From d9041c3f97422fb377c3e8d20129f4ef8517f833 Mon Sep 17 00:00:00 2001 From: "reed%reedloden.com" <> Date: Mon, 30 Mar 2009 21:02:33 +0000 Subject: Bug 476603 - "[SECURITY] Editing attachments doesn't have any CSRF protection" [p=reed r=LpSolit a=LpSolit] --- template/en/default/bug/show.xml.tmpl | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) (limited to 'template/en/default/bug') diff --git a/template/en/default/bug/show.xml.tmpl b/template/en/default/bug/show.xml.tmpl index 8fc6ddb3f..cd7f44eff 100644 --- a/template/en/default/bug/show.xml.tmpl +++ b/template/en/default/bug/show.xml.tmpl @@ -103,9 +103,13 @@ [% a.contenttype FILTER xml %] [% a.datasize FILTER xml %] [% a.attacher.email FILTER email FILTER xml %] - [% IF displayfields.attachmentdata %] - [% a.data FILTER base64 %] - [% END %] + [%# This is here so automated clients can still use attachment.cgi %] + [% IF displayfields.token && user.id %] + [% issue_hash_token([a.id, a.modification_time]) FILTER xml %] + [% END %] + [% IF displayfields.attachmentdata %] + [% a.data FILTER base64 %] + [% END %] [% FOREACH flag = a.flags %]