Bug 1090427: Backport bug 713926 to bmo/4.2 to protect against csrf for login forms

author: David Lawrence <dkl@mozilla.com> 2014-11-04 04:11:09 +0100
committer: Byron Jones <glob@mozilla.com> 2014-11-04 04:11:09 +0100
commit: 4e1941fedbe46bafce9aded3a0a38d272fec37a2 (patch)
tree: 633351ada50932ec6b747705b95e0bd04e39f05e /template/en/default/admin
parent: d6ee5ade172abe24389aca15eba9fe922b5697c7 (diff)
download: bugzilla-4e1941fedbe46bafce9aded3a0a38d272fec37a2.tar.gz
bugzilla-4e1941fedbe46bafce9aded3a0a38d272fec37a2.tar.xz
1 files changed, 3 insertions, 2 deletions
diff --git a/template/en/default/admin/sudo.html.tmpl b/template/en/default/admin/sudo.html.tmpl
index 676959c34..beb7ba510 100644
--- a/template/en/default/admin/sudo.html.tmpl
+++ b/template/en/default/admin/sudo.html.tmpl
@@ -81,9 +81,10 @@
     <p>
       Finally, enter <label for="Bugzilla_password">your [% terms.Bugzilla %]
       password</label>:
-      <input type="hidden" name="Bugzilla_login" value="
-      [%- user.login FILTER html %]">
+      <input type="hidden" name="Bugzilla_login" value="[% user.login FILTER html %]">
       <input type="password" id="Bugzilla_password" name="Bugzilla_password" size="20">
+      <input type="hidden" name="Bugzilla_login_token"
+             value="[% login_request_token FILTER html %]">
       <br>
       This is done for two reasons.  First of all, it is done to reduce 
       the chances of someone doing large amounts of damage using your
author	David Lawrence <dkl@mozilla.com>	2014-11-04 04:11:09 +0100
committer	Byron Jones <glob@mozilla.com>	2014-11-04 04:11:09 +0100
commit	4e1941fedbe46bafce9aded3a0a38d272fec37a2 (patch)
tree	633351ada50932ec6b747705b95e0bd04e39f05e /template/en/default/admin
parent	d6ee5ade172abe24389aca15eba9fe922b5697c7 (diff)
download	bugzilla-4e1941fedbe46bafce9aded3a0a38d272fec37a2.tar.gz bugzilla-4e1941fedbe46bafce9aded3a0a38d272fec37a2.tar.xz