From aefdf269ff52f02c16a350329f485c041479507e Mon Sep 17 00:00:00 2001 From: Frédéric Buclin Date: Mon, 6 Aug 2012 23:41:47 +0200 Subject: Bug 706271: CSRF vulnerability in token.cgi allows possible unauthorized password reset e-mail request r=reed a=LpSolit --- template/en/default/account/auth/login-small.html.tmpl | 7 ++++--- template/en/default/account/auth/login.html.tmpl | 1 + token.cgi | 5 +++++ 3 files changed, 10 insertions(+), 3 deletions(-) diff --git a/template/en/default/account/auth/login-small.html.tmpl b/template/en/default/account/auth/login-small.html.tmpl index c922e94ac..19269ea49 100644 --- a/template/en/default/account/auth/login-small.html.tmpl +++ b/template/en/default/account/auth/login-small.html.tmpl @@ -20,8 +20,8 @@ [% IF cgi.request_method == "GET" AND cgi.query_string %] [% connector = "&" %] [% END %] - [% script_name = login_target _ connector _ "GoAheadAndLogIn=1" %] - Log In [% Hook.process('additional_methods') %] @@ -98,7 +98,7 @@
  • | - Forgot Password
    @@ -107,6 +107,7 @@ + [x]
    • diff --git a/template/en/default/account/auth/login.html.tmpl b/template/en/default/account/auth/login.html.tmpl index d0a0ef871..0a8a3d3b8 100644 --- a/template/en/default/account/auth/login.html.tmpl +++ b/template/en/default/account/auth/login.html.tmpl @@ -108,6 +108,7 @@ enter your login name below and submit a request to change your password.
    + [% END %] diff --git a/token.cgi b/token.cgi index d5ebad78d..62f1f5121 100755 --- a/token.cgi +++ b/token.cgi @@ -114,6 +114,11 @@ sub requestChangePassword { Bugzilla->user->authorizer->can_change_password || ThrowUserError("password_change_requests_not_allowed"); + # Check the hash token to make sure this user actually submitted + # the forgotten password form. + my $token = $cgi->param('token'); + check_hash_token($token, ['reqpw']); + my $login_name = $cgi->param('loginname') or ThrowUserError("login_needed_for_password_change"); -- cgit v1.2.3-24-g4f1b