authorDavid Lawrence <dkl@mozilla.com>2016-10-04 15:16:48 +0200
committerDavid Lawrence <dkl@mozilla.com>2016-10-04 15:16:48 +0200
commit125734746e1d48514b2e9affb8dd793d600b7c17 (patch)
tree6729dae6c3ed8e55b0b086dc2e8333994fc566da
parent3078746b2997a75cc4ec2092f41f2003266cd6fd (diff)
Bug 1306589 - BMO: CSRF vulnerability allows deleting admin queue entries
-rw-r--r--extensions/Push/lib/Admin.pm2
-rw-r--r--extensions/Push/template/en/default/pages/push_queues_view.html.tmpl30
-rw-r--r--extensions/Push/web/admin.css4
-rw-r--r--extensions/Push/web/admin.js7
4 files changed, 32 insertions, 11 deletions
diff --git a/extensions/Push/lib/Admin.pm b/extensions/Push/lib/Admin.pm
index fa65e0d69..9df2bddcb 100644
--- a/extensions/Push/lib/Admin.pm
+++ b/extensions/Push/lib/Admin.pm
@@ -103,6 +103,8 @@ sub admin_queues {
|| ThrowUserError('push_error', { error_message => 'Invalid message ID' });
if ($input->{delete}) {
+ my $token = $input->{token};
+ check_hash_token($token, ['deleteMessage']);
$message->remove_from_db();
$vars->{message} = 'push_message_deleted';
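Review bot: The token check sits correctly inside `if ($input->{delete}) {` and before `remove_from_db()`, but the `$token` temporary adds nothing; `check_hash_token($input->{token}, ['deleteMessage']);` reads more directly, and a one-line comment `# CSRF guard: token is issued by push_queues_view.html.tmpl with the same 'deleteMessage' key` ties the check to the template that issues it. Whether `check_hash_token` is already imported from Bugzilla::Token at the top of Admin.pm is not visible in the hunk; confirm it is, since a missing import would only fail at runtime under the delete branch. admin_queues starts and continues outside the hunk.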
diff --git a/extensions/Push/template/en/default/pages/push_queues_view.html.tmpl b/extensions/Push/template/en/default/pages/push_queues_view.html.tmpl
index 6330d8ae4..355e6af91 100644
--- a/extensions/Push/template/en/default/pages/push_queues_view.html.tmpl
+++ b/extensions/Push/template/en/default/pages/push_queues_view.html.tmpl
@@ -14,6 +14,7 @@
[% IF !message_obj %]
<a href="?id=push_queues.html">Return</a>
+ [% INCLUDE global/footer.html.tmpl %]
[% RETURN %]
[% END %]
@@ -56,6 +57,24 @@
[% END %]
<tr>
+ <th class="report-header">Actions</th>
+ <td>
+ <form class="action-button" method="post" action="page.cgi" id="deleteMessage" enctype="multipart/form-data">
+ <input type="hidden" name="token" value="[% issue_hash_token(['deleteMessage']) FILTER html %]">
+ <input type="hidden" name="id" value="push_queues_view.html">
+ <input type="hidden" name="delete" value="1">
+ <input type="hidden" name="message" value="[% message_obj.id FILTER html %]">
+ <input type="hidden" name="connector" value="[% message_obj.connector FILTER html %]">
+ <input type="submit" value="Delete">
+ </form>
+ <form class="action-button" method="post" action="page.cgi" id="returnQueue" enctype="multipart/form-data">
+ <input type="hidden" name="id" value="push_queues.html">
+ <input type="submit" value="Return">
+ </form>
+ </td>
+</tr>
+
+<tr>
<td colspan="2">
[% IF json %]
<pre>[% json FILTER html %]</pre>
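Review bot: The token on the `issue_hash_token(['deleteMessage'])` line is not bound to the message being deleted, so a token issued on any message's view page validates a delete of any other message in the same session. Binding the id into the hashed data, `issue_hash_token(['deleteMessage', message_obj.id])`, with the matching `check_hash_token($token, ['deleteMessage', $message->id])` in Admin.pm, limits each token to the message it was issued for; this is hardening beyond the CSRF fix, and the exact accessor on the Perl side is an assumption to confirm. The `enctype="multipart/form-data"` on both forms is unnecessary for forms holding only hidden inputs and can be dropped.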
@@ -64,17 +83,6 @@
[% END %]
</td>
</tr>
-
-<tr class="report-header">
- <th colspan="2">
- <a href="?id=push_queues.html">Return</a> |
- <a onclick="return confirm('Are you sure you want to delete this message forever (a long time)?')"
- href="?id=push_queues_view.html&amp;delete=1
- [%- %]&amp;message=[% message_obj.id FILTER uri %]
- [%- %]&amp;connector=[% message_obj.connector FILTER uri %]">Delete</a>
- </th>
-</tr>
-
</table>
[% INCLUDE global/footer.html.tmpl %]
diff --git a/extensions/Push/web/admin.css b/extensions/Push/web/admin.css
index c204fa62a..96b3b8da5 100644
--- a/extensions/Push/web/admin.css
+++ b/extensions/Push/web/admin.css
@@ -69,3 +69,7 @@
text-align: right !important;
}
+.action-button {
+ display: inline;
+}
+
diff --git a/extensions/Push/web/admin.js b/extensions/Push/web/admin.js
index 599bfd742..cf1c69e7d 100644
--- a/extensions/Push/web/admin.js
+++ b/extensions/Push/web/admin.js
@@ -35,3 +35,10 @@ function reset_to_defaults() {
}
}
}
+
+$(function() {
+ $('#deleteMessage input[type=submit]')
+ .click(function(event) {
+ return confirm('Are you sure you want to delete this message forever (a long time)?');
+ });
+});
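Review bot: The confirmation is attached to the submit button's `.click` handler, so it guards only that one way of sending the form; binding it to the form itself, `$('#deleteMessage').submit(function() { return confirm('Are you sure you want to delete this message forever (a long time)?'); });`, covers every submission path and keeps the guard on the element that performs the deletion. Returning the result of `confirm` still aborts the submit on cancel, as the current code does.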