authorlpsolit%gmail.com <>2009-02-02 19:33:29 +0100
committerlpsolit%gmail.com <>2009-02-02 19:33:29 +0100
commitdc51769c9f7fb84ac2e43112f2d106a4770f5781 (patch)
tree2e33c5042d7608871c661a843c3c991da07693d7 /Bugzilla/Install
parent8d70890dc0b7c24b25a344808ac4e63e6a5dd74e (diff)
Bug 26257: [SECURITY] Bugzilla should prevent malicious webpages from making bugzilla users submit changes to bugs - Patch by Frédéric Buclin <LpSolit@gmail.com> r=mkanat a=LpSolit
Diffstat (limited to 'Bugzilla/Install')
-rw-r--r--Bugzilla/Install/Localconfig.pm13
1 files changed, 13 insertions, 0 deletions
diff --git a/Bugzilla/Install/Localconfig.pm b/Bugzilla/Install/Localconfig.pm
index 45005f032..654b44b9f 100644
--- a/Bugzilla/Install/Localconfig.pm
+++ b/Bugzilla/Install/Localconfig.pm
@@ -32,6 +32,7 @@ use strict;
use Bugzilla::Constants;
use Bugzilla::Install::Util qw(bin_loc);
+use Bugzilla::Util qw(generate_random_password);
use Data::Dumper;
use File::Basename qw(dirname);
@@ -185,6 +186,18 @@ EOT
# Please specify the directory name only; do not use trailing slash.
EOT
},
+ {
+ name => 'site_wide_secret',
+ default => generate_random_password(256),
+ desc => <<EOT
+# This secret key is used by your installation for the creation and
+# validation of encrypted tokens to prevent unsolicited changes,
+# such as bug changes. A random string is generated by default.
+# It's very important that this key is kept secret. It also must be
+# very long.
+
+EOT
+ },
);
sub read_localconfig {
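Review bot: The new `default => generate_random_password(256),` entry makes the strength of `site_wide_secret` depend entirely on `generate_random_password`, whose implementation is not part of this diff; since the key backs the tokens that stop cross-site change submissions, that helper should be confirmed to draw from a cryptographically secure source rather than Perl's built-in `rand`. The default also appears to be computed when the variable list is built, not when a value is actually missing, so a fresh 256-character string would be generated on every load of the module even when localconfig already holds a key. Deferring it, e.g. `default => sub { generate_random_password(256) },`, would avoid that, provided the code that applies defaults (outside this hunk) is taught to call code refs. The description text would be more useful to administrators if it said "signed" or "hashed" rather than "encrypted" (if that is what the token code does), gave a concrete minimum length instead of "very long", and noted that localconfig must not be readable by other local users. The enclosing list begins above the hunk, so its exact form is not visible here.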