From d382992164347e076c51d3116a32aeabb2beecd5 Mon Sep 17 00:00:00 2001
From: "lpsolit%gmail.com" <>
Date: Mon, 2 Feb 2009 18:59:17 +0000
Subject: Bug 466692: [SECURITY] keywords and unused flag types can be deleted
 by bypassing the token check - Patch by Frédéric Buclin <LpSolit@gmail.com>
 r=mkanat a=LpSolit
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 editflagtypes.cgi | 14 +++-----------
 1 file changed, 3 insertions(+), 11 deletions(-)

(limited to 'editflagtypes.cgi')

diff --git a/editflagtypes.cgi b/editflagtypes.cgi
index d77c6b8a3..4dbaae573 100755
--- a/editflagtypes.cgi
+++ b/editflagtypes.cgi
@@ -80,7 +80,7 @@ elsif ($action eq 'edit')           { edit($action);    }
 elsif ($action eq 'insert')         { insert($token);   }
 elsif ($action eq 'update')         { update($token);   }
 elsif ($action eq 'confirmdelete')  { confirmDelete();  } 
-elsif ($action eq 'delete')         { deleteType(undef, $token); }
+elsif ($action eq 'delete')         { deleteType($token); }
 elsif ($action eq 'deactivate')     { deactivate($token); }
 else { 
     ThrowCodeError("action_unrecognized", { action => $action });
@@ -460,9 +460,8 @@ sub update {
 
 
 sub confirmDelete {
-  my $flag_type = validateID();
+    my $flag_type = validateID();
 
-  if ($flag_type->flag_count) {
     $vars->{'flag_type'} = $flag_type;
     $vars->{'token'} = issue_session_token('delete_flagtype');
     # Return the appropriate HTTP response headers.
@@ -471,20 +470,13 @@ sub confirmDelete {
     # Generate and return the UI (HTML page) from the appropriate template.
     $template->process("admin/flag-type/confirm-delete.html.tmpl", $vars)
       || ThrowTemplateError($template->error());
-  } 
-  else {
-    # We should *always* ask if the admin really wants to delete
-    # a flagtype, even if there is no flag belonging to this type.
-    my $token = issue_session_token('delete_flagtype');
-    deleteType($flag_type, $token);
-  }
 }
 
 
 sub deleteType {
-    my $flag_type = shift || validateID();
     my $token = shift;
     check_token_data($token, 'delete_flagtype');
+    my $flag_type = validateID();
     my $id = $flag_type->id;
     my $dbh = Bugzilla->dbh;
 
-- 
cgit v1.2.3-24-g4f1b