Bug 466748: [SECURITY] Shared/saved searches can be deleted without user confirmation using predictable URL - Patch by FrÃ©dÃ©ric Buclin <LpSolit@gmail.com> r=mkanat a=LpSolit

author: lpsolit%gmail.com <> 2009-02-02 19:48:38 +0100
committer: lpsolit%gmail.com <> 2009-02-02 19:48:38 +0100
commit: 44341577cd209d8c61fe4129ea72785fc7be9ee5 (patch)
tree: 794b09b93c8bb68d00b72f23872048a519d7dcaf /template/en/default/list/list.html.tmpl
parent: 95c875a4f1b3c7f5dc7de573551f24e72718506b (diff)
download: bugzilla-44341577cd209d8c61fe4129ea72785fc7be9ee5.tar.gz
bugzilla-44341577cd209d8c61fe4129ea72785fc7be9ee5.tar.xz
1 files changed, 3 insertions, 2 deletions
diff --git a/template/en/default/list/list.html.tmpl b/template/en/default/list/list.html.tmpl
index 4929c416d..a75f1340c 100644
--- a/template/en/default/list/list.html.tmpl
+++ b/template/en/default/list/list.html.tmpl
@@ -228,8 +228,9 @@
       <td valign="middle" nowrap="nowrap" class="bz_query_forget">
         |
         <a href="buglist.cgi?cmdtype=dorem&amp;remaction=forget&amp;namedcmd=
-                [% searchname FILTER url_quote %]">Forget&nbsp;Search&nbsp;'
-                [% searchname FILTER html %]'</a>
+                [% searchname FILTER url_quote %]&amp;token=
+                [% issue_hash_token([search_id, searchname]) FILTER url_quote %]">
+          Forget&nbsp;Search&nbsp;'[% searchname FILTER html %]'</a>
       </td>
     [% ELSE %]
       <td>&nbsp;</td>
author	lpsolit%gmail.com <>	2009-02-02 19:48:38 +0100
committer	lpsolit%gmail.com <>	2009-02-02 19:48:38 +0100
commit	44341577cd209d8c61fe4129ea72785fc7be9ee5 (patch)
tree	794b09b93c8bb68d00b72f23872048a519d7dcaf /template/en/default/list/list.html.tmpl
parent	95c875a4f1b3c7f5dc7de573551f24e72718506b (diff)
download	bugzilla-44341577cd209d8c61fe4129ea72785fc7be9ee5.tar.gz bugzilla-44341577cd209d8c61fe4129ea72785fc7be9ee5.tar.xz