From 93815fc7619567cc962e053280c5ed0b19492feb Mon Sep 17 00:00:00 2001
From: "lpsolit%gmail.com" <>
Date: Sun, 15 Oct 2006 05:02:09 +0000
Subject: Bug 281181: [SECURITY] It's way too easy to delete
 versions/components/milestones etc... - Patch by Frédéric Buclin
 <LpSolit@gmail.com> r=mkanat a=myk
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 editproducts.cgi | 26 +++++++++++++++++++-------
 1 file changed, 19 insertions(+), 7 deletions(-)

(limited to 'editproducts.cgi')

diff --git a/editproducts.cgi b/editproducts.cgi
index 4c4394926..6fc5da258 100755
--- a/editproducts.cgi
+++ b/editproducts.cgi
@@ -47,6 +47,7 @@ use Bugzilla::Milestone;
 use Bugzilla::Group;
 use Bugzilla::User;
 use Bugzilla::Field;
+use Bugzilla::Token;
 
 #
 # Preliminary checks:
@@ -74,6 +75,7 @@ my $classification_name = trim($cgi->param('classification') || '');
 my $product_name = trim($cgi->param('product') || '');
 my $action  = trim($cgi->param('action')  || '');
 my $showbugcounts = (defined $cgi->param('showbugcounts'));
+my $token = $cgi->param('token');
 
 #
 # product = '' -> Show nice list of classifications (if
@@ -128,12 +130,13 @@ if (!$action && !$product_name) {
 #
 
 if ($action eq 'add') {
-
     if (Bugzilla->params->{'useclassification'}) {
         my $classification = 
             Bugzilla::Classification::check_classification($classification_name);
         $vars->{'classification'} = $classification;
     }
+    $vars->{'token'} = issue_session_token('add_product');
+
     $template->process("admin/products/create.html.tmpl", $vars)
       || ThrowTemplateError($template->error());
 
@@ -146,7 +149,7 @@ if ($action eq 'add') {
 #
 
 if ($action eq 'new') {
-
+    check_token_data($token, 'add_product');
     # Cleanups and validity checks
 
     my $classification_id = 1;
@@ -306,6 +309,8 @@ if ($action eq 'new') {
             $series->writeToDatabase();
         }
     }
+    delete_token($token);
+
     $vars->{'product'} = $product;
 
     $template->process("admin/products/created.html.tmpl", $vars)
@@ -339,6 +344,7 @@ if ($action eq 'del') {
     }
 
     $vars->{'product'} = $product;
+    $vars->{'token'} = issue_session_token('delete_product');
 
     $template->process("admin/products/confirm-delete.html.tmpl", $vars)
         || ThrowTemplateError($template->error());
@@ -350,6 +356,7 @@ if ($action eq 'del') {
 #
 
 if ($action eq 'delete') {
+    check_token_data($token, 'delete_product');
     # First make sure the product name is valid.
     my $product = Bugzilla::Product::check_product($product_name);
 
@@ -413,6 +420,8 @@ if ($action eq 'delete') {
 
     $dbh->bz_unlock_tables();
 
+    delete_token($token);
+
     $template->process("admin/products/deleted.html.tmpl", $vars)
         || ThrowTemplateError($template->error());
     exit;
@@ -467,9 +476,9 @@ if ($action eq 'edit' || (!$action && $product_name)) {
         }
     }
     $vars->{'group_controls'} = $group_controls;
-
     $vars->{'product'} = $product;
-        
+    $vars->{'token'} = issue_session_token('edit_product');
+
     $template->process("admin/products/edit.html.tmpl", $vars)
         || ThrowTemplateError($template->error());
 
@@ -481,6 +490,7 @@ if ($action eq 'edit' || (!$action && $product_name)) {
 #
 
 if ($action eq 'updategroupcontrols') {
+    check_token_data($token, 'edit_group_controls');
     # First make sure the product name is valid.
     my $product = Bugzilla::Product::check_product($product_name);
 
@@ -722,10 +732,10 @@ if ($action eq 'updategroupcontrols') {
     }
     $dbh->bz_unlock_tables();
 
-    $vars->{'removed_na'} = \@removed_na;
+    delete_token($token);
 
+    $vars->{'removed_na'} = \@removed_na;
     $vars->{'added_mandatory'} = \@added_mandatory;
-
     $vars->{'product'} = $product;
 
     $template->process("admin/products/groupcontrol/updated.html.tmpl", $vars)
@@ -737,7 +747,7 @@ if ($action eq 'updategroupcontrols') {
 # action='update' -> update the product
 #
 if ($action eq 'update') {
-
+    check_token_data($token, 'edit_product');
     my $product_old_name    = trim($cgi->param('product_old_name')    || '');
     my $description         = trim($cgi->param('description')         || '');
     my $disallownew         = trim($cgi->param('disallownew')         || '');
@@ -980,6 +990,7 @@ if ($action eq 'update') {
         $vars->{'confirmedbugs'} = \@updated_bugs;
         $vars->{'changer'} = $user->login;
     }
+    delete_token($token);
 
     $vars->{'old_product'} = $product_old;
     $vars->{'product'} = $product;
@@ -1022,6 +1033,7 @@ if ($action eq 'editgroupcontrols') {
 
     $vars->{'product'} = $product;
     $vars->{'groups'} = $groups;
+    $vars->{'token'} = issue_session_token('edit_group_controls');
 
     $vars->{'const'} = {
         'CONTROLMAPNA' => CONTROLMAPNA,
-- 
cgit v1.2.3-24-g4f1b