Bug 713926: (CVE-2014-1517) [SECURITY] Login form lacks CSRF protection

r=dkl a=justdave
author: Frédéric Buclin <LpSolit@gmail.com> 2014-04-17 18:11:12 +0200
committer: Frédéric Buclin <LpSolit@gmail.com> 2014-04-17 18:11:12 +0200
commit: 0e390970ba51b14a5dc780be7c6f0d6d7baa67e3 (patch)
tree: 5e3a8751012a0c99769129494d1863a3a9ca5d9f /template/en/default/account/auth/login-small.html.tmpl
parent: b639a1a7f4ed58f8d30058509444e44be3095f53 (diff)
download: bugzilla-0e390970ba51b14a5dc780be7c6f0d6d7baa67e3.tar.gz
bugzilla-0e390970ba51b14a5dc780be7c6f0d6d7baa67e3.tar.xz
1 files changed, 3 insertions, 1 deletions
diff --git a/template/en/default/account/auth/login-small.html.tmpl b/template/en/default/account/auth/login-small.html.tmpl
index 32dbe431b..5868b8671 100644
--- a/template/en/default/account/auth/login-small.html.tmpl
+++ b/template/en/default/account/auth/login-small.html.tmpl
@@ -46,7 +46,9 @@
              [%+ "checked" IF Param('rememberlogin') == "defaulton" %]>
       <label for="Bugzilla_remember[% qs_suffix %]">Remember</label>
     [% END %]
-    <input type="submit" name="GoAheadAndLogIn" value="Log in" 
+    <input type="hidden" name="Bugzilla_login_token"
+           value="[% get_login_request_token() FILTER html %]">
+    <input type="submit" name="GoAheadAndLogIn" value="Log in"
             id="log_in[% qs_suffix %]">
     <a href="#" onclick="return hide_mini_login_form('[% qs_suffix %]')">[x]</a>
   </form>
author	Frédéric Buclin <LpSolit@gmail.com>	2014-04-17 18:11:12 +0200
committer	Frédéric Buclin <LpSolit@gmail.com>	2014-04-17 18:11:12 +0200
commit	0e390970ba51b14a5dc780be7c6f0d6d7baa67e3 (patch)
tree	5e3a8751012a0c99769129494d1863a3a9ca5d9f /template/en/default/account/auth/login-small.html.tmpl
parent	b639a1a7f4ed58f8d30058509444e44be3095f53 (diff)
download	bugzilla-0e390970ba51b14a5dc780be7c6f0d6d7baa67e3.tar.gz bugzilla-0e390970ba51b14a5dc780be7c6f0d6d7baa67e3.tar.xz