diff options
author | Dylan William Hardison <dylan@hardison.net> | 2018-03-20 15:06:20 +0100 |
---|---|---|
committer | Dylan William Hardison <dylan@hardison.net> | 2018-03-20 15:06:20 +0100 |
commit | 40023c4a9f7d949f623b3b6fa90c9cbf5dfc2351 (patch) | |
tree | 8b712354b3cc527db6c498d11a50cdbbc2a42837 /template/en | |
parent | 4cd99a91ff6a92a5e10449463b12a312060d01ba (diff) | |
download | bugzilla-40023c4a9f7d949f623b3b6fa90c9cbf5dfc2351.tar.gz bugzilla-40023c4a9f7d949f623b3b6fa90c9cbf5dfc2351.tar.xz |
Bug 1444008 - Form action injection in Bugzilla /user_profile (leads to XSS/single-factor credential leakage)
Diffstat (limited to 'template/en')
-rw-r--r-- | template/en/default/account/auth/login.html.tmpl | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/template/en/default/account/auth/login.html.tmpl b/template/en/default/account/auth/login.html.tmpl index 160fad43b..c11a6afc1 100644 --- a/template/en/default/account/auth/login.html.tmpl +++ b/template/en/default/account/auth/login.html.tmpl @@ -42,7 +42,7 @@ </p> <div id="login" class="login-form"> - <form name="login" action="[% target FILTER html %]" method="POST" + <form name="login" action="[% urlbase %][% target FILTER uri FILTER html %]" method="POST" [%- IF Bugzilla.cgi.param("data") %] enctype="multipart/form-data"[% END %]> <div class="field-login"> <label for="Bugzilla_login">Email Address:</label> |