Bug 706271: CSRF vulnerability in token.cgi allows possible unauthorized password reset e-mail request

r=reed a=LpSolit
author: Frédéric Buclin <LpSolit@gmail.com> 2012-08-06 23:44:33 +0200
committer: Frédéric Buclin <LpSolit@gmail.com> 2012-08-06 23:44:33 +0200
commit: 2137f365677d836e3d3c55c81634d0f732fecdfe (patch)
tree: 6b54af2c845acd8588dbe41cfb84f347a69d8ee8 /token.cgi
parent: 94abbb03a8db4179bdd7fe5edccb077e8908d114 (diff)
download: bugzilla-2137f365677d836e3d3c55c81634d0f732fecdfe.tar.gz
bugzilla-2137f365677d836e3d3c55c81634d0f732fecdfe.tar.xz
1 files changed, 5 insertions, 0 deletions
diff --git a/token.cgi b/token.cgi
index fa262e76a..20870159a 100755
--- a/token.cgi
+++ b/token.cgi
@@ -108,6 +108,11 @@ if ( $action eq 'reqpw' ) {
         ThrowUserError("password_change_requests_not_allowed");
     }
 
+    # Check the hash token to make sure this user actually submitted
+    # the forgotten password form.
+    my $token = $cgi->param('token');
+    check_hash_token($token, ['reqpw']);
+
     validate_email_syntax($login_name)
         || ThrowUserError('illegal_email_address', {addr => $login_name});
author	Frédéric Buclin <LpSolit@gmail.com>	2012-08-06 23:44:33 +0200
committer	Frédéric Buclin <LpSolit@gmail.com>	2012-08-06 23:44:33 +0200
commit	2137f365677d836e3d3c55c81634d0f732fecdfe (patch)
tree	6b54af2c845acd8588dbe41cfb84f347a69d8ee8 /token.cgi
parent	94abbb03a8db4179bdd7fe5edccb077e8908d114 (diff)
download	bugzilla-2137f365677d836e3d3c55c81634d0f732fecdfe.tar.gz bugzilla-2137f365677d836e3d3c55c81634d0f732fecdfe.tar.xz