Diffstat (limited to 'extensions/BMO/Extension.pm')
-rw-r--r--extensions/BMO/Extension.pm18
1 files changed, 17 insertions, 1 deletions
diff --git a/extensions/BMO/Extension.pm b/extensions/BMO/Extension.pm
index 8d7301f8b..34af43892 100644
--- a/extensions/BMO/Extension.pm
+++ b/extensions/BMO/Extension.pm
@@ -2258,9 +2258,11 @@ sub forced_format {
sub query_database {
my ($vars) = @_;
+ my $cgi = Bugzilla->cgi;
+ my $user = Bugzilla->user;
+ my $template = Bugzilla->template;
# validate group membership
- my $user = Bugzilla->user;
$user->in_group('query_database')
|| ThrowUserError('auth_failure', { group => 'query_database',
action => 'access',
@@ -2272,6 +2274,12 @@ sub query_database {
$vars->{query} = $query;
if ($query) {
+ # Only allow POST requests
+ if ($cgi->request_method ne 'POST') {
+ ThrowCodeError('illegal_request_method',
+ { method => $cgi->request_method, accepted => ['POST'] });
+ }
+
check_hash_token($input->{token}, ['query_database']);
trick_taint($query);
$vars->{executed} = 1;
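Review bot: The comment `# Only allow POST requests` on the new guard says what the check does but not why this page needs it, and the reason is security-relevant. With GET, the SQL text and `$input->{token}` would presumably travel in the URL and end up in access logs, browser history and Referer headers. A comment such as `# POST only: keep the SQL and token out of URLs/logs; the token check below still guards against CSRF` would record that. `$cgi->request_method` is also read twice and could be held in a local so the test and the error payload cannot diverge. query_database begins and ends outside this hunk.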
@@ -2308,6 +2316,14 @@ sub query_database {
# return results
$vars->{columns} = $columns;
$vars->{rows} = $rows;
+
+ if ($input->{csv}) {
+ print $cgi->header(-type=> 'text/csv',
+ -content_disposition=> "attachment; filename=\"query_database.csv\"");
+ $template->process("pages/query_database.csv.tmpl", $vars)
+ || ThrowTemplateError($template->error());
+ exit;
+ }
}
}
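Review bot: The new CSV branch passes `$vars->{rows}` to `pages/query_database.csv.tmpl`, which is not part of this diff, so nothing visible here shows that cells are quoted or that values starting with `=`, `+`, `-` or `@` are neutralised. The rows come from an arbitrary query over the database, so they can presumably hold text entered by ordinary users. A spreadsheet program would evaluate such a cell as a formula when a privileged user opens the download. The template should run every column name and cell through Bugzilla's `csv` filter, and the review should confirm that the filter handles leading formula characters, not just quotes and separators. A comment above the `process` call, for example `# cells are escaped in the template (FILTER csv)`, would make that dependency visible. query_database starts outside this hunk.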