authorReed Loden <reed@reedloden.com>2012-05-29 17:22:31 +0200
committerReed Loden <reed@reedloden.com>2012-05-29 17:22:31 +0200
commit038df43c5a3d51bd66772a7df7e6403eebe1b913 (patch)
treeb9448e83097d8621f9552a883c213e7e99e4ea05 /template/en/default/search
parent9245e5ca7bab659a00bf301f3db22b8d9608f92b (diff)
downloadbugzilla-038df43c5a3d51bd66772a7df7e6403eebe1b913.tar.gz
bugzilla-038df43c5a3d51bd66772a7df7e6403eebe1b913.tar.xz
Bug 754672 - CSRF vulnerability in buglist.cgi allows possible unauthorized setting of default search options
[r=LpSolit a=LpSolit]
Diffstat (limited to 'template/en/default/search')
-rw-r--r--template/en/default/search/knob.html.tmpl23
1 files changed, 14 insertions, 9 deletions
diff --git a/template/en/default/search/knob.html.tmpl b/template/en/default/search/knob.html.tmpl
index 723825a3c..e9e3daaf1 100644
--- a/template/en/default/search/knob.html.tmpl
+++ b/template/en/default/search/knob.html.tmpl
@@ -23,6 +23,9 @@
"Last Changed" => "Last Changed" } %]
<input type="hidden" name="cmdtype" value="doit">
+[% IF user.id %]
+ <input type="hidden" name="token" value="[% issue_hash_token(['searchknob']) FILTER html %]">
+[% END %]
<p>
<label for="order">Sort results by</label>:
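Review bot: The token on the added line is issued only inside `[% IF user.id %]`, which matches the gating of the "remember as default" checkbox in the `@@ -51,14 +54,16 @@` hunk, but nothing in this diff shows buglist.cgi refusing a `remtype=asdefault` request whose token is absent or fails `check_hash_token` — the diffstat is limited to the template directory, so the server-side enforcement that actually closes the CSRF hole has to be confirmed elsewhere, since a template-only change leaves the request forgeable if the CGI still honours the old parameter set. The `'searchknob'` label passed to `issue_hash_token` must also match the label used by the server-side check exactly, which is only verifiable outside this hunk. The reason for the `user.id` guard is not stated in the template; a short comment such as `[%# Only logged-in users can save default search options, so the CSRF token is issued for them alone. %]` above the new `[% IF user.id %]` would spare the next maintainer the inference. The enclosing `<form>` starts before this hunk.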
@@ -39,7 +42,7 @@
<input type="submit" id="[% button_name FILTER html %]"
value="[% button_name FILTER html %]">
[% IF known_name %]
- [%# We store known_name in case the user add a boolean chart. %]
+ [%# We store known_name in case the user adds a boolean chart. %]
<input type="hidden" name="known_name" value="[% known_name FILTER html %]">
[%# The name of the existing query will be passed to buglist.cgi. %]
@@ -51,14 +54,16 @@
[% END %]
</p>
-<p>
- &nbsp;&nbsp;&nbsp;
- <input type="checkbox" id="remasdefault"
- name="remtype" value="asdefault">
- <label for="remasdefault">
- and remember these as my default search options
- </label>
-</p>
+[% IF user.id %]
+ <p>
+ &nbsp;&nbsp;&nbsp;
+ <input type="checkbox" id="remasdefault"
+ name="remtype" value="asdefault">
+ <label for="remasdefault">
+ and remember these as my default search options
+ </label>
+ </p>
+[% END %]
[% IF userdefaultquery %]
<p>