author | Dylan Hardison <dylan@mozilla.com> | 2016-03-10 04:20:00 +0100 |
---|---|---|
committer | Dylan Hardison <dylan@mozilla.com> | 2016-03-10 04:20:16 +0100 |
commit | 3c360d80785b076c143ad350acb8e02b3833a0b4 (patch) | |
tree | 399cba1c95e9d215705435decf0f234705cc7e76 /extensions | |
parent | 844c6238baf72dfa79ad7e33f2bc1947cbf5b3f5 (diff) | |
Bug 1252578 - CSRF and SELECT-only SQL execution attack against query_database.html
Diffstat (limited to 'extensions')
-rw-r--r-- | extensions/BMO/Extension.pm | 1 | ||||
-rw-r--r-- | extensions/BMO/template/en/default/pages/query_database.html.tmpl | 1 |
2 files changed, 2 insertions, 0 deletions
diff --git a/extensions/BMO/Extension.pm b/extensions/BMO/Extension.pm
index a72f3d1be..75b8df456 100644
--- a/extensions/BMO/Extension.pm
+++ b/extensions/BMO/Extension.pm
@@ -2133,6 +2133,7 @@ sub query_database {
     $vars->{query} = $query;
     if ($query) {
+        check_hash_token($input->{token}, ['query_database']);
         trick_taint($query);
         $vars->{executed} = 1;
diff --git a/extensions/BMO/template/en/default/pages/query_database.html.tmpl b/extensions/BMO/template/en/default/pages/query_database.html.tmpl
index 97f5c0a25..79c5be1d8 100644
--- a/extensions/BMO/template/en/default/pages/query_database.html.tmpl
+++ b/extensions/BMO/template/en/default/pages/query_database.html.tmpl
@@ -15,6 +15,7 @@
 <input type="hidden" name="id" value="query_database.html">
 <textarea cols="80" rows="10" name="query">[% query FILTER html %]</textarea><br>
 <input type="submit" value="Execute">
+<input type="hidden" name="token" value="[% issue_hash_token(['query_database']) FILTER html %]">
 </form>
 [% IF executed %] |