From 93815fc7619567cc962e053280c5ed0b19492feb Mon Sep 17 00:00:00 2001
From: "lpsolit%gmail.com" <>
Date: Sun, 15 Oct 2006 05:02:09 +0000
Subject: Bug 281181: [SECURITY] It's way too easy to delete
 versions/components/milestones etc... - Patch by Frédéric Buclin
 <LpSolit@gmail.com> r=mkanat a=myk
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 editflagtypes.cgi | 38 +++++++++++++++++++++++++++++---------
 1 file changed, 29 insertions(+), 9 deletions(-)

(limited to 'editflagtypes.cgi')

diff --git a/editflagtypes.cgi b/editflagtypes.cgi
index 2c03c4f1f..6e001a525 100755
--- a/editflagtypes.cgi
+++ b/editflagtypes.cgi
@@ -41,6 +41,7 @@ use Bugzilla::Product;
 use Bugzilla::Component;
 use Bugzilla::Bug;
 use Bugzilla::Attachment;
+use Bugzilla::Token;
 
 local our $cgi = Bugzilla->cgi;
 local our $template = Bugzilla->template;
@@ -63,11 +64,12 @@ $user->in_group('editcomponents')
 
 # Determine whether to use the action specified by the user or the default.
 my $action = $cgi->param('action') || 'list';
+my $token  = $cgi->param('token');
 my @categoryActions;
 
 if (@categoryActions = grep(/^categoryAction-.+/, $cgi->param())) {
     $categoryActions[0] =~ s/^categoryAction-//;
-    processCategoryChange($categoryActions[0]);
+    processCategoryChange($categoryActions[0], $token);
     exit;
 }
 
@@ -75,11 +77,11 @@ if    ($action eq 'list')           { list();           }
 elsif ($action eq 'enter')          { edit($action);    }
 elsif ($action eq 'copy')           { edit($action);    }
 elsif ($action eq 'edit')           { edit($action);    }
-elsif ($action eq 'insert')         { insert();         }
-elsif ($action eq 'update')         { update();         }
+elsif ($action eq 'insert')         { insert($token);   }
+elsif ($action eq 'update')         { update($token);   }
 elsif ($action eq 'confirmdelete')  { confirmDelete();  } 
-elsif ($action eq 'delete')         { deleteType();     }
-elsif ($action eq 'deactivate')     { deactivate();     }
+elsif ($action eq 'delete')         { deleteType(undef, $token); }
+elsif ($action eq 'deactivate')     { deactivate($token); }
 else { 
     ThrowCodeError("action_unrecognized", { action => $action });
 }
@@ -167,9 +169,11 @@ sub edit {
     $vars->{'last_action'} = $cgi->param('action');
     if ($cgi->param('action') eq 'enter' || $cgi->param('action') eq 'copy') {
         $vars->{'action'} = "insert";
+        $vars->{'token'} = issue_session_token('add_flagtype');
     }
     else { 
         $vars->{'action'} = "update";
+        $vars->{'token'} = issue_session_token('edit_flagtype');
     }
 
     # If copying or editing an existing flag type, retrieve it.
@@ -197,7 +201,7 @@ sub edit {
 }
 
 sub processCategoryChange {
-    my $categoryAction = shift;
+    my ($categoryAction, $token) = @_;
     validateIsActive();
     validateIsRequestable();
     validateIsRequesteeble();
@@ -252,7 +256,8 @@ sub processCategoryChange {
     $type->{'inclusions'} = \%inclusions;
     $type->{'exclusions'} = \%exclusions;
     $vars->{'type'} = $type;
-    
+    $vars->{'token'} = $token;
+
     # Return the appropriate HTTP response headers.
     print $cgi->header();
 
@@ -287,6 +292,8 @@ sub clusion_array_to_hash {
 }
 
 sub insert {
+    my $token = shift;
+    check_token_data($token, 'add_flagtype');
     my $name = validateName();
     my $description = validateDescription();
     my $cc_list = validateCCList();
@@ -329,6 +336,7 @@ sub insert {
 
     $vars->{'name'} = $cgi->param('name');
     $vars->{'message'} = "flag_type_created";
+    delete_token($token);
 
     # Return the appropriate HTTP response headers.
     print $cgi->header();
@@ -340,6 +348,8 @@ sub insert {
 
 
 sub update {
+    my $token = shift;
+    check_token_data($token, 'edit_flagtype');
     my $flag_type = validateID();
     my $id = $flag_type->id;
     my $name = validateName();
@@ -426,6 +436,7 @@ sub update {
 
     $vars->{'name'} = $cgi->param('name');
     $vars->{'message'} = "flag_type_changes_saved";
+    delete_token($token);
 
     # Return the appropriate HTTP response headers.
     print $cgi->header();
@@ -441,7 +452,7 @@ sub confirmDelete {
 
   if ($flag_type->flag_count) {
     $vars->{'flag_type'} = $flag_type;
-
+    $vars->{'token'} = issue_session_token('delete_flagtype');
     # Return the appropriate HTTP response headers.
     print $cgi->header();
 
@@ -450,13 +461,18 @@ sub confirmDelete {
       || ThrowTemplateError($template->error());
   } 
   else {
-    deleteType($flag_type);
+    # We should *always* ask if the admin really wants to delete
+    # a flagtype, even if there is no flag belonging to this type.
+    my $token = issue_session_token('delete_flagtype');
+    deleteType($flag_type, $token);
   }
 }
 
 
 sub deleteType {
     my $flag_type = shift || validateID();
+    my $token = shift;
+    check_token_data($token, 'delete_flagtype');
     my $id = $flag_type->id;
     my $dbh = Bugzilla->dbh;
 
@@ -474,6 +490,7 @@ sub deleteType {
     $dbh->bz_unlock_tables();
 
     $vars->{'message'} = "flag_type_deleted";
+    delete_token($token);
 
     # Return the appropriate HTTP response headers.
     print $cgi->header();
@@ -485,6 +502,8 @@ sub deleteType {
 
 
 sub deactivate {
+    my $token = shift;
+    check_token_data($token, 'delete_flagtype');
     my $flag_type = validateID();
     validateIsActive();
 
@@ -496,6 +515,7 @@ sub deactivate {
 
     $vars->{'message'} = "flag_type_deactivated";
     $vars->{'flag_type'} = $flag_type;
+    delete_token($token);
 
     # Return the appropriate HTTP response headers.
     print $cgi->header();
-- 
cgit v1.2.3-24-g4f1b