From 3c360d80785b076c143ad350acb8e02b3833a0b4 Mon Sep 17 00:00:00 2001
From: Dylan Hardison <dylan@mozilla.com>
Date: Wed, 9 Mar 2016 22:20:00 -0500
Subject: Bug 1252578 - CSRF and SELECT-only SQL execution attack against
 query_database.html

---
 extensions/BMO/template/en/default/pages/query_database.html.tmpl | 1 +
 1 file changed, 1 insertion(+)

(limited to 'extensions/BMO/template/en/default/pages')

diff --git a/extensions/BMO/template/en/default/pages/query_database.html.tmpl b/extensions/BMO/template/en/default/pages/query_database.html.tmpl
index 97f5c0a25..79c5be1d8 100644
--- a/extensions/BMO/template/en/default/pages/query_database.html.tmpl
+++ b/extensions/BMO/template/en/default/pages/query_database.html.tmpl
@@ -15,6 +15,7 @@
 <input type="hidden" name="id" value="query_database.html">
 <textarea cols="80" rows="10" name="query">[% query FILTER html %]</textarea><br>
 <input type="submit" value="Execute">
+<input type="hidden" name="token" value="[% issue_hash_token(['query_database']) FILTER html %]">
 </form>
 
 [% IF executed %]
-- 
cgit v1.2.3-24-g4f1b