diff options
author | reed%reedloden.com <> | 2009-03-30 23:02:33 +0200 |
---|---|---|
committer | reed%reedloden.com <> | 2009-03-30 23:02:33 +0200 |
commit | d9041c3f97422fb377c3e8d20129f4ef8517f833 (patch) | |
tree | 005886bc062295c4050a17c8c7b45331f9fd01fe /template | |
parent | e0955c1603559bd8e0b63ccf0331fbde09412dcb (diff) | |
download | bugzilla-d9041c3f97422fb377c3e8d20129f4ef8517f833.tar.gz bugzilla-d9041c3f97422fb377c3e8d20129f4ef8517f833.tar.xz |
Bug 476603 - "[SECURITY] Editing attachments doesn't have any CSRF protection" [p=reed r=LpSolit a=LpSolit]
Diffstat (limited to 'template')
-rw-r--r-- | template/en/default/attachment/edit.html.tmpl | 3 | ||||
-rw-r--r-- | template/en/default/bug/show.xml.tmpl | 10 |
2 files changed, 10 insertions, 3 deletions
diff --git a/template/en/default/attachment/edit.html.tmpl b/template/en/default/attachment/edit.html.tmpl index f461e9e91..95c90871f 100644 --- a/template/en/default/attachment/edit.html.tmpl +++ b/template/en/default/attachment/edit.html.tmpl @@ -171,6 +171,9 @@ <input type="hidden" name="action" value="update"> <input type="hidden" name="contenttypemethod" value="manual"> <input type="hidden" name="delta_ts" value="[% attachment.modification_time FILTER html %]"> + [% IF user.id %] + <input type="hidden" name="token" value="[% issue_hash_token([attachment.id, attachment.modification_time]) FILTER html %]"> + [% END %] <table class="attachment_info" width="100%"> diff --git a/template/en/default/bug/show.xml.tmpl b/template/en/default/bug/show.xml.tmpl index 8fc6ddb3f..cd7f44eff 100644 --- a/template/en/default/bug/show.xml.tmpl +++ b/template/en/default/bug/show.xml.tmpl @@ -103,9 +103,13 @@ <type>[% a.contenttype FILTER xml %]</type> <size>[% a.datasize FILTER xml %]</size> <attacher>[% a.attacher.email FILTER email FILTER xml %]</attacher> - [% IF displayfields.attachmentdata %] - <data encoding="base64">[% a.data FILTER base64 %]</data> - [% END %] + [%# This is here so automated clients can still use attachment.cgi %] + [% IF displayfields.token && user.id %] + <token>[% issue_hash_token([a.id, a.modification_time]) FILTER xml %]</token> + [% END %] + [% IF displayfields.attachmentdata %] + <data encoding="base64">[% a.data FILTER base64 %]</data> + [% END %] [% FOREACH flag = a.flags %] <flag name="[% flag.type.name FILTER xml %]" |