From a6aa75fc6f96527f01e8b4f0da414d9fa8ad8ce1 Mon Sep 17 00:00:00 2001
From: Reed Loden
Date: Tue, 13 Dec 2011 14:30:07 -0800
Subject: Bug 705474 - CSRF vulnerability in createaccount.cgi allows possible unauthorized account creation e-mail request [r=mkanat a=mkanat]
---
 createaccount.cgi | 5 +++++
 1 file changed, 5 insertions(+)
(limited to 'createaccount.cgi')
diff --git a/createaccount.cgi b/createaccount.cgi
index db0727add..2348d4e91 100755
--- a/createaccount.cgi
+++ b/createaccount.cgi
@@ -62,6 +62,11 @@ unless ($createexp) {
 my $login = $cgi->param('login');
 if (defined($login)) {
+ # Check the hash token to make sure this user actually submitted
+ # the create account form.
+ my $token = $cgi->param('token');
+ check_hash_token($token, ['create_account']);
+
 $login = Bugzilla::User->check_login_name_for_creation($login);
 $vars->{'login'} = $login;
--
cgit v1.2.3-24-g4f1b
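Review bot: The new `check_hash_token($token, ['create_account'])` call only protects the request if the account-creation form actually emits a matching hidden `token` field, and the diffstat shows this commit touches createaccount.cgi alone; if the template does not already issue that token, every legitimate submission is now rejected, so the template side should be confirmed (or added) in the same change. The hunk also does not show where `check_hash_token` comes from, so confirm the file already imports it (in Bugzilla this is exported by `Bugzilla::Token`) rather than relying on it being in scope by accident. Consider tightening the added comment to say what is being defended against, e.g. `# Require the create-account form token so a cross-site request cannot trigger the confirmation e-mail (CSRF, bug 705474).`. The enclosing `if (defined($login))` block and the surrounding `unless ($createexp)` branch continue outside the hunk.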