From d382992164347e076c51d3116a32aeabb2beecd5 Mon Sep 17 00:00:00 2001 From: "lpsolit%gmail.com" <> Date: Mon, 2 Feb 2009 18:59:17 +0000 Subject: Bug 466692: [SECURITY] keywords and unused flag types can be deleted by bypassing the token check - Patch by Frédéric Buclin r=mkanat a=LpSolit MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- editkeywords.cgi | 23 ++++++++++------------- 1 file changed, 10 insertions(+), 13 deletions(-) (limited to 'editkeywords.cgi') diff --git a/editkeywords.cgi b/editkeywords.cgi index dbc92971d..76bba4817 100755 --- a/editkeywords.cgi +++ b/editkeywords.cgi @@ -151,26 +151,23 @@ if ($action eq 'update') { exit; } - -if ($action eq 'delete') { +if ($action eq 'del') { my $keyword = new Bugzilla::Keyword($key_id) || ThrowCodeError('invalid_keyword_id', { id => $key_id }); $vars->{'keyword'} = $keyword; + $vars->{'token'} = issue_session_token('delete_keyword'); - # We need this token even if there is no bug using this keyword. - $token = issue_session_token('delete_keyword'); - - if (!$cgi->param('reallydelete') && $keyword->bug_count) { - $vars->{'token'} = $token; + print $cgi->header(); + $template->process("admin/keywords/confirm-delete.html.tmpl", $vars) + || ThrowTemplateError($template->error()); + exit; +} - print $cgi->header(); - $template->process("admin/keywords/confirm-delete.html.tmpl", $vars) - || ThrowTemplateError($template->error()); - exit; - } - # We cannot do this check earlier as we have to check 'reallydelete' first. +if ($action eq 'delete') { check_token_data($token, 'delete_keyword'); + my $keyword = new Bugzilla::Keyword($key_id) + || ThrowCodeError('invalid_keyword_id', { id => $key_id }); $dbh->do('DELETE FROM keywords WHERE keywordid = ?', undef, $keyword->id); $dbh->do('DELETE FROM keyworddefs WHERE id = ?', undef, $keyword->id); -- cgit v1.2.3-24-g4f1b