Bug 466692: [SECURITY] keywords and unused flag types can be deleted by bypassing the token check - Patch by Frédéric Buclin <LpSolit@gmail.com> r=mkanat a=LpSolit

2 files changed, 2 insertions, 3 deletions

diff --git a/template/en/default/admin/keywords/confirm-delete.html.tmpl b/template/en/default/admin/keywords/confirm-delete.html.tmpl
index 6bde05abf..20a6deee7 100755..100644
--- a/template/en/default/admin/keywords/confirm-delete.html.tmpl
+++ b/template/en/default/admin/keywords/confirm-delete.html.tmpl
@@ -31,7 +31,7 @@
 <p>
   [% IF keyword.bug_count == 1 %]
     There is one [% terms.bug %] with this keyword set.
-  [% ELSE %]
+  [% ELSIF keyword.bug_count > 1 %]
     There are [% keyword.bug_count FILTER html %] [%+ terms.bugs %] with
     this keyword set.
   [% END %]
@@ -43,7 +43,6 @@
 <form method="post" action="editkeywords.cgi">
   <input type="hidden" name="id" value="[% keyword.id FILTER html %]">
   <input type="hidden" name="action" value="delete">
-  <input type="hidden" name="reallydelete" value="1">
   <input type="hidden" name="token" value="[% token FILTER html %]">
   <input type="submit" id="delete"
          value="Yes, really delete the keyword">
diff --git a/template/en/default/admin/keywords/list.html.tmpl b/template/en/default/admin/keywords/list.html.tmpl
index 5fb6b3aa6..c400a2362 100755..100644
--- a/template/en/default/admin/keywords/list.html.tmpl
+++ b/template/en/default/admin/keywords/list.html.tmpl
@@ -54,7 +54,7 @@
      { 
        heading => "Action" 
        content => "Delete"
-       contentlink => "editkeywords.cgi?action=delete&amp;id=%%id%%"
+       contentlink => "editkeywords.cgi?action=del&amp;id=%%id%%"
      }
    ]
 %]