diff options
author | Frédéric Buclin <LpSolit@gmail.com> | 2011-01-24 18:23:39 +0100 |
---|---|---|
committer | Frédéric Buclin <LpSolit@gmail.com> | 2011-01-24 18:23:39 +0100 |
commit | fee4dfba5bce719769ee2733a0e7b824aaf298d6 (patch) | |
tree | 2ff0b5859ab1f8b1b1d3406377cbe7f19093c961 | |
parent | 10b4a9266d92269fd48d12d1a6de983858ea9b74 (diff) | |
download | bugzilla-fee4dfba5bce719769ee2733a0e7b824aaf298d6.tar.gz bugzilla-fee4dfba5bce719769ee2733a0e7b824aaf298d6.tar.xz |
Bug 621110: [SECURITY] Quips (adding/approving/deleting) lacks CSRF protection
r=dkl a=LpSolit
-rwxr-xr-x | quips.cgi | 7 | ||||
-rw-r--r-- | template/en/default/list/quips.html.tmpl | 7 |
2 files changed, 12 insertions, 2 deletions
@@ -32,6 +32,7 @@ use Bugzilla::Constants; use Bugzilla::Util; use Bugzilla::Error; use Bugzilla::User; +use Bugzilla::Token; my $user = Bugzilla->login(LOGIN_REQUIRED); @@ -41,6 +42,7 @@ my $template = Bugzilla->template; my $vars = {}; my $action = $cgi->param('action') || ""; +my $token = $cgi->param('token'); if ($action eq "show") { # Read in the entire quip list @@ -74,6 +76,7 @@ if ($action eq "add") { (Bugzilla->params->{'quip_list_entry_control'} eq "closed") && ThrowUserError("no_new_quips"); + check_hash_token($token, ['create-quips']); # Add the quip my $approved = (Bugzilla->params->{'quip_list_entry_control'} eq "open") || Bugzilla->user->in_group('admin') || 0; @@ -92,7 +95,8 @@ if ($action eq 'approve') { || ThrowUserError("auth_failure", {group => "admin", action => "approve", object => "quips"}); - + + check_hash_token($token, ['approve-quips']); # Read in the entire quip list my $quipsref = $dbh->selectall_arrayref("SELECT quipid, approved FROM quips"); @@ -134,6 +138,7 @@ if ($action eq "delete") { my $quipid = $cgi->param("quipid"); ThrowCodeError("need_quipid") unless $quipid =~ /(\d+)/; $quipid = $1; + check_hash_token($token, ['quips', $quipid]); ($vars->{'deleted_quip'}) = $dbh->selectrow_array( "SELECT quip FROM quips WHERE quipid = ?", diff --git a/template/en/default/list/quips.html.tmpl b/template/en/default/list/quips.html.tmpl index 1870ffcf2..62395d27f 100644 --- a/template/en/default/list/quips.html.tmpl +++ b/template/en/default/list/quips.html.tmpl @@ -73,6 +73,8 @@ <form method="post" action="quips.cgi"> <input type="hidden" name="action" value="add"> + <input type="hidden" name="token" + value="[% issue_hash_token(['create-quips']) FILTER html %]"> <input size="80" name="quip"> <p> <input type="submit" id="add" value="Add This Quip"> @@ -103,6 +105,8 @@ </p> <form name="editform" method="post" action="quips.cgi"> <input type="hidden" name="action" value="approve"> + <input type="hidden" name="token" + value="[% issue_hash_token(['approve-quips']) FILTER html %]"> <table border="1"> <thead><tr> <th>Quip</th> @@ -119,7 +123,8 @@ [% "Unknown" IF NOT users.$userid %] </td> <td> - <a href="quips.cgi?action=delete&quipid=[% quipid FILTER uri %]"> + <a href="quips.cgi?action=delete&quipid=[% quipid FILTER uri %]&token= + [%- issue_hash_token(['quips', quipid]) FILTER uri %]"> Delete </a> </td> |