From aa94254a92a7d1c4f09275b5937c3eae7300dad6 Mon Sep 17 00:00:00 2001
From: David Lawrence
Date: Thu, 6 Jan 2011 23:02:28 -0500
Subject: Bug 621090 - [SECURITY] Adding saved searches lacks CSRF protection r/a=mkanat
---
 buglist.cgi | 2 ++
 template/en/default/global/per-bug-queries.html.tmpl | 1 +
 template/en/default/list/list.html.tmpl | 1 +
 3 files changed, 4 insertions(+)
diff --git a/buglist.cgi b/buglist.cgi
index bd285ebc0..ebce66532 100755
--- a/buglist.cgi
+++ b/buglist.cgi
@@ -504,6 +504,8 @@ elsif (($cmdtype eq "doit") && defined $cgi->param('remtype')) {
     my $query_name = $cgi->param('newqueryname');
     my $new_query = $cgi->param('newquery');
     my $query_type = QUERY_LIST;
+    my $token = $cgi->param('token');
+    check_hash_token($token, ['savedsearch']);
     # If list_of_bugs is true, we are adding/removing individual bugs
     # to a saved search. We get the existing list of bug IDs (if any)
     # and add/remove the passed ones.
diff --git a/template/en/default/global/per-bug-queries.html.tmpl b/template/en/default/global/per-bug-queries.html.tmpl
index 3c62e35f5..a7c073ba1 100644
--- a/template/en/default/global/per-bug-queries.html.tmpl
+++ b/template/en/default/global/per-bug-queries.html.tmpl
@@ -63,6 +63,7 @@ + +
-- 
cgit v1.2.3-24-g4f1b
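Review bot: The new `my $token = $cgi->param('token'); check_hash_token($token, ['savedsearch']);` pair carries no explanation of why it sits at the very top of the `doit`/`remtype` branch or why `param('token')` is first assigned to a scalar, which leaves a later refactor free to inline the call into list context or move it below one of the actions; a comment such as `# Validate the CSRF token before any remtype action touches the user's saved searches; assigning to a scalar first keeps param() out of list context.` would pin both decisions. The enclosing `elsif` block begins before the hunk and its body continues past it, so whether every path in buglist.cgi that mutates saved searches passes through this check cannot be confirmed from this hunk alone. The per-bug-queries.html.tmpl hunk on this page has its two added lines stripped to bare `+` markers, and the list.html.tmpl hunk named in the diffstat is absent, so the forms that must now carry a `savedsearch` token could not be reviewed here.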