Bug 1157395: CSRF in log in form

author: David Lawrence <dkl@mozilla.com> 2015-04-24 17:56:26 +0200
committer: David Lawrence <dkl@mozilla.com> 2015-04-24 17:56:26 +0200
commit: 283be21f66e638667bc2ec7720cab459ecf1f698 (patch)
tree: cdbfbb79d503373bb2058a96f369cf75542dbe3b /template/en/default/admin
parent: ed92da4fed393bb0f645f7bad022d49fed336a2f (diff)
download: bugzilla-283be21f66e638667bc2ec7720cab459ecf1f698.tar.gz
bugzilla-283be21f66e638667bc2ec7720cab459ecf1f698.tar.xz
1 files changed, 3 insertions, 2 deletions
diff --git a/template/en/default/admin/sudo.html.tmpl b/template/en/default/admin/sudo.html.tmpl
index c96a68ec1..9c0605567 100644
--- a/template/en/default/admin/sudo.html.tmpl
+++ b/template/en/default/admin/sudo.html.tmpl
@@ -82,9 +82,10 @@
     <p>
       Finally, enter <label for="Bugzilla_password">your [% terms.Bugzilla %]
       password</label>:
-      <input type="hidden" name="Bugzilla_login" value="
-      [%- user.login FILTER html %]">
+      <input type="hidden" name="Bugzilla_login" value="[% user.login FILTER html %]">
       <input type="password" id="Bugzilla_password" name="Bugzilla_password" size="20">
+      <input type="hidden" name="Bugzilla_login_token"
+             value="[% login_request_token FILTER html %]">
       <br>
       This is done for two reasons.  First of all, it is done to reduce 
       the chances of someone doing large amounts of damage using your
author	David Lawrence <dkl@mozilla.com>	2015-04-24 17:56:26 +0200
committer	David Lawrence <dkl@mozilla.com>	2015-04-24 17:56:26 +0200
commit	283be21f66e638667bc2ec7720cab459ecf1f698 (patch)
tree	cdbfbb79d503373bb2058a96f369cf75542dbe3b /template/en/default/admin
parent	ed92da4fed393bb0f645f7bad022d49fed336a2f (diff)
download	bugzilla-283be21f66e638667bc2ec7720cab459ecf1f698.tar.gz bugzilla-283be21f66e638667bc2ec7720cab459ecf1f698.tar.xz