authorFrédéric Buclin <LpSolit@gmail.com>2011-01-24 18:23:39 +0100
committerFrédéric Buclin <LpSolit@gmail.com>2011-01-24 18:23:39 +0100
commitfee4dfba5bce719769ee2733a0e7b824aaf298d6 (patch)
tree2ff0b5859ab1f8b1b1d3406377cbe7f19093c961 /template/en/default
parent10b4a9266d92269fd48d12d1a6de983858ea9b74 (diff)
Bug 621110: [SECURITY] Quips (adding/approving/deleting) lacks CSRF protection
r=dkl a=LpSolit
Diffstat (limited to 'template/en/default')
-rw-r--r--template/en/default/list/quips.html.tmpl7
1 files changed, 6 insertions, 1 deletions
diff --git a/template/en/default/list/quips.html.tmpl b/template/en/default/list/quips.html.tmpl
index 1870ffcf2..62395d27f 100644
--- a/template/en/default/list/quips.html.tmpl
+++ b/template/en/default/list/quips.html.tmpl
@@ -73,6 +73,8 @@
<form method="post" action="quips.cgi">
<input type="hidden" name="action" value="add">
+ <input type="hidden" name="token"
+ value="[% issue_hash_token(['create-quips']) FILTER html %]">
<input size="80" name="quip">
<p>
<input type="submit" id="add" value="Add This Quip">
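Review bot: The hidden token added here (and the `approve-quips` one in the next hunk) is only half of the protection: the event string in `issue_hash_token(['create-quips'])` has to match the one the server verifies in quips.cgi byte for byte, and that counterpart is not visible on this page because the diffstat is limited to template/en/default, so a reader of the template cannot confirm the pairing. A short template comment would make the coupling explicit, e.g. `[%# 'create-quips' must match the event name checked in quips.cgi %]` above the hidden input, with the equivalent note for `'approve-quips'` in the second hunk. The surrounding form's closing tag lies outside this hunk.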
@@ -103,6 +105,8 @@
</p>
<form name="editform" method="post" action="quips.cgi">
<input type="hidden" name="action" value="approve">
+ <input type="hidden" name="token"
+ value="[% issue_hash_token(['approve-quips']) FILTER html %]">
<table border="1">
<thead><tr>
<th>Quip</th>
@@ -119,7 +123,8 @@
[% "Unknown" IF NOT users.$userid %]
</td>
<td>
- <a href="quips.cgi?action=delete&amp;quipid=[% quipid FILTER uri %]">
+ <a href="quips.cgi?action=delete&amp;quipid=[% quipid FILTER uri %]&amp;token=
+ [%- issue_hash_token(['quips', quipid]) FILTER uri %]">
Delete
</a>
</td>
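Review bot: The delete action remains a GET link, so the new `token` is carried in the query string, where it can end up in server access logs and in the Referer header of any page the user navigates to from quips.cgi; the hash-based token presumably limits the impact, but a state-changing operation is better issued with `method="post"`, which also keeps the token out of the URL. Replacing the anchor with a small per-row form keeps the same parameters (`action`, `quipid`, `token`) and the same `FILTER html` escaping the other hunks use, assuming quips.cgi reads its parameters independently of the HTTP method — that CGI is not in this diffstat, so verify before switching. The enclosing `[% FOREACH %]` loop and table start outside this hunk.
```html
<td>
  <form method="post" action="quips.cgi">
    <input type="hidden" name="action" value="delete">
    <input type="hidden" name="quipid" value="[% quipid FILTER html %]">
    <input type="hidden" name="token"
           value="[% issue_hash_token(['quips', quipid]) FILTER html %]">
    <input type="submit" value="Delete">
  </form>
</td>
```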