Bug 621107: [SECURITY] Sanity checking lacks CSRF protection

r=dkl a=LpSolit

2 files changed, 4 insertions, 2 deletions

diff --git a/extensions/Example/template/en/default/hook/admin/sanitycheck/messages-statuses.html.tmpl b/extensions/Example/template/en/default/hook/admin/sanitycheck/messages-statuses.html.tmpl
index 8a825e57c..639752ed5 100644
--- a/extensions/Example/template/en/default/hook/admin/sanitycheck/messages-statuses.html.tmpl
+++ b/extensions/Example/template/en/default/hook/admin/sanitycheck/messages-statuses.html.tmpl
@@ -27,7 +27,8 @@
     <a href="editusers.cgi?id=[% userid FILTER none %]">Edit this user</a>.
   [% END %]
 [% ELSIF san_tag == "example_check_au_user_prompt" %]
-  <a href="sanitycheck.cgi?example_repair_au_user=1">Fix these users</a>.
+  <a href="sanitycheck.cgi?example_repair_au_user=1&amp;token=
+     [%- issue_hash_token(['sanitycheck']) FILTER uri %]">Fix these users</a>.
 [% ELSIF san_tag == "example_repair_au_user_start" %]
   <em>EXAMPLE PLUGIN</em> - OK, would now make users Australian.
 [% ELSIF san_tag == "example_repair_au_user_end" %]
diff --git a/extensions/Voting/template/en/default/hook/admin/sanitycheck/messages-statuses.html.tmpl b/extensions/Voting/template/en/default/hook/admin/sanitycheck/messages-statuses.html.tmpl
index afb81d34c..bbf0350a1 100644
--- a/extensions/Voting/template/en/default/hook/admin/sanitycheck/messages-statuses.html.tmpl
+++ b/extensions/Voting/template/en/default/hook/admin/sanitycheck/messages-statuses.html.tmpl
@@ -19,7 +19,8 @@
   #%]
 
 [% IF san_tag == "voting_cache_rebuild_fix" %]
-    <a href="sanitycheck.cgi?rebuild_vote_cache=1">Click here to
+    <a href="sanitycheck.cgi?rebuild_vote_cache=1&amp;token=
+       [%- issue_hash_token(['sanitycheck']) FILTER uri %]">Click here to
     rebuild the vote cache</a>
 
 [% ELSIF san_tag == "voting_cache_alert" %]