From 4e1941fedbe46bafce9aded3a0a38d272fec37a2 Mon Sep 17 00:00:00 2001
From: David Lawrence <dkl@mozilla.com>
Date: Tue, 4 Nov 2014 11:11:09 +0800
Subject: Bug 1090427: Backport bug 713926 to bmo/4.2 to protect against csrf
 for login forms

---
 relogin.cgi | 13 +++++++++++++
 1 file changed, 13 insertions(+)

(limited to 'relogin.cgi')

diff --git a/relogin.cgi b/relogin.cgi
index 6eb798205..9eea67bd5 100755
--- a/relogin.cgi
+++ b/relogin.cgi
@@ -67,6 +67,19 @@ elsif ($action eq 'prepare-sudo') {
     # Keep a temporary record of the user visiting this page
     $vars->{'token'} = issue_session_token('sudo_prepared');
 
+    if ($user->authorizer->can_login) {
+        my $value = generate_random_password();
+        my %args;
+        $args{'-secure'} = 1 if Bugzilla->params->{ssl_redirect};
+
+        $cgi->send_cookie(-name => 'Bugzilla_login_request_cookie',
+                          -value => $value,
+                          -httponly => 1,
+                          %args);
+
+        $vars->{'login_request_token'} = issue_hash_token(['login_request', $value]);
+    }
+
     # Show the sudo page
     $vars->{'target_login_default'} = $cgi->param('target_login');
     $vars->{'reason_default'} = $cgi->param('reason');
-- 
cgit v1.2.3-24-g4f1b