diff options
author | Reed Loden <reed@reedloden.com> | 2012-05-29 17:23:18 +0200 |
---|---|---|
committer | Reed Loden <reed@reedloden.com> | 2012-05-29 17:23:18 +0200 |
commit | 6b9b50db744c603dbfa0c7ae5aac8dca4e58b0cd (patch) | |
tree | 4d43b6272f1889ad125b93539a2b5420c5d3202c /template/en | |
parent | 3004a5e322c3a95c7e51978b917f1547c382bac9 (diff) | |
download | bugzilla-6b9b50db744c603dbfa0c7ae5aac8dca4e58b0cd.tar.gz bugzilla-6b9b50db744c603dbfa0c7ae5aac8dca4e58b0cd.tar.xz |
Bug 754672 - CSRF vulnerability in buglist.cgi allows possible unauthorized setting of default search options
[r=LpSolit a=LpSolit]
Diffstat (limited to 'template/en')
-rw-r--r-- | template/en/default/search/knob.html.tmpl | 23 |
1 files changed, 14 insertions, 9 deletions
diff --git a/template/en/default/search/knob.html.tmpl b/template/en/default/search/knob.html.tmpl index a50f6bd32..e20822bf5 100644 --- a/template/en/default/search/knob.html.tmpl +++ b/template/en/default/search/knob.html.tmpl @@ -40,6 +40,9 @@ "Last Changed" => "Last Changed" } %] <input type="hidden" name="cmdtype" value="doit"> +[% IF user.id %] + <input type="hidden" name="token" value="[% issue_hash_token(['searchknob']) FILTER html %]"> +[% END %] <p> <label for="order">Sort results by</label>: @@ -56,7 +59,7 @@ <input type="submit" id="[% button_name FILTER html %]" value="[% button_name FILTER html %]"> [% IF known_name %] - [%# We store known_name in case the user add a boolean chart. %] + [%# We store known_name in case the user adds a boolean chart. %] <input type="hidden" name="known_name" value="[% known_name FILTER html %]"> [%# The name of the existing query will be passed to buglist.cgi. %] @@ -68,14 +71,16 @@ [% END %] </p> -<p> - - <input type="checkbox" id="remasdefault" - name="remtype" value="asdefault"> - <label for="remasdefault"> - and remember these as my default search options - </label> -</p> +[% IF user.id %] + <p> + + <input type="checkbox" id="remasdefault" + name="remtype" value="asdefault"> + <label for="remasdefault"> + and remember these as my default search options + </label> + </p> +[% END %] [% IF userdefaultquery %] <p> |