Bug 476603 - "[SECURITY] Editing attachments doesn't have any CSRF protection" [p=reed r=LpSolit a=LpSolit]

author: reed%reedloden.com <> 2009-03-30 23:02:33 +0200
committer: reed%reedloden.com <> 2009-03-30 23:02:33 +0200
commit: d9041c3f97422fb377c3e8d20129f4ef8517f833 (patch)
tree: 005886bc062295c4050a17c8c7b45331f9fd01fe /template/en/default/attachment
parent: e0955c1603559bd8e0b63ccf0331fbde09412dcb (diff)
download: bugzilla-d9041c3f97422fb377c3e8d20129f4ef8517f833.tar.gz
bugzilla-d9041c3f97422fb377c3e8d20129f4ef8517f833.tar.xz
1 files changed, 3 insertions, 0 deletions
diff --git a/template/en/default/attachment/edit.html.tmpl b/template/en/default/attachment/edit.html.tmpl
index f461e9e91..95c90871f 100644
--- a/template/en/default/attachment/edit.html.tmpl
+++ b/template/en/default/attachment/edit.html.tmpl
@@ -171,6 +171,9 @@
   <input type="hidden" name="action" value="update">
   <input type="hidden" name="contenttypemethod" value="manual">
   <input type="hidden" name="delta_ts" value="[% attachment.modification_time FILTER html %]">
+  [% IF user.id %]
+    <input type="hidden" name="token" value="[% issue_hash_token([attachment.id, attachment.modification_time]) FILTER html %]">
+  [% END %]
 
   <table class="attachment_info" width="100%">
author	reed%reedloden.com <>	2009-03-30 23:02:33 +0200
committer	reed%reedloden.com <>	2009-03-30 23:02:33 +0200
commit	d9041c3f97422fb377c3e8d20129f4ef8517f833 (patch)
tree	005886bc062295c4050a17c8c7b45331f9fd01fe /template/en/default/attachment
parent	e0955c1603559bd8e0b63ccf0331fbde09412dcb (diff)
download	bugzilla-d9041c3f97422fb377c3e8d20129f4ef8517f833.tar.gz bugzilla-d9041c3f97422fb377c3e8d20129f4ef8517f833.tar.xz