diff options
| author | Frédéric Buclin <LpSolit@gmail.com> | 2014-04-17 18:11:12 +0200 |
|---|---|---|
| committer | Frédéric Buclin <LpSolit@gmail.com> | 2014-04-17 18:11:12 +0200 |
| commit | 0e390970ba51b14a5dc780be7c6f0d6d7baa67e3 (patch) | |
| tree | 5e3a8751012a0c99769129494d1863a3a9ca5d9f /template/en/default/admin | |
| parent | b639a1a7f4ed58f8d30058509444e44be3095f53 (diff) | |
| download | bugzilla-0e390970ba51b14a5dc780be7c6f0d6d7baa67e3.tar.gz bugzilla-0e390970ba51b14a5dc780be7c6f0d6d7baa67e3.tar.xz | |
Bug 713926: (CVE-2014-1517) [SECURITY] Login form lacks CSRF protection
r=dkl a=justdave
Diffstat (limited to 'template/en/default/admin')
| -rw-r--r-- | template/en/default/admin/sudo.html.tmpl | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/template/en/default/admin/sudo.html.tmpl b/template/en/default/admin/sudo.html.tmpl index d4faf4ea7..bf0cd7b6f 100644 --- a/template/en/default/admin/sudo.html.tmpl +++ b/template/en/default/admin/sudo.html.tmpl @@ -68,9 +68,10 @@ <p> Finally, enter <label for="Bugzilla_password">your [% terms.Bugzilla %] password</label>: - <input type="hidden" name="Bugzilla_login" value=" - [%- user.login FILTER html %]"> + <input type="hidden" name="Bugzilla_login" value="[% user.login FILTER html %]"> <input type="password" id="Bugzilla_password" name="Bugzilla_password" size="20" required> + <input type="hidden" name="Bugzilla_login_token" + value="[% login_request_token FILTER html %]"> <br> This is done for two reasons. First of all, it is done to reduce the chances of someone doing large amounts of damage using your |