summaryrefslogtreecommitdiffstats
path: root/extensions/BMO/template
diff options
context:
space:
mode:
authorDylan Hardison <dylan@mozilla.com>2016-03-10 04:20:00 +0100
committerDylan Hardison <dylan@mozilla.com>2016-03-10 04:20:16 +0100
commit3c360d80785b076c143ad350acb8e02b3833a0b4 (patch)
tree399cba1c95e9d215705435decf0f234705cc7e76 /extensions/BMO/template
parent844c6238baf72dfa79ad7e33f2bc1947cbf5b3f5 (diff)
downloadbugzilla-3c360d80785b076c143ad350acb8e02b3833a0b4.tar.gz
bugzilla-3c360d80785b076c143ad350acb8e02b3833a0b4.tar.xz
Bug 1252578 - CSRF and SELECT-only SQL execution attack against query_database.html
Diffstat (limited to 'extensions/BMO/template')
-rw-r--r--extensions/BMO/template/en/default/pages/query_database.html.tmpl1
1 files changed, 1 insertions, 0 deletions
diff --git a/extensions/BMO/template/en/default/pages/query_database.html.tmpl b/extensions/BMO/template/en/default/pages/query_database.html.tmpl
index 97f5c0a25..79c5be1d8 100644
--- a/extensions/BMO/template/en/default/pages/query_database.html.tmpl
+++ b/extensions/BMO/template/en/default/pages/query_database.html.tmpl
@@ -15,6 +15,7 @@
<input type="hidden" name="id" value="query_database.html">
<textarea cols="80" rows="10" name="query">[% query FILTER html %]</textarea><br>
<input type="submit" value="Execute">
+<input type="hidden" name="token" value="[% issue_hash_token(['query_database']) FILTER html %]">
</form>
[% IF executed %]