From 3c360d80785b076c143ad350acb8e02b3833a0b4 Mon Sep 17 00:00:00 2001
From: Dylan Hardison
Date: Wed, 9 Mar 2016 22:20:00 -0500
Subject: Bug 1252578 - CSRF and SELECT-only SQL execution attack against query_database.html
---
 extensions/BMO/Extension.pm | 1 +
 extensions/BMO/template/en/default/pages/query_database.html.tmpl | 1 +
 2 files changed, 2 insertions(+)
(limited to 'extensions/BMO')
diff --git a/extensions/BMO/Extension.pm b/extensions/BMO/Extension.pm
index a72f3d1be..75b8df456 100644
--- a/extensions/BMO/Extension.pm
+++ b/extensions/BMO/Extension.pm
@@ -2133,6 +2133,7 @@ sub query_database {
 $vars->{query} = $query;
 if ($query) {
+ check_hash_token($input->{token}, ['query_database']);
 trick_taint($query);
 $vars->{executed} = 1;
diff --git a/extensions/BMO/template/en/default/pages/query_database.html.tmpl b/extensions/BMO/template/en/default/pages/query_database.html.tmpl
index 97f5c0a25..79c5be1d8 100644
--- a/extensions/BMO/template/en/default/pages/query_database.html.tmpl
+++ b/extensions/BMO/template/en/default/pages/query_database.html.tmpl
@@ -15,6 +15,7 @@
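Review bot: The CSRF protection in the Extension.pm hunk rests entirely on `check_hash_token($input->{token}, ['query_database'])` aborting the request when the token is absent, expired or mismatched; its return value is not inspected, so the fix only holds if that helper throws rather than returning false (Bugzilla's token helpers conventionally do, but that is not visible here and is worth confirming for the missing-`token` case). The commit subject also speaks of a "SELECT-only" SQL execution attack, yet nothing in this hunk constrains what `$query` may contain before `trick_taint($query)` clears it for execution, so any read-only guarantee must come from the handle that runs it elsewhere in the sub. A comment at the new line would make that division of responsibility explicit for the next maintainer: `# CSRF guard: check_hash_token() is expected to throw on a bad/missing token; the query itself is still arbitrary SQL and is only constrained by the handle it is executed on`. The body of query_database begins and continues outside this hunk.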
+ [% IF executed %] -- cgit v1.2.3-24-g4f1b