From 93815fc7619567cc962e053280c5ed0b19492feb Mon Sep 17 00:00:00 2001 From: "lpsolit%gmail.com" <> Date: Sun, 15 Oct 2006 05:02:09 +0000 Subject: Bug 281181: [SECURITY] It's way too easy to delete versions/components/milestones etc... - Patch by Frédéric Buclin r=mkanat a=myk MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- editkeywords.cgi | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) (limited to 'editkeywords.cgi') diff --git a/editkeywords.cgi b/editkeywords.cgi index bf130768e..3aca22e43 100755 --- a/editkeywords.cgi +++ b/editkeywords.cgi @@ -28,6 +28,7 @@ use Bugzilla::Constants; use Bugzilla::Util; use Bugzilla::Error; use Bugzilla::Keyword; +use Bugzilla::Token; my $cgi = Bugzilla->cgi; my $dbh = Bugzilla->dbh; @@ -49,6 +50,8 @@ $user->in_group('editkeywords') my $action = trim($cgi->param('action') || ''); my $key_id = $cgi->param('id'); +my $token = $cgi->param('token'); + $vars->{'action'} = $action; @@ -64,6 +67,8 @@ if ($action eq "") { if ($action eq 'add') { + $vars->{'token'} = issue_session_token('add_keyword'); + print $cgi->header(); $template->process("admin/keywords/create.html.tmpl", $vars) @@ -76,12 +81,15 @@ if ($action eq 'add') { # action='new' -> add keyword entered in the 'action=add' screen # if ($action eq 'new') { + check_token_data($token, 'add_keyword'); my $name = $cgi->param('name') || ''; my $desc = $cgi->param('description') || ''; my $keyword = Bugzilla::Keyword->create( { name => $name, description => $desc }); + delete_token($token); + print $cgi->header(); $vars->{'name'} = $keyword->name; @@ -104,6 +112,7 @@ if ($action eq 'edit') { || ThrowCodeError('invalid_keyword_id', { id => $key_id }); $vars->{'keyword'} = $keyword; + $vars->{'token'} = issue_session_token('edit_keyword'); print $cgi->header(); $template->process("admin/keywords/edit.html.tmpl", $vars) @@ -117,6 +126,7 @@ if ($action eq 'edit') { # if ($action eq 'update') { + check_token_data($token, 'edit_keyword'); my $keyword = new Bugzilla::Keyword($key_id) || ThrowCodeError('invalid_keyword_id', { id => $key_id }); @@ -124,6 +134,8 @@ if ($action eq 'update') { $keyword->set_description($cgi->param('description')); $keyword->update(); + delete_token($token); + print $cgi->header(); $vars->{'keyword'} = $keyword; @@ -140,16 +152,25 @@ if ($action eq 'delete') { $vars->{'keyword'} = $keyword; + # We need this token even if there is no bug using this keyword. + $token = issue_session_token('delete_keyword'); + if (!$cgi->param('reallydelete') && $keyword->bug_count) { + $vars->{'token'} = $token; + print $cgi->header(); $template->process("admin/keywords/confirm-delete.html.tmpl", $vars) || ThrowTemplateError($template->error()); exit; } + # We cannot do this check earlier as we have to check 'reallydelete' first. + check_token_data($token, 'delete_keyword'); $dbh->do('DELETE FROM keywords WHERE keywordid = ?', undef, $keyword->id); $dbh->do('DELETE FROM keyworddefs WHERE id = ?', undef, $keyword->id); + delete_token($token); + print $cgi->header(); $template->process("admin/keywords/rebuild-cache.html.tmpl", $vars) -- cgit v1.2.3-24-g4f1b