From 125734746e1d48514b2e9affb8dd793d600b7c17 Mon Sep 17 00:00:00 2001 From: David Lawrence Date: Tue, 4 Oct 2016 13:16:48 +0000 Subject: Bug 1306589 - BMO: CSRF vulnerability allows deleting admin queue entries --- extensions/Push/lib/Admin.pm | 2 ++ .../en/default/pages/push_queues_view.html.tmpl | 30 ++++++++++++++-------- extensions/Push/web/admin.css | 4 +++ extensions/Push/web/admin.js | 7 +++++ 4 files changed, 32 insertions(+), 11 deletions(-) (limited to 'extensions') diff --git a/extensions/Push/lib/Admin.pm b/extensions/Push/lib/Admin.pm index fa65e0d69..9df2bddcb 100644 --- a/extensions/Push/lib/Admin.pm +++ b/extensions/Push/lib/Admin.pm @@ -103,6 +103,8 @@ sub admin_queues { || ThrowUserError('push_error', { error_message => 'Invalid message ID' }); if ($input->{delete}) { + my $token = $input->{token}; + check_hash_token($token, ['deleteMessage']); $message->remove_from_db(); $vars->{message} = 'push_message_deleted'; diff --git a/extensions/Push/template/en/default/pages/push_queues_view.html.tmpl b/extensions/Push/template/en/default/pages/push_queues_view.html.tmpl index 6330d8ae4..355e6af91 100644 --- a/extensions/Push/template/en/default/pages/push_queues_view.html.tmpl +++ b/extensions/Push/template/en/default/pages/push_queues_view.html.tmpl @@ -14,6 +14,7 @@ [% IF !message_obj %] Return + [% INCLUDE global/footer.html.tmpl %] [% RETURN %] [% END %] @@ -55,6 +56,24 @@ [% END %] + + Actions + +
+ + + + + + +
+
+ + +
+ + + [% IF json %] @@ -64,17 +83,6 @@ [% END %] - - - - Return | - Delete - - - [% INCLUDE global/footer.html.tmpl %] diff --git a/extensions/Push/web/admin.css b/extensions/Push/web/admin.css index c204fa62a..96b3b8da5 100644 --- a/extensions/Push/web/admin.css +++ b/extensions/Push/web/admin.css @@ -69,3 +69,7 @@ text-align: right !important; } +.action-button { + display: inline; +} + diff --git a/extensions/Push/web/admin.js b/extensions/Push/web/admin.js index 599bfd742..cf1c69e7d 100644 --- a/extensions/Push/web/admin.js +++ b/extensions/Push/web/admin.js @@ -35,3 +35,10 @@ function reset_to_defaults() { } } } + +$(function() { + $('#deleteMessage input[type=submit]') + .click(function(event) { + return confirm('Are you sure you want to delete this message forever (a long time)?'); + }); +}); -- cgit v1.2.3-24-g4f1b