-rw-r--r--extensions/BMO/Extension.pm1
-rw-r--r--extensions/BMO/template/en/default/pages/query_database.html.tmpl1
2 files changed, 2 insertions, 0 deletions
diff --git a/extensions/BMO/Extension.pm b/extensions/BMO/Extension.pm
index a72f3d1be..75b8df456 100644
--- a/extensions/BMO/Extension.pm
+++ b/extensions/BMO/Extension.pm
@@ -2133,6 +2133,7 @@ sub query_database {
$vars->{query} = $query;
if ($query) {
+ check_hash_token($input->{token}, ['query_database']);
trick_taint($query);
$vars->{executed} = 1;
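Review bot: The new `check_hash_token` call in query_database is a bare function call, and the commit does not touch the file's import block, so unless Extension.pm already imports it (presumably `use Bugzilla::Token;`, which is outside this hunk) the call fails at runtime with an undefined-subroutine error exactly when a query is submitted; worth confirming in the part of the file not shown. The placement inside `if ($query)` is deliberate but not self-evident, and the line directly precedes `trick_taint($query)`, which strips taint from raw SQL supplied by the request, so a why-comment would help: `# CSRF guard: the form presents a token minted for this page; verify it before the untrusted SQL below is untainted and executed.`. The token check only establishes that the request came from the page's own form, so the authorization check that decides who may run raw SQL (presumably earlier in the sub, outside the hunk) remains the control that matters. The body of query_database starts and ends outside this hunk.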
diff --git a/extensions/BMO/template/en/default/pages/query_database.html.tmpl b/extensions/BMO/template/en/default/pages/query_database.html.tmpl
index 97f5c0a25..79c5be1d8 100644
--- a/extensions/BMO/template/en/default/pages/query_database.html.tmpl
+++ b/extensions/BMO/template/en/default/pages/query_database.html.tmpl
@@ -15,6 +15,7 @@
<input type="hidden" name="id" value="query_database.html">
<textarea cols="80" rows="10" name="query">[% query FILTER html %]</textarea><br>
<input type="submit" value="Execute">
+<input type="hidden" name="token" value="[% issue_hash_token(['query_database']) FILTER html %]">
</form>
[% IF executed %]
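Review bot: The token the new hidden input carries now authorizes execution of a raw SQL statement, so the enclosing `<form>` should submit with `method="post"`; the opening `<form>` tag is outside this hunk, so whether it does cannot be confirmed here. With a GET form the token and the query text would be carried in the URL and so end up in browser history, referrer headers and server logs, weakening the CSRF protection this commit adds. The `FILTER html` on the token value is appropriate and consistent with the `query` textarea above it.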