author | David Lawrence <dkl@mozilla.com> | 2016-10-04 15:16:48 +0200 |
---|---|---|
committer | David Lawrence <dkl@mozilla.com> | 2016-10-04 15:16:48 +0200 |
commit | 125734746e1d48514b2e9affb8dd793d600b7c17 (patch) | |
tree | 6729dae6c3ed8e55b0b086dc2e8333994fc566da /extensions/Push/lib | |
parent | 3078746b2997a75cc4ec2092f41f2003266cd6fd (diff) | |
Bug 1306589 - BMO: CSRF vulnerability allows deleting admin queue entries
Diffstat (limited to 'extensions/Push/lib')
-rw-r--r-- | extensions/Push/lib/Admin.pm | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/extensions/Push/lib/Admin.pm b/extensions/Push/lib/Admin.pm
index fa65e0d69..9df2bddcb 100644
--- a/extensions/Push/lib/Admin.pm
+++ b/extensions/Push/lib/Admin.pm
@@ -103,6 +103,8 @@ sub admin_queues {
 || ThrowUserError('push_error', { error_message => 'Invalid message ID' });
 if ($input->{delete}) {
+ my $token = $input->{token};
+ check_hash_token($token, ['deleteMessage']);
 $message->remove_from_db();
 $vars->{message} = 'push_message_deleted'; |