From 038df43c5a3d51bd66772a7df7e6403eebe1b913 Mon Sep 17 00:00:00 2001 From: Reed Loden Date: Tue, 29 May 2012 08:22:31 -0700 Subject: Bug 754672 - CSRF vulnerability in buglist.cgi allows possible unauthorized setting of default search options [r=LpSolit a=LpSolit] --- buglist.cgi | 2 ++ template/en/default/search/knob.html.tmpl | 23 ++++++++++++++--------- 2 files changed, 16 insertions(+), 9 deletions(-) diff --git a/buglist.cgi b/buglist.cgi index f0e778464..f7498483a 100755 --- a/buglist.cgi +++ b/buglist.cgi @@ -434,6 +434,8 @@ if ($cmdtype eq "dorem") { elsif (($cmdtype eq "doit") && defined $cgi->param('remtype')) { if ($cgi->param('remtype') eq "asdefault") { $user = Bugzilla->login(LOGIN_REQUIRED); + my $token = $cgi->param('token'); + check_hash_token($token, ['searchknob']); InsertNamedQuery(DEFAULT_QUERY_NAME, $buffer); $vars->{'message'} = "buglist_new_default_query"; } diff --git a/template/en/default/search/knob.html.tmpl b/template/en/default/search/knob.html.tmpl index 723825a3c..e9e3daaf1 100644 --- a/template/en/default/search/knob.html.tmpl +++ b/template/en/default/search/knob.html.tmpl @@ -23,6 +23,9 @@ "Last Changed" => "Last Changed" } %] +[% IF user.id %] + +[% END %]

: @@ -39,7 +42,7 @@ [% IF known_name %] - [%# We store known_name in case the user add a boolean chart. %] + [%# We store known_name in case the user adds a boolean chart. %] [%# The name of the existing query will be passed to buglist.cgi. %] @@ -51,14 +54,16 @@ [% END %]

-

-     - - -

+[% IF user.id %] +

+     + + +

+[% END %] [% IF userdefaultquery %]

-- cgit v1.2.3-24-g4f1b