From 93815fc7619567cc962e053280c5ed0b19492feb Mon Sep 17 00:00:00 2001
From: "lpsolit%gmail.com" <>
Date: Sun, 15 Oct 2006 05:02:09 +0000
Subject: Bug 281181: [SECURITY] It's way too easy to delete
 versions/components/milestones etc... - Patch by Frédéric Buclin
 <LpSolit@gmail.com> r=mkanat a=myk
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 editkeywords.cgi | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

(limited to 'editkeywords.cgi')

diff --git a/editkeywords.cgi b/editkeywords.cgi
index bf130768e..3aca22e43 100755
--- a/editkeywords.cgi
+++ b/editkeywords.cgi
@@ -28,6 +28,7 @@ use Bugzilla::Constants;
 use Bugzilla::Util;
 use Bugzilla::Error;
 use Bugzilla::Keyword;
+use Bugzilla::Token;
 
 my $cgi = Bugzilla->cgi;
 my $dbh = Bugzilla->dbh;
@@ -49,6 +50,8 @@ $user->in_group('editkeywords')
 
 my $action = trim($cgi->param('action')  || '');
 my $key_id = $cgi->param('id');
+my $token  = $cgi->param('token');
+
 $vars->{'action'} = $action;
 
 
@@ -64,6 +67,8 @@ if ($action eq "") {
     
 
 if ($action eq 'add') {
+    $vars->{'token'} = issue_session_token('add_keyword');
+
     print $cgi->header();
 
     $template->process("admin/keywords/create.html.tmpl", $vars)
@@ -76,12 +81,15 @@ if ($action eq 'add') {
 # action='new' -> add keyword entered in the 'action=add' screen
 #
 if ($action eq 'new') {
+    check_token_data($token, 'add_keyword');
     my $name = $cgi->param('name') || '';
     my $desc = $cgi->param('description')  || '';
 
     my $keyword = Bugzilla::Keyword->create(
         { name => $name, description => $desc });
 
+    delete_token($token);
+
     print $cgi->header();
 
     $vars->{'name'} = $keyword->name;
@@ -104,6 +112,7 @@ if ($action eq 'edit') {
         || ThrowCodeError('invalid_keyword_id', { id => $key_id });
 
     $vars->{'keyword'} = $keyword;
+    $vars->{'token'} = issue_session_token('edit_keyword');
 
     print $cgi->header();
     $template->process("admin/keywords/edit.html.tmpl", $vars)
@@ -117,6 +126,7 @@ if ($action eq 'edit') {
 #
 
 if ($action eq 'update') {
+    check_token_data($token, 'edit_keyword');
     my $keyword = new Bugzilla::Keyword($key_id)
         || ThrowCodeError('invalid_keyword_id', { id => $key_id });
 
@@ -124,6 +134,8 @@ if ($action eq 'update') {
     $keyword->set_description($cgi->param('description'));
     $keyword->update();
 
+    delete_token($token);
+
     print $cgi->header();
 
     $vars->{'keyword'} = $keyword;
@@ -140,16 +152,25 @@ if ($action eq 'delete') {
 
     $vars->{'keyword'} = $keyword;
 
+    # We need this token even if there is no bug using this keyword.
+    $token = issue_session_token('delete_keyword');
+
     if (!$cgi->param('reallydelete') && $keyword->bug_count) {
+        $vars->{'token'} = $token;
+
         print $cgi->header();
         $template->process("admin/keywords/confirm-delete.html.tmpl", $vars)
             || ThrowTemplateError($template->error());
         exit;
     }
+    # We cannot do this check earlier as we have to check 'reallydelete' first.
+    check_token_data($token, 'delete_keyword');
 
     $dbh->do('DELETE FROM keywords WHERE keywordid = ?', undef, $keyword->id);
     $dbh->do('DELETE FROM keyworddefs WHERE id = ?', undef, $keyword->id);
 
+    delete_token($token);
+
     print $cgi->header();
 
     $template->process("admin/keywords/rebuild-cache.html.tmpl", $vars)
-- 
cgit v1.2.3-24-g4f1b