diff options
author | lpsolit%gmail.com <> | 2009-02-02 19:37:24 +0100 |
---|---|---|
committer | lpsolit%gmail.com <> | 2009-02-02 19:37:24 +0100 |
commit | ecd9480e65f4f57575b5c9414f70eed36590771c (patch) | |
tree | 407d438d0a69caeb642b354392720380068b9698 | |
parent | dc51769c9f7fb84ac2e43112f2d106a4770f5781 (diff) | |
download | bugzilla-ecd9480e65f4f57575b5c9414f70eed36590771c.tar.gz bugzilla-ecd9480e65f4f57575b5c9414f70eed36590771c.tar.xz |
Second part of bug 26257: [SECURITY] Bugzilla should prevent malicious webpages from making bugzilla users submit changes to bugs
-rw-r--r-- | template/en/default/global/confirm-action.html.tmpl | 63 |
1 files changed, 63 insertions, 0 deletions
diff --git a/template/en/default/global/confirm-action.html.tmpl b/template/en/default/global/confirm-action.html.tmpl new file mode 100644 index 000000000..e57a83c28 --- /dev/null +++ b/template/en/default/global/confirm-action.html.tmpl @@ -0,0 +1,63 @@ +[%# The contents of this file are subject to the Mozilla Public + # License Version 1.1 (the "License"); you may not use this file + # except in compliance with the License. You may obtain a copy of + # the License at http://www.mozilla.org/MPL/ + # + # Software distributed under the License is distributed on an "AS + # IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or + # implied. See the License for the specific language governing + # rights and limitations under the License. + # + # The Original Code is the Bugzilla Bug Tracking System. + # + # The Initial Developer of the Original Code is Frédéric Buclin. + # Portions created by Frédéric Buclin are Copyright (C) 2008 + # Frédéric Buclin. All Rights Reserved. + # + # Contributor(s): Frédéric Buclin <LpSolit@gmail.com> + #%] + +[%# INTERFACE: + # script_name: the script generating this warning. + # token: a valid token for the current action. + # reason: reason of the failure. + #%] + +[% PROCESS global/header.html.tmpl title = "Suspicious Action" + style_urls = ['skins/standard/global.css'] %] + +<div class="throw_error"> + [% IF reason == "expired_token" %] + Your changes have been rejected because you exceeded the time limit + of [% constants.MAX_TOKEN_AGE FILTER html %] days before submitting your + changes to [% script_name FILTER html %]. Your page may have been displayed + for too long, or old changes have been resubmitted by accident. + + [% ELSIF reason == "missing_token" %] + It looks like you didn't come from the right page. + One reason could be that you entered the URL in the address bar of your + web browser directly, which should be safe. Another reason could be that + you clicked on a URL which redirected you here <b>without your consent</b>. + + [% ELSIF reason == "invalid_token" %] + You submitted changes to [% script_name FILTER html %] with an invalid + token, which may indicate that someone tried to abuse you, for instance + by making you click on a URL which redirected you here <b>without your + consent</b>. + [% END %] + <p> + Are you sure you want to commit these changes? + </p> +</div> + +<form name="check" id="check" method="post" action="[% script_name FILTER html %]"> + [% PROCESS "global/hidden-fields.html.tmpl" + exclude="^(Bugzilla_login|Bugzilla_password|token)$" %] + <input type="hidden" name="token" value="[% token FILTER html %]"> + <input type="submit" id="confirm" value="Yes, Confirm Changes"> +</form> + +<p><a href="index.cgi">No, throw away these changes</a> (you will be redirected +to the home page).</p> + +[% PROCESS global/footer.html.tmpl %] |