From 6b9b50db744c603dbfa0c7ae5aac8dca4e58b0cd Mon Sep 17 00:00:00 2001 From: Reed Loden Date: Tue, 29 May 2012 08:23:18 -0700 Subject: Bug 754672 - CSRF vulnerability in buglist.cgi allows possible unauthorized setting of default search options [r=LpSolit a=LpSolit] --- buglist.cgi | 2 ++ template/en/default/search/knob.html.tmpl | 23 ++++++++++++++--------- 2 files changed, 16 insertions(+), 9 deletions(-) diff --git a/buglist.cgi b/buglist.cgi index d4ddfbd63..fcd268959 100755 --- a/buglist.cgi +++ b/buglist.cgi @@ -461,6 +461,8 @@ if ($cmdtype eq "dorem") { elsif (($cmdtype eq "doit") && defined $cgi->param('remtype')) { if ($cgi->param('remtype') eq "asdefault") { $user = Bugzilla->login(LOGIN_REQUIRED); + my $token = $cgi->param('token'); + check_hash_token($token, ['searchknob']); InsertNamedQuery(DEFAULT_QUERY_NAME, $buffer); $vars->{'message'} = "buglist_new_default_query"; } diff --git a/template/en/default/search/knob.html.tmpl b/template/en/default/search/knob.html.tmpl index a50f6bd32..e20822bf5 100644 --- a/template/en/default/search/knob.html.tmpl +++ b/template/en/default/search/knob.html.tmpl @@ -40,6 +40,9 @@ "Last Changed" => "Last Changed" } %] +[% IF user.id %] + +[% END %]

: @@ -56,7 +59,7 @@ [% IF known_name %] - [%# We store known_name in case the user add a boolean chart. %] + [%# We store known_name in case the user adds a boolean chart. %] [%# The name of the existing query will be passed to buglist.cgi. %] @@ -68,14 +71,16 @@ [% END %]

-

-     - - -

+[% IF user.id %] +

+     + + +

+[% END %] [% IF userdefaultquery %]

-- cgit v1.2.3-24-g4f1b