diff options
| author | Frédéric Buclin <LpSolit@gmail.com> | 2011-01-24 18:04:59 +0100 |
|---|---|---|
| committer | Frédéric Buclin <LpSolit@gmail.com> | 2011-01-24 18:04:59 +0100 |
| commit | f6c4abda55c83a53d32d5958cc9c81a602423c89 (patch) | |
| tree | 9778fcd7fea9c2fc0bf3b13f68113efa22c7ce3c | |
| parent | 4ab5bc9f4c4ba4a7b20ebf00466f9b2de67f311d (diff) | |
| download | bugzilla-f6c4abda55c83a53d32d5958cc9c81a602423c89.tar.gz bugzilla-f6c4abda55c83a53d32d5958cc9c81a602423c89.tar.xz | |
Bug 621107: [SECURITY] Sanity checking lacks CSRF protection
r=dkl a=LpSolit
4 files changed, 26 insertions, 8 deletions
diff --git a/extensions/Example/template/en/default/hook/admin/sanitycheck/messages-statuses.html.tmpl b/extensions/Example/template/en/default/hook/admin/sanitycheck/messages-statuses.html.tmpl index 8a825e57c..639752ed5 100644 --- a/extensions/Example/template/en/default/hook/admin/sanitycheck/messages-statuses.html.tmpl +++ b/extensions/Example/template/en/default/hook/admin/sanitycheck/messages-statuses.html.tmpl @@ -27,7 +27,8 @@ <a href="editusers.cgi?id=[% userid FILTER none %]">Edit this user</a>. [% END %] [% ELSIF san_tag == "example_check_au_user_prompt" %] - <a href="sanitycheck.cgi?example_repair_au_user=1">Fix these users</a>. + <a href="sanitycheck.cgi?example_repair_au_user=1&token= + [%- issue_hash_token(['sanitycheck']) FILTER uri %]">Fix these users</a>. [% ELSIF san_tag == "example_repair_au_user_start" %] <em>EXAMPLE PLUGIN</em> - OK, would now make users Australian. [% ELSIF san_tag == "example_repair_au_user_end" %] diff --git a/extensions/Voting/template/en/default/hook/admin/sanitycheck/messages-statuses.html.tmpl b/extensions/Voting/template/en/default/hook/admin/sanitycheck/messages-statuses.html.tmpl index afb81d34c..bbf0350a1 100644 --- a/extensions/Voting/template/en/default/hook/admin/sanitycheck/messages-statuses.html.tmpl +++ b/extensions/Voting/template/en/default/hook/admin/sanitycheck/messages-statuses.html.tmpl @@ -19,7 +19,8 @@ #%] [% IF san_tag == "voting_cache_rebuild_fix" %] - <a href="sanitycheck.cgi?rebuild_vote_cache=1">Click here to + <a href="sanitycheck.cgi?rebuild_vote_cache=1&token= + [%- issue_hash_token(['sanitycheck']) FILTER uri %]">Click here to rebuild the vote cache</a> [% ELSIF san_tag == "voting_cache_alert" %] diff --git a/sanitycheck.cgi b/sanitycheck.cgi index a4f9832b0..6bf113b24 100755 --- a/sanitycheck.cgi +++ b/sanitycheck.cgi @@ -35,6 +35,7 @@ use Bugzilla::Error; use Bugzilla::Hook; use Bugzilla::Util; use Bugzilla::Status; +use Bugzilla::Token; ########################################################################### # General subs @@ -79,6 +80,15 @@ if (Bugzilla->usage_mode == USAGE_MODE_CMDLINE) { } else { $template = Bugzilla->template; + + # Only check the token if we are running this script from the + # web browser and a parameter is passed to the script. + # XXX - Maybe these two parameters should be deleted once logged in? + $cgi->delete('GoAheadAndLogIn', 'Bugzilla_restrictlogin'); + if (scalar($cgi->param())) { + my $token = $cgi->param('token'); + check_hash_token($token, ['sanitycheck']); + } } my $vars = {}; diff --git a/template/en/default/admin/sanitycheck/messages.html.tmpl b/template/en/default/admin/sanitycheck/messages.html.tmpl index af0f9e572..88264d820 100644 --- a/template/en/default/admin/sanitycheck/messages.html.tmpl +++ b/template/en/default/admin/sanitycheck/messages.html.tmpl @@ -34,7 +34,8 @@ [% errortext FILTER html %]: [% INCLUDE bug_list badbugs = badbugs %] [% ELSIF san_tag == "bug_check_repair" %] - <a href="sanitycheck.cgi?[% param FILTER uri %]=1">[% text FILTER html %]</a>. + <a href="sanitycheck.cgi?[% param FILTER uri %]=1&token= + [%- issue_hash_token(['sanitycheck']) FILTER uri %]">[% text FILTER html %]</a>. [% ELSIF san_tag == "bug_check_creation_date" %] Checking for [% terms.bugs %] with no creation date (which makes them invisible). @@ -136,11 +137,13 @@ [% END %] [% ELSIF san_tag == "cross_check_attachment_has_references" %] - <a href="sanitycheck.cgi?remove_invalid_attach_references=1">Remove + <a href="sanitycheck.cgi?remove_invalid_attach_references=1&token= + [%- issue_hash_token(['sanitycheck']) FILTER uri %]">Remove invalid references to non existent attachments.</a> [% ELSIF san_tag == "cross_check_bug_has_references" %] - <a href="sanitycheck.cgi?remove_invalid_bug_references=1">Remove + <a href="sanitycheck.cgi?remove_invalid_bug_references=1&token= + [%- issue_hash_token(['sanitycheck']) FILTER uri %]">Remove invalid references to non existent [% terms.bugs %].</a> [% ELSIF san_tag == "double_cross_check_to" %] @@ -186,7 +189,8 @@ [%+ PROCESS bug_link bug_id = bug_id %]. [% ELSIF san_tag == "flag_fix" %] - <a href="sanitycheck.cgi?remove_invalid_flags=1">Click + <a href="sanitycheck.cgi?remove_invalid_flags=1&token= + [%- issue_hash_token(['sanitycheck']) FILTER uri %]">Click here to delete invalid flags</a> [% ELSIF san_tag == "group_control_map_entries_creation" %] @@ -250,7 +254,8 @@ half an hour: [% INCLUDE bug_list badbugs = badbugs %] [% ELSIF san_tag == "unsent_bugmail_fix" %] - <a href="sanitycheck.cgi?rescanallBugMail=1">Send these mails</a>. + <a href="sanitycheck.cgi?rescanallBugMail=1&token= + [%- issue_hash_token(['sanitycheck']) FILTER uri %]">Send these mails</a>. [% ELSIF san_tag == "whines_obsolete_target_deletion_start" %] OK, now removing non-existent users/groups from whines. @@ -268,7 +273,8 @@ [% END %] [% ELSIF san_tag == "whines_obsolete_target_fix" %] - <a href="sanitycheck.cgi?remove_old_whine_targets=1">Click here to + <a href="sanitycheck.cgi?remove_old_whine_targets=1&token= + [%- issue_hash_token(['sanitycheck']) FILTER uri %]">Click here to remove old users/groups</a> [% ELSE %] |