authorreed%reedloden.com <>2009-03-30 23:02:33 +0200
committerreed%reedloden.com <>2009-03-30 23:02:33 +0200
commitd9041c3f97422fb377c3e8d20129f4ef8517f833 (patch)
tree005886bc062295c4050a17c8c7b45331f9fd01fe /template/en/default/bug
parente0955c1603559bd8e0b63ccf0331fbde09412dcb (diff)
Bug 476603 - "[SECURITY] Editing attachments doesn't have any CSRF protection" [p=reed r=LpSolit a=LpSolit]
Diffstat (limited to 'template/en/default/bug')
-rw-r--r--template/en/default/bug/show.xml.tmpl10
1 files changed, 7 insertions, 3 deletions
diff --git a/template/en/default/bug/show.xml.tmpl b/template/en/default/bug/show.xml.tmpl
index 8fc6ddb3f..cd7f44eff 100644
--- a/template/en/default/bug/show.xml.tmpl
+++ b/template/en/default/bug/show.xml.tmpl
@@ -103,9 +103,13 @@
<type>[% a.contenttype FILTER xml %]</type>
<size>[% a.datasize FILTER xml %]</size>
<attacher>[% a.attacher.email FILTER email FILTER xml %]</attacher>
- [% IF displayfields.attachmentdata %]
- <data encoding="base64">[% a.data FILTER base64 %]</data>
- [% END %]
+ [%# This is here so automated clients can still use attachment.cgi %]
+ [% IF displayfields.token && user.id %]
+ <token>[% issue_hash_token([a.id, a.modification_time]) FILTER xml %]</token>
+ [% END %]
+ [% IF displayfields.attachmentdata %]
+ <data encoding="base64">[% a.data FILTER base64 %]</data>
+ [% END %]
[% FOREACH flag = a.flags %]
<flag name="[% flag.type.name FILTER xml %]"