From 125734746e1d48514b2e9affb8dd793d600b7c17 Mon Sep 17 00:00:00 2001
From: David Lawrence
Date: Tue, 4 Oct 2016 13:16:48 +0000
Subject: Bug 1306589 - BMO: CSRF vulnerability allows deleting admin queue entries

---
 extensions/Push/lib/Admin.pm | 2 ++
 1 file changed, 2 insertions(+)

(limited to 'extensions/Push/lib/Admin.pm')

diff --git a/extensions/Push/lib/Admin.pm b/extensions/Push/lib/Admin.pm
index fa65e0d69..9df2bddcb 100644
--- a/extensions/Push/lib/Admin.pm
+++ b/extensions/Push/lib/Admin.pm
@@ -103,6 +103,8 @@ sub admin_queues {
         || ThrowUserError('push_error', { error_message => 'Invalid message ID' });
 
     if ($input->{delete}) {
+        my $token = $input->{token};
+        check_hash_token($token, ['deleteMessage']);
         $message->remove_from_db();
         $vars->{message} = 'push_message_deleted';
--
cgit v1.2.3-24-g4f1b
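Review bot: The new `check_hash_token($token, ['deleteMessage'])` binds the token to the action name only, not to the entry being removed, so a token issued for one queue message is accepted for deleting any other message for as long as it is valid. Binding it to the target, e.g. `check_hash_token($input->{token}, ['deleteMessage', $message->id]);` (with the same data passed to `issue_hash_token` in the template that renders the delete link, which is not part of this diff), narrows each token to a single entry; this assumes `$message` exposes the usual Bugzilla::Object `id` accessor, which the `remove_from_db()` call on the next line suggests. The single-use `$token` local can be dropped by passing `$input->{token}` directly. `admin_queues` starts and ends outside the hunk, so whether any other state-changing branch in it needs the same check cannot be judged from here.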