authorDavid Lawrence <dlawrence@mozilla.com>2011-01-24 20:35:31 +0100
committerDavid Lawrence <dlawrence@mozilla.com>2011-01-24 20:35:31 +0100
commitad1e3aef99b806d7f4a5bd18aa0c8cc6102f62e6 (patch)
treee06da7523a0a54ca0e8f6c7d63185a1d76fa6607
parent9244270a7d1ca49e315a98c24d51bf405bfa2880 (diff)
Bug 621105 - [SECURITY] Voting lacks CSRF protection
r=mkanat,a=LpSolit
-rw-r--r--extensions/Voting/Extension.pm4
-rw-r--r--extensions/Voting/template/en/default/pages/voting/user.html.tmpl1
-rw-r--r--extensions/Voting/template/en/default/voting/delete-all.html.tmpl1
3 files changed, 6 insertions, 0 deletions
diff --git a/extensions/Voting/Extension.pm b/extensions/Voting/Extension.pm
index d94ff8430..8417e0ec3 100644
--- a/extensions/Voting/Extension.pm
+++ b/extensions/Voting/Extension.pm
@@ -36,6 +36,7 @@ use Bugzilla::Field;
use Bugzilla::Mailer;
use Bugzilla::User;
use Bugzilla::Util qw(detaint_natural);
+use Bugzilla::Token;
use List::Util qw(min);
@@ -529,6 +530,9 @@ sub _update_votes {
|| ThrowUserError("voting_must_be_nonnegative");
}
+ my $token = $cgi->param('token');
+ check_hash_token($token, ['vote']);
+
############################################################################
# End Data/Security Validation
############################################################################
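Review bot: The CSRF token is checked only after the vote-count validation that precedes it in the block, so a forged request is examined (and can fail with `voting_must_be_nonnegative`) before its token is ever looked at; placing `check_hash_token($cgi->param('token'), ['vote']);` at the top of the validation section would reject a request without a valid token before any of its other parameters are processed. The new lines also deserve a comment tying them to the two forms that issue the token, e.g. `# CSRF guard: the vote form and the delete-all confirmation form both carry a token from issue_hash_token(['vote']).` `_update_votes` begins and continues outside this hunk; I am assuming `$cgi` is assigned earlier in it and that `check_hash_token` throws on a missing or mismatched token rather than returning false, which should be confirmed against Bugzilla::Token.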
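--- a/extensions/Voting/template/en/default/pages/voting/user.html.tmpl
+++ b/extensions/Voting/template/en/default/pages/voting/user.html.tmpl
@@ -74,6 +74,7 @@
 [% IF products.size %]
 <form name="voting_form" method="post" action="page.cgi?id=voting/user.html">
 <input type="hidden" name="action" value="vote">
+<input type="hidden" name="token" value="[% issue_hash_token(['vote']) FILTER html %]">
 <table cellspacing="4">
 <tr>
 <td></td>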
diff --git a/extensions/Voting/template/en/default/voting/delete-all.html.tmpl b/extensions/Voting/template/en/default/voting/delete-all.html.tmpl
index 82ddc3596..f0d3b7e13 100644
--- a/extensions/Voting/template/en/default/voting/delete-all.html.tmpl
+++ b/extensions/Voting/template/en/default/voting/delete-all.html.tmpl
@@ -35,6 +35,7 @@
<form action="page.cgi?id=voting/user.html" method="post">
<input type="hidden" name="action" value="vote">
+ <input type="hidden" name="token" value="[% issue_hash_token(['vote']) FILTER html %]">
<p>
<input type="radio" name="delete_all_votes" value="1">
Yes, delete all my votes