From 93815fc7619567cc962e053280c5ed0b19492feb Mon Sep 17 00:00:00 2001 From: "lpsolit%gmail.com" <> Date: Sun, 15 Oct 2006 05:02:09 +0000 Subject: Bug 281181: [SECURITY] It's way too easy to delete versions/components/milestones etc... - Patch by Frédéric Buclin r=mkanat a=myk MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- template/en/default/admin/confirm-action.html.tmpl | 97 ++++++++++++++++++++++ 1 file changed, 97 insertions(+) create mode 100644 template/en/default/admin/confirm-action.html.tmpl (limited to 'template/en/default/admin/confirm-action.html.tmpl') diff --git a/template/en/default/admin/confirm-action.html.tmpl b/template/en/default/admin/confirm-action.html.tmpl new file mode 100644 index 000000000..6e8caa6ac --- /dev/null +++ b/template/en/default/admin/confirm-action.html.tmpl 
@@ -0,0 +1,97 @@ +[%# 1.0@bugzilla.org %] +[%# The contents of this file are subject to the Mozilla Public + # License Version 1.1 (the "License"); you may not use this file + # except in compliance with the License. You may obtain a copy of + # the License at http://www.mozilla.org/MPL/ + # + # Software distributed under the License is distributed on an "AS + # IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or + # implied. See the License for the specific language governing + # rights and limitations under the License. + # + # The Original Code is the Bugzilla Bug Tracking System. + # + # The Initial Developer of the Original Code is Frédéric Buclin. + # + # Contributor(s): Frédéric Buclin + #%] + +[%# INTERFACE: + # abuser: identity of the user who created the (invalid?) token. + # token_action: the action the token was supposed to serve. + # expected_action: the action the user was going to do. + # script_name: the script generating this warning. + #%] + +[% PROCESS "global/field-descs.none.tmpl" %] + +[% PROCESS global/header.html.tmpl title = "Suspicious Action" + style_urls = ['skins/standard/global.css'] %] + +[% IF abuser %] +
+

When you view an administrative form in [% terms.Bugzilla %], a token string + is randomly generated and stored both in the database and in the form you loaded, + to make sure that the requested changes are being made as a result of submitting + a form generated by [% terms.Bugzilla %]. Unfortunately, the token used right now + is incorrect, meaning that it looks like you didn't come from the right page. + The following token has been used :

+ + + [% IF token_action != expected_action %] + + + + + + + + + [% END %] + + [% IF abuser != user.identity %] + + + + + + + + + [% END %] +
Action stored:[% token_action FILTER html %]
  + This action doesn't match the one expected ([% expected_action FILTER html %]). +
Generated by:[% abuser FILTER html %]
  + This token has not been generated by you. It is possible that someone + tried to trick you! +
+ +

Please report this problem to [%+ Param("maintainer") FILTER html %].

+
+[% ELSE %] +
+ It looks like you didn't come from the right page (you have no valid token for + the [% expected_action FILTER html %] action while processing the + '[% script_name FILTER html%]' script). The reason could be one of:
+
    +
  • You clicked the "Back" button of your web browser after having successfully + submitted changes, which is generally not a good idea (but harmless).
  • +
  • You entered the URL in the address bar of your web browser directly, + which should be safe.
  • +
  • You clicked on a URL which redirected you here without your consent, + in which case this action is much more critical.
  • +
+ Are you sure you want to commit these changes anyway? This may result in + unexpected and undesired results. +
+ +
+ [% PROCESS "global/hidden-fields.html.tmpl" + exclude="^(Bugzilla_login|Bugzilla_password)$" %] + +
+

Or throw away these changes and go back to + [%- script_name FILTER html %].

+[% END %] + +[% PROCESS global/footer.html.tmpl %] -- cgit v1.2.3-24-g4f1b
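Review bot: In the ELSE branch, the "commit these changes anyway" form replays the original request parameters through `global/hidden-fields.html.tmpl` (excluding only `Bugzilla_login|Bugzilla_password`), but nothing visible in this hunk emits a freshly issued token into that form; confirm that the receiving script issues and checks a new token for this confirmed submission, otherwise the confirmation page only forwards the same unverified request it was meant to stop. In the `[% IF abuser %]` branch, the table renders no rows when `token_action == expected_action` and `abuser == user.identity`, so the reader sees "The following token has been used :" followed by an empty table; either add a row covering that case or explain why the token was still rejected (expiry, for example). Style: `[% script_name FILTER html%]` is missing the space before `%]`, and "has been used :" should drop the space before the colon.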