author | David Lawrence <dlawrence@mozilla.com> | 2011-01-07 05:02:28 +0100 |
committer | David Lawrence <dlawrence@mozilla.com> | 2011-01-07 05:02:28 +0100 |
commit | aa94254a92a7d1c4f09275b5937c3eae7300dad6 (patch) | |
tree | 64bbd301a0251b2f89d0d16ca80958f3357ba512 /template/en/default | |
parent | 8cea190794a75022d3d95932b5895a21afb0b298 (diff) | |
download | bugzilla-aa94254a92a7d1c4f09275b5937c3eae7300dad6.tar.gz bugzilla-aa94254a92a7d1c4f09275b5937c3eae7300dad6.tar.xz |
Bug 621090 - [SECURITY] Adding saved searches lacks CSRF protection
r/a=mkanat
Diffstat (limited to 'template/en/default')
-rw-r--r-- | template/en/default/global/per-bug-queries.html.tmpl | 1 | ||||
-rw-r--r-- | template/en/default/list/list.html.tmpl | 1 |
2 files changed, 2 insertions, 0 deletions
diff --git a/template/en/default/global/per-bug-queries.html.tmpl b/template/en/default/global/per-bug-queries.html.tmpl
index 3c62e35f5..a7c073ba1 100644
--- a/template/en/default/global/per-bug-queries.html.tmpl
+++ b/template/en/default/global/per-bug-queries.html.tmpl
@@ -63,6 +63,7 @@
 <input type="hidden" name="cmdtype" value="doit">
 <input type="hidden" name="remtype" value="asnamed">
 <input type="hidden" name="list_of_bugs" value="1">
+ <input type="hidden" name="token" value="[% issue_hash_token(['savedsearch']) FILTER html %]">
 <select id="lob_action" name="action" onchange="update_text();">
 <option value="add">Add</option>
 [% IF lists_of_bugs.size %]
diff --git a/template/en/default/list/list.html.tmpl b/template/en/default/list/list.html.tmpl
index 4ebc7194c..924ce23dc 100644
--- a/template/en/default/list/list.html.tmpl
+++ b/template/en/default/list/list.html.tmpl
@@ -253,6 +253,7 @@
 value="[% urlquerypart FILTER html %][% "&order=$qorder" FILTER html IF order %]">
 <input type="hidden" name="cmdtype" value="doit">
 <input type="hidden" name="remtype" value="asnamed">
+ <input type="hidden" name="token" value="[% issue_hash_token(['savedsearch']) FILTER html %]">
 <input type="text" id="save_newqueryname" name="newqueryname" size="20"
 value="[% defaultsavename FILTER html %]">
 </form> |
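Review bot: The hidden `token` field added to both forms is only a CSRF defence if buglist.cgi rejects a `cmdtype=doit`/`remtype=asnamed` request whose token fails `check_hash_token($token, ['savedsearch'])`; that server-side check is outside this diffstat (limited to template/en/default), so it must be confirmed in the companion change rather than assumed from the template. Because the token is derived from the constant `'savedsearch'` rather than the query name, one valid token authorises any saved-search add or overwrite for that user while it remains valid, which is adequate for CSRF but worth recording next to the field, e.g. `[%# CSRF token; buglist.cgi must validate it with check_hash_token before saving %]`. Any other path that creates or deletes saved searches (for example a forget/remove link, if one exists elsewhere in these templates) is not in this diff and should be checked for its own token. Both `<form>` elements these hunks sit in begin before the hunk.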