From d9041c3f97422fb377c3e8d20129f4ef8517f833 Mon Sep 17 00:00:00 2001
From: "reed%reedloden.com" <>
Date: Mon, 30 Mar 2009 21:02:33 +0000
Subject: Bug 476603 - "[SECURITY] Editing attachments doesn't have any CSRF
 protection" [p=reed r=LpSolit a=LpSolit]

---
 template/en/default/bug/show.xml.tmpl | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

(limited to 'template/en/default/bug')

diff --git a/template/en/default/bug/show.xml.tmpl b/template/en/default/bug/show.xml.tmpl
index 8fc6ddb3f..cd7f44eff 100644
--- a/template/en/default/bug/show.xml.tmpl
+++ b/template/en/default/bug/show.xml.tmpl
@@ -103,9 +103,13 @@
             <type>[% a.contenttype FILTER xml %]</type>
             <size>[% a.datasize FILTER xml %]</size>
             <attacher>[% a.attacher.email FILTER email FILTER xml %]</attacher>
-        [% IF displayfields.attachmentdata %]
-            <data encoding="base64">[% a.data FILTER base64 %]</data>
-        [% END %]        
+            [%# This is here so automated clients can still use attachment.cgi %]
+            [% IF displayfields.token && user.id %]
+              <token>[% issue_hash_token([a.id, a.modification_time]) FILTER xml %]</token>
+            [% END %]
+            [% IF displayfields.attachmentdata %]
+              <data encoding="base64">[% a.data FILTER base64 %]</data>
+            [% END %]
 
             [% FOREACH flag = a.flags %]
               <flag name="[% flag.type.name FILTER xml %]"
-- 
cgit v1.2.3-24-g4f1b