From 721dfc64e95140c48726738770cd22b71ac36702 Mon Sep 17 00:00:00 2001
From: Frédéric Buclin <LpSolit@gmail.com>
Date: Sat, 22 Jan 2011 18:15:42 +0100
Subject: Bug 621109: Column changing lacks CSRF protection r=dkl a=mkanat

---
 colchange.cgi | 19 ++++++++++++++-----
 1 file changed, 14 insertions(+), 5 deletions(-)

(limited to 'colchange.cgi')

diff --git a/colchange.cgi b/colchange.cgi
index 0bd3af481..844f7615c 100755
--- a/colchange.cgi
+++ b/colchange.cgi
@@ -33,6 +33,7 @@ use Bugzilla::CGI;
 use Bugzilla::Search::Saved;
 use Bugzilla::Error;
 use Bugzilla::User;
+use Bugzilla::Token;
 
 use Storable qw(dclone);
 
@@ -86,6 +87,19 @@ $vars->{'columns'} = $columns;
 
 my @collist;
 if (defined $cgi->param('rememberedquery')) {
+    my $search;
+    if (defined $cgi->param('saved_search')) {
+        $search = new Bugzilla::Search::Saved($cgi->param('saved_search'));
+    }
+
+    my $token = $cgi->param('token');
+    if ($search) {
+        check_hash_token($token, [$search->id, $search->name]);
+    }
+    else {
+        check_hash_token($token, ['default-list']);
+    }
+
     my $splitheader = 0;
     if (defined $cgi->param('resetit')) {
         @collist = DEFAULT_COLUMN_LIST;
@@ -123,11 +137,6 @@ if (defined $cgi->param('rememberedquery')) {
 
     $vars->{'message'} = "change_columns";
 
-    my $search;
-    if (defined $cgi->param('saved_search')) {
-        $search = new Bugzilla::Search::Saved($cgi->param('saved_search'));
-    }
-
     if ($cgi->param('save_columns_for_search')
         && defined $search && $search->user->id == Bugzilla->user->id) 
     {
-- 
cgit v1.2.3-24-g4f1b