From d5d928102e575599296421f3334e9f8c82ae5292 Mon Sep 17 00:00:00 2001 From: "lpsolit%gmail.com" <> Date: Mon, 2 Feb 2009 19:21:09 +0000 Subject: Bug 472362: [SECURITY] Malicious attachments can change your user settings (user + email prefs, shared searches) - Patch by Frédéric Buclin r=wicked a=LpSolit MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- template/en/default/account/prefs/prefs.html.tmpl | 1 + userprefs.cgi | 8 ++++++++ 2 files changed, 9 insertions(+) diff --git a/template/en/default/account/prefs/prefs.html.tmpl b/template/en/default/account/prefs/prefs.html.tmpl index ed9cbce72..71e411d86 100644 --- a/template/en/default/account/prefs/prefs.html.tmpl +++ b/template/en/default/account/prefs/prefs.html.tmpl @@ -85,6 +85,7 @@ [% IF current_tab.saveable %]
+ [% END %] [% PROCESS "account/prefs/${current_tab.name}.html.tmpl" diff --git a/userprefs.cgi b/userprefs.cgi index 085372bac..cffae38cc 100755 --- a/userprefs.cgi +++ b/userprefs.cgi @@ -517,6 +517,9 @@ trick_taint($current_tab_name); $vars->{'current_tab_name'} = $current_tab_name; +my $token = $cgi->param('token'); +check_token_data($token, 'edit_user_prefs') if $cgi->param('dosave'); + # Do any saving, and then display the current tab. SWITCH: for ($current_tab_name) { /^account$/ && do { @@ -547,6 +550,11 @@ SWITCH: for ($current_tab_name) { { current_tab_name => $current_tab_name }); } +delete_token($token) if $cgi->param('dosave'); +if ($current_tab_name ne 'permissions') { + $vars->{'token'} = issue_session_token('edit_user_prefs'); +} + # Generate and return the UI (HTML page) from the appropriate template. print $cgi->header(); $template->process("account/prefs/prefs.html.tmpl", $vars) -- cgit v1.2.3-24-g4f1b