Bug 713926: (CVE-2014-1517) [SECURITY] Login form lacks CSRF protection

r=dkl a=justdave
author: Frédéric Buclin <LpSolit@gmail.com> 2014-04-17 18:11:12 +0200
committer: Frédéric Buclin <LpSolit@gmail.com> 2014-04-17 18:11:12 +0200
commit: 0e390970ba51b14a5dc780be7c6f0d6d7baa67e3 (patch)
tree: 5e3a8751012a0c99769129494d1863a3a9ca5d9f /Bugzilla/Template.pm
parent: b639a1a7f4ed58f8d30058509444e44be3095f53 (diff)
download: bugzilla-0e390970ba51b14a5dc780be7c6f0d6d7baa67e3.tar.gz
bugzilla-0e390970ba51b14a5dc780be7c6f0d6d7baa67e3.tar.xz
1 files changed, 5 insertions, 0 deletions
diff --git a/Bugzilla/Template.pm b/Bugzilla/Template.pm
index b8fcae107..56d31dd2d 100644
--- a/Bugzilla/Template.pm
+++ b/Bugzilla/Template.pm
@@ -920,6 +920,11 @@ sub create {
             # Allow templates to generate a token themselves.
             'issue_hash_token' => \&Bugzilla::Token::issue_hash_token,
 
+            'get_login_request_token' => sub {
+                my $cookie = Bugzilla->cgi->cookie('Bugzilla_login_request_cookie');
+                return $cookie ? issue_hash_token(['login_request', $cookie]) : '';
+            },
+
             # A way for all templates to get at Field data, cached.
             'bug_fields' => sub {
                 my $cache = Bugzilla->request_cache;
author	Frédéric Buclin <LpSolit@gmail.com>	2014-04-17 18:11:12 +0200
committer	Frédéric Buclin <LpSolit@gmail.com>	2014-04-17 18:11:12 +0200
commit	0e390970ba51b14a5dc780be7c6f0d6d7baa67e3 (patch)
tree	5e3a8751012a0c99769129494d1863a3a9ca5d9f /Bugzilla/Template.pm
parent	b639a1a7f4ed58f8d30058509444e44be3095f53 (diff)
download	bugzilla-0e390970ba51b14a5dc780be7c6f0d6d7baa67e3.tar.gz bugzilla-0e390970ba51b14a5dc780be7c6f0d6d7baa67e3.tar.xz