| field | value | date |
|---|---|---|
| author | David Lawrence <dkl@mozilla.com> | 2015-04-24 17:56:26 +0200 |
| committer | David Lawrence <dkl@mozilla.com> | 2015-04-24 17:56:26 +0200 |
| commit | 283be21f66e638667bc2ec7720cab459ecf1f698 (patch) | |
| tree | cdbfbb79d503373bb2058a96f369cf75542dbe3b /template | |
| parent | ed92da4fed393bb0f645f7bad022d49fed336a2f (diff) | |
| download | bugzilla-283be21f66e638667bc2ec7720cab459ecf1f698.tar.gz, bugzilla-283be21f66e638667bc2ec7720cab459ecf1f698.tar.xz | |
Bug 1157395: CSRF in log in form
Diffstat (limited to 'template')
4 files changed, 18 insertions, 4 deletions
diff --git a/template/en/default/account/auth/login-small.html.tmpl b/template/en/default/account/auth/login-small.html.tmpl index 220eb5f21..111aca0dd 100644 --- a/template/en/default/account/auth/login-small.html.tmpl +++ b/template/en/default/account/auth/login-small.html.tmpl @@ -72,7 +72,9 @@ [%+ "checked" IF Param('rememberlogin') == "defaulton" %]> <label for="Bugzilla_remember[% qs_suffix %]">Remember</label> [% END %] - <input type="submit" name="GoAheadAndLogIn" value="Log in" + <input type="hidden" name="Bugzilla_login_token" + value="[% get_login_request_token() FILTER html %]"> + <input type="submit" name="GoAheadAndLogIn" value="Log in" id="log_in[% qs_suffix %]"> <a href="#" id="hide_mini_login[% qs_suffix FILTER html %]" onclick="return hide_mini_login_form('[% qs_suffix %]')">[x]</a> diff --git a/template/en/default/account/auth/login.html.tmpl b/template/en/default/account/auth/login.html.tmpl index dac24bcdc..922a55bd4 100644 --- a/template/en/default/account/auth/login.html.tmpl +++ b/template/en/default/account/auth/login.html.tmpl @@ -84,8 +84,10 @@ [% PROCESS "global/hidden-fields.html.tmpl" exclude="^Bugzilla_(login|password|restrictlogin)$" %] + <input type="hidden" name="Bugzilla_login_token" + value="[% get_login_request_token() FILTER html %]"> <input type="submit" name="GoAheadAndLogIn" value="Log in" id="log_in"> - + <p> (Note: you should make sure cookies are enabled for this site. Otherwise, you will be required to log in frequently.) diff --git a/template/en/default/admin/sudo.html.tmpl b/template/en/default/admin/sudo.html.tmpl index c96a68ec1..9c0605567 100644 --- a/template/en/default/admin/sudo.html.tmpl +++ b/template/en/default/admin/sudo.html.tmpl 
@@ -82,9 +82,10 @@ <p> Finally, enter <label for="Bugzilla_password">your [% terms.Bugzilla %] password</label>: - <input type="hidden" name="Bugzilla_login" value=" - [%- user.login FILTER html %]"> + <input type="hidden" name="Bugzilla_login" value="[% user.login FILTER html %]"> <input type="password" id="Bugzilla_password" name="Bugzilla_password" size="20"> + <input type="hidden" name="Bugzilla_login_token" + value="[% login_request_token FILTER html %]"> <br> This is done for two reasons. First of all, it is done to reduce the chances of someone doing large amounts of damage using your diff --git a/template/en/default/global/user-error.html.tmpl b/template/en/default/global/user-error.html.tmpl index 250ab0e1d..5e83eef14 100644 --- a/template/en/default/global/user-error.html.tmpl +++ b/template/en/default/global/user-error.html.tmpl @@ -244,6 +244,15 @@ [% Hook.process("auth_failure") %] + [% ELSIF error == "auth_untrusted_request" %] + [% title = "Untrusted Authentication Request" %] + You tried to log in using the <em>[% login FILTER html %]</em> account, + but [% terms.Bugzilla %] is unable to trust your request. Make sure + your web browser accepts cookies and that you haven't been redirected + here from an external web site. + <a href="index.cgi?GoAheadAndLogIn=1">Click here</a> if you really want + to log in. + [% ELSIF error == "auth_invalid_token" %] [% title = 'A token error occurred' %] The token is not valid. It could be because you loaded this page more than |
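Review bot: in the login-small.html.tmpl hunk the new hidden `Bugzilla_login_token` field only emits the token, and because this diffstat is limited to `template` the server-side check is not visible here; confirm that a login POST with the field absent (not only one with a mismatched value) is rejected, otherwise any existing form or bookmarked request that omits the field still bypasses the new protection. The token value is correctly passed through `FILTER html`. Since the hunk touches these lines anyway: `qs_suffix` is escaped in `id="hide_mini_login[% qs_suffix FILTER html %]"` but not in `id="log_in[% qs_suffix %]"` or `hide_mini_login_form('[% qs_suffix %]')`; consider filtering it consistently in all three places.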
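Review bot: in the login.html.tmpl hunk the new `Bugzilla_login_token` input is emitted right after `global/hidden-fields.html.tmpl` is processed with `exclude="^Bugzilla_(login|password|restrictlogin)$"`; if that include re-emits the incoming request parameters as hidden fields, a form re-displayed after a failed login whose request carried `Bugzilla_login_token` would contain the stale token as a second field next to the fresh one. Consider `exclude="^Bugzilla_(login|password|restrictlogin|login_token)$"` so only the freshly generated token is submitted. The `-`/`+` pair before `<p>` is a whitespace-only change; harmless, but better kept out of a security fix so the diff stays focused.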
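Review bot: the sudo.html.tmpl hunk renders the token from a template variable, `[% login_request_token FILTER html %]`, while the two login templates call `get_login_request_token()` directly; unless the sudo CGI is also changed (outside this `template`-limited diffstat) to pass `login_request_token`, the variable is undefined, the hidden field is submitted empty and the sudo request will presumably be rejected as untrusted. Calling `get_login_request_token()` here as well would remove that dependency and keep the three forms consistent. Collapsing the `Bugzilla_login` hidden field to `value="[% user.login FILTER html %]"` is a good cleanup: the old two-line form with the `[%-` chomp left a newline and indentation inside the submitted value.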
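Review bot: in the user-error.html.tmpl hunk the recovery link in the new `auth_untrusted_request` block, `<a href="index.cgi?GoAheadAndLogIn=1">`, sends the user to the front-page login form and drops whatever page they were trying to reach; if the original target is available to the template, consider linking back to it, or otherwise say in the text that the user will be returned to the front page. The account name is correctly escaped with `[% login FILTER html %]`, and the explanation (cookies enabled, not redirected from an external site) gives the user the two things they can actually check.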