author | Frédéric Buclin <LpSolit@gmail.com> | 2011-01-24 18:23:39 +0100 |
committer | Frédéric Buclin <LpSolit@gmail.com> | 2011-01-24 18:23:39 +0100 |
commit | fee4dfba5bce719769ee2733a0e7b824aaf298d6 (patch) | |
tree | 2ff0b5859ab1f8b1b1d3406377cbe7f19093c961 /template | |
parent | 10b4a9266d92269fd48d12d1a6de983858ea9b74 (diff) | |
download | bugzilla-fee4dfba5bce719769ee2733a0e7b824aaf298d6.tar.gz bugzilla-fee4dfba5bce719769ee2733a0e7b824aaf298d6.tar.xz |
Bug 621110: [SECURITY] Quips (adding/approving/deleting) lacks CSRF protection
r=dkl a=LpSolit
Diffstat (limited to 'template')
-rw-r--r-- | template/en/default/list/quips.html.tmpl | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/template/en/default/list/quips.html.tmpl b/template/en/default/list/quips.html.tmpl
index 1870ffcf2..62395d27f 100644
--- a/template/en/default/list/quips.html.tmpl
+++ b/template/en/default/list/quips.html.tmpl
@@ -73,6 +73,8 @@
 <form method="post" action="quips.cgi">
 <input type="hidden" name="action" value="add">
+ <input type="hidden" name="token"
+ value="[% issue_hash_token(['create-quips']) FILTER html %]">
 <input size="80" name="quip">
 <p>
 <input type="submit" id="add" value="Add This Quip">
@@ -103,6 +105,8 @@
 </p>
 <form name="editform" method="post" action="quips.cgi">
 <input type="hidden" name="action" value="approve">
+ <input type="hidden" name="token"
+ value="[% issue_hash_token(['approve-quips']) FILTER html %]">
 <table border="1">
 <thead><tr>
 <th>Quip</th>
@@ -119,7 +123,8 @@
 [% "Unknown" IF NOT users.$userid %]
 </td>
 <td>
- <a href="quips.cgi?action=delete&quipid=[% quipid FILTER uri %]">
+ <a href="quips.cgi?action=delete&quipid=[% quipid FILTER uri %]&token=
+ [%- issue_hash_token(['quips', quipid]) FILTER uri %]">
 Delete
 </a>
 </td> |
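Review bot: In the third hunk the delete action remains a GET link, so the new token is carried in the query string, where it is recorded in browser history, proxy and server access logs, and can leak through the Referer of any outbound link on the page that serves the response; the add and approve actions in the first two hunks correctly carry their token in a hidden input of a POST form. A per-row POST form is not possible here because these cells sit inside the `editform` form opened in the second hunk and forms cannot nest (that form and its table close outside the hunk), so the residual exposure has to be handled on the quips.cgi side — token lifetime, single use or a confirmation step — and that file is not in this view, which is limited to `template`. The `[%-` pre-chomp on the continuation line is what keeps the URL contiguous across the line break, and a `[%# the "-" chomps the newline so the URL stays on one line; do not reflow %]` comment above the anchor would protect it from a well-meaning reformat. Minor: the new `&token=`, like the existing `&quipid=`, should be `&amp;` inside an attribute value.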