From 0e390970ba51b14a5dc780be7c6f0d6d7baa67e3 Mon Sep 17 00:00:00 2001
From: Frédéric Buclin <LpSolit@gmail.com>
Date: Thu, 17 Apr 2014 18:11:12 +0200
Subject: Bug 713926: (CVE-2014-1517) [SECURITY] Login form lacks CSRF
 protection r=dkl a=justdave

---
 template/en/default/admin/sudo.html.tmpl | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

(limited to 'template/en/default/admin')

diff --git a/template/en/default/admin/sudo.html.tmpl b/template/en/default/admin/sudo.html.tmpl
index d4faf4ea7..bf0cd7b6f 100644
--- a/template/en/default/admin/sudo.html.tmpl
+++ b/template/en/default/admin/sudo.html.tmpl
@@ -68,9 +68,10 @@
     <p>
       Finally, enter <label for="Bugzilla_password">your [% terms.Bugzilla %]
       password</label>:
-      <input type="hidden" name="Bugzilla_login" value="
-      [%- user.login FILTER html %]">
+      <input type="hidden" name="Bugzilla_login" value="[% user.login FILTER html %]">
       <input type="password" id="Bugzilla_password" name="Bugzilla_password" size="20" required>
+      <input type="hidden" name="Bugzilla_login_token"
+             value="[% login_request_token FILTER html %]">
       <br>
       This is done for two reasons.  First of all, it is done to reduce 
       the chances of someone doing large amounts of damage using your 
-- 
cgit v1.2.3-24-g4f1b