summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorlpsolit%gmail.com <>2009-02-02 19:37:24 +0100
committerlpsolit%gmail.com <>2009-02-02 19:37:24 +0100
commitecd9480e65f4f57575b5c9414f70eed36590771c (patch)
tree407d438d0a69caeb642b354392720380068b9698
parentdc51769c9f7fb84ac2e43112f2d106a4770f5781 (diff)
downloadbugzilla-ecd9480e65f4f57575b5c9414f70eed36590771c.tar.gz
bugzilla-ecd9480e65f4f57575b5c9414f70eed36590771c.tar.xz
Second part of bug 26257: [SECURITY] Bugzilla should prevent malicious webpages from making bugzilla users submit changes to bugs
-rw-r--r--template/en/default/global/confirm-action.html.tmpl63
1 files changed, 63 insertions, 0 deletions
diff --git a/template/en/default/global/confirm-action.html.tmpl b/template/en/default/global/confirm-action.html.tmpl
new file mode 100644
index 000000000..e57a83c28
--- /dev/null
+++ b/template/en/default/global/confirm-action.html.tmpl
@@ -0,0 +1,63 @@
+[%# The contents of this file are subject to the Mozilla Public
+ # License Version 1.1 (the "License"); you may not use this file
+ # except in compliance with the License. You may obtain a copy of
+ # the License at http://www.mozilla.org/MPL/
+ #
+ # Software distributed under the License is distributed on an "AS
+ # IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ # implied. See the License for the specific language governing
+ # rights and limitations under the License.
+ #
+ # The Original Code is the Bugzilla Bug Tracking System.
+ #
+ # The Initial Developer of the Original Code is Frédéric Buclin.
+ # Portions created by Frédéric Buclin are Copyright (C) 2008
+ # Frédéric Buclin. All Rights Reserved.
+ #
+ # Contributor(s): Frédéric Buclin <LpSolit@gmail.com>
+ #%]
+
+[%# INTERFACE:
+ # script_name: the script generating this warning.
+ # token: a valid token for the current action.
+ # reason: reason of the failure.
+ #%]
+
+[% PROCESS global/header.html.tmpl title = "Suspicious Action"
+ style_urls = ['skins/standard/global.css'] %]
+
+<div class="throw_error">
+ [% IF reason == "expired_token" %]
+ Your changes have been rejected because you exceeded the time limit
+ of [% constants.MAX_TOKEN_AGE FILTER html %] days before submitting your
+ changes to [% script_name FILTER html %]. Your page may have been displayed
+ for too long, or old changes have been resubmitted by accident.
+
+ [% ELSIF reason == "missing_token" %]
+ It looks like you didn't come from the right page.
+ One reason could be that you entered the URL in the address bar of your
+ web browser directly, which should be safe. Another reason could be that
+ you clicked on a URL which redirected you here <b>without your consent</b>.
+
+ [% ELSIF reason == "invalid_token" %]
+ You submitted changes to [% script_name FILTER html %] with an invalid
+ token, which may indicate that someone tried to abuse you, for instance
+ by making you click on a URL which redirected you here <b>without your
+ consent</b>.
+ [% END %]
+ <p>
+ Are you sure you want to commit these changes?
+ </p>
+</div>
+
+<form name="check" id="check" method="post" action="[% script_name FILTER html %]">
+ [% PROCESS "global/hidden-fields.html.tmpl"
+ exclude="^(Bugzilla_login|Bugzilla_password|token)$" %]
+ <input type="hidden" name="token" value="[% token FILTER html %]">
+ <input type="submit" id="confirm" value="Yes, Confirm Changes">
+</form>
+
+<p><a href="index.cgi">No, throw away these changes</a> (you will be redirected
+to the home page).</p>
+
+[% PROCESS global/footer.html.tmpl %]