summaryrefslogtreecommitdiffstats
path: root/template
diff options
context:
space:
mode:
authorFrédéric Buclin <LpSolit@gmail.com>2012-08-06 23:44:33 +0200
committerFrédéric Buclin <LpSolit@gmail.com>2012-08-06 23:44:33 +0200
commit2137f365677d836e3d3c55c81634d0f732fecdfe (patch)
tree6b54af2c845acd8588dbe41cfb84f347a69d8ee8 /template
parent94abbb03a8db4179bdd7fe5edccb077e8908d114 (diff)
downloadbugzilla-2137f365677d836e3d3c55c81634d0f732fecdfe.tar.gz
bugzilla-2137f365677d836e3d3c55c81634d0f732fecdfe.tar.xz
Bug 706271: CSRF vulnerability in token.cgi allows possible unauthorized password reset e-mail request
r=reed a=LpSolit
Diffstat (limited to 'template')
-rw-r--r--template/en/default/account/auth/login-small.html.tmpl7
-rw-r--r--template/en/default/account/auth/login.html.tmpl1
2 files changed, 5 insertions, 3 deletions
diff --git a/template/en/default/account/auth/login-small.html.tmpl b/template/en/default/account/auth/login-small.html.tmpl
index fbe40fb43..cb4335466 100644
--- a/template/en/default/account/auth/login-small.html.tmpl
+++ b/template/en/default/account/auth/login-small.html.tmpl
@@ -36,8 +36,8 @@
[% IF cgi.request_method == "GET" AND cgi.query_string %]
[% connector = "&" %]
[% END %]
- [% script_name = login_target _ connector _ "GoAheadAndLogIn=1" %]
- <a id="login_link[% qs_suffix %]" href="[% script_name FILTER html %]"
+ [% script_url = login_target _ connector _ "GoAheadAndLogIn=1" %]
+ <a id="login_link[% qs_suffix %]" href="[% script_url FILTER html %]"
onclick="return show_mini_login_form('[% qs_suffix %]')">Log In</a>
[% Hook.process('additional_methods') %]
@@ -114,7 +114,7 @@
</li>
<li id="forgot_container[% qs_suffix %]">
<span class="separator">| </span>
- <a id="forgot_link[% qs_suffix %]" href="[% script_name FILTER html %]#forgot"
+ <a id="forgot_link[% qs_suffix %]" href="[% script_url FILTER html %]#forgot"
onclick="return show_forgot_form('[% qs_suffix %]')">Forgot Password</a>
<form action="token.cgi" method="post" id="forgot_form[% qs_suffix %]"
class="mini_forgot bz_default_hidden">
@@ -123,6 +123,7 @@
<input id="forgot_button[% qs_suffix %]" value="Reset Password"
type="submit">
<input type="hidden" name="a" value="reqpw">
+ <input type="hidden" id="token" name="token" value="[% issue_hash_token(['reqpw']) FILTER html %]">
<a href="#" onclick="return hide_forgot_form('[% qs_suffix %]')">[x]</a>
</form>
</li>
diff --git a/template/en/default/account/auth/login.html.tmpl b/template/en/default/account/auth/login.html.tmpl
index 122ef6f7c..3de52b6a0 100644
--- a/template/en/default/account/auth/login.html.tmpl
+++ b/template/en/default/account/auth/login.html.tmpl
@@ -115,6 +115,7 @@
enter your login name below and submit a request
to change your password.<br>
<input size="35" name="loginname">
+ <input type="hidden" id="token" name="token" value="[% issue_hash_token(['reqpw']) FILTER html %]">
<input type="submit" id="request" value="Reset Password">
</form>
[% END %]