From 93815fc7619567cc962e053280c5ed0b19492feb Mon Sep 17 00:00:00 2001 From: "lpsolit%gmail.com" <> Date: Sun, 15 Oct 2006 05:02:09 +0000 Subject: Bug 281181: [SECURITY] It's way too easy to delete versions/components/milestones etc... - Patch by Frédéric Buclin r=mkanat a=myk MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- editusers.cgi | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) (limited to 'editusers.cgi') diff --git a/editusers.cgi b/editusers.cgi index f30c66746..19e7ea587 100755 --- a/editusers.cgi +++ b/editusers.cgi @@ -33,6 +33,7 @@ use Bugzilla::BugMail; use Bugzilla::Flag; use Bugzilla::Field; use Bugzilla::Group; +use Bugzilla::Token; my $user = Bugzilla->login(LOGIN_REQUIRED); @@ -57,6 +58,7 @@ print $cgi->header(); my $action = $cgi->param('action') || 'search'; my $otherUserID = $cgi->param('userid'); my $otherUserLogin = $cgi->param('user'); +my $token = $cgi->param('token'); # Prefill template vars with data used in all or nearly all templates $vars->{'editusers'} = $editusers; @@ -183,6 +185,8 @@ if ($action eq 'search') { action => "add", object => "users"}); + $vars->{'token'} = issue_session_token('add_user'); + $template->process('admin/users/create.html.tmpl', $vars) || ThrowTemplateError($template->error()); @@ -192,6 +196,8 @@ if ($action eq 'search') { action => "add", object => "users"}); + check_token_data($token, 'add_user'); + my $new_user = Bugzilla::User->create({ login_name => scalar $cgi->param('login'), cryptpassword => scalar $cgi->param('password'), @@ -201,6 +207,10 @@ if ($action eq 'search') { userDataToVars($new_user->id); + delete_token($token); + + # We already display the updated page. We have to recreate a token now. + $vars->{'token'} = issue_session_token('edit_user'); $vars->{'message'} = 'account_created'; $template->process('admin/users/edit.html.tmpl', $vars) || ThrowTemplateError($template->error()); @@ -212,6 +222,7 @@ if ($action eq 'search') { ########################################################################### } elsif ($action eq 'update') { + check_token_data($token, 'edit_user'); my $otherUser = check_user($otherUserID, $otherUserLogin); $otherUserID = $otherUser->id; @@ -388,6 +399,7 @@ if ($action eq 'search') { # XXX: userDataToVars may be off when editing ourselves. userDataToVars($otherUserID); + delete_token($token); $vars->{'message'} = 'account_updated'; $vars->{'loginold'} = $otherUser->login; @@ -396,6 +408,9 @@ if ($action eq 'search') { $vars->{'groups_removed_from'} = \@groupsRemovedFrom; $vars->{'groups_granted_rights_to_bless'} = \@groupsGrantedRightsToBless; $vars->{'groups_denied_rights_to_bless'} = \@groupsDeniedRightsToBless; + # We already display the updated page. We have to recreate a token now. + $vars->{'token'} = issue_session_token('edit_user'); + $template->process('admin/users/edit.html.tmpl', $vars) || ThrowTemplateError($template->error()); @@ -479,12 +494,14 @@ if ($action eq 'search') { AND mailto_type = ? }, undef, ($otherUserID, MAILTO_USER)); + $vars->{'token'} = issue_session_token('delete_user'); $template->process('admin/users/confirm-delete.html.tmpl', $vars) || ThrowTemplateError($template->error()); ########################################################################### } elsif ($action eq 'delete') { + check_token_data($token, 'delete_user'); my $otherUser = check_user($otherUserID, $otherUserLogin); $otherUserID = $otherUser->id; @@ -707,6 +724,7 @@ if ($action eq 'search') { $dbh->do('DELETE FROM profiles WHERE userid = ?', undef, $otherUserID); $dbh->bz_unlock_tables(); + delete_token($token); $vars->{'message'} = 'account_deleted'; $vars->{'otheruser'}{'login'} = $otherUser->login; @@ -857,6 +875,7 @@ sub edit_processing { object => "user"}); userDataToVars($otherUser->id); + $vars->{'token'} = issue_session_token('edit_user'); $template->process('admin/users/edit.html.tmpl', $vars) || ThrowTemplateError($template->error()); -- cgit v1.2.3-24-g4f1b