Bug 713926: (CVE-2014-1517) [SECURITY] Login form lacks CSRF protection

r=dkl a=justdave
author: Frédéric Buclin <LpSolit@gmail.com> 2014-04-17 18:11:12 +0200
committer: Frédéric Buclin <LpSolit@gmail.com> 2014-04-17 18:11:12 +0200
commit: 0e390970ba51b14a5dc780be7c6f0d6d7baa67e3 (patch)
tree: 5e3a8751012a0c99769129494d1863a3a9ca5d9f /template/en/default/global/user-error.html.tmpl
parent: b639a1a7f4ed58f8d30058509444e44be3095f53 (diff)
download: bugzilla-0e390970ba51b14a5dc780be7c6f0d6d7baa67e3.tar.gz
bugzilla-0e390970ba51b14a5dc780be7c6f0d6d7baa67e3.tar.xz
1 files changed, 9 insertions, 0 deletions
diff --git a/template/en/default/global/user-error.html.tmpl b/template/en/default/global/user-error.html.tmpl
index 11d4f8ad1..0b5d66764 100644
--- a/template/en/default/global/user-error.html.tmpl
+++ b/template/en/default/global/user-error.html.tmpl
@@ -219,6 +219,15 @@
 
     [% Hook.process("auth_failure") %]
 
+  [% ELSIF error == "auth_untrusted_request" %]
+    [% title = "Untrusted Authentication Request" %]
+    You tried to log in using the <em>[% login FILTER html %]</em> account,
+    but [% terms.Bugzilla %] is unable to trust your request. Make sure
+    your web browser accepts cookies and that you haven't been redirected
+    here from an external web site.
+    <a href="index.cgi?GoAheadAndLogIn=1">Click here</a> if you really want
+    to log in.
+
   [% ELSIF error == "attachment_deletion_disabled" %]
     [% title = "Attachment Deletion Disabled" %]
     Attachment deletion is disabled on this installation.
author	Frédéric Buclin <LpSolit@gmail.com>	2014-04-17 18:11:12 +0200
committer	Frédéric Buclin <LpSolit@gmail.com>	2014-04-17 18:11:12 +0200
commit	0e390970ba51b14a5dc780be7c6f0d6d7baa67e3 (patch)
tree	5e3a8751012a0c99769129494d1863a3a9ca5d9f /template/en/default/global/user-error.html.tmpl
parent	b639a1a7f4ed58f8d30058509444e44be3095f53 (diff)
download	bugzilla-0e390970ba51b14a5dc780be7c6f0d6d7baa67e3.tar.gz bugzilla-0e390970ba51b14a5dc780be7c6f0d6d7baa67e3.tar.xz