From 93815fc7619567cc962e053280c5ed0b19492feb Mon Sep 17 00:00:00 2001 
From: "lpsolit%gmail.com" <> Date: Sun, 15 Oct 2006 05:02:09 +0000 Subject: Bug 281181: [SECURITY] It's way too easy to delete versions/components/milestones etc... - Patch by Frédéric Buclin r=mkanat a=myk MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../en/default/admin/classifications/add.html.tmpl | 1 + .../en/default/admin/classifications/del.html.tmpl | 1 + .../default/admin/classifications/edit.html.tmpl | 1 + .../admin/classifications/reclassify.html.tmpl | 1 + .../admin/components/confirm-delete.html.tmpl | 1 + .../en/default/admin/components/create.html.tmpl | 2 +- .../en/default/admin/components/edit.html.tmpl | 1 + template/en/default/admin/confirm-action.html.tmpl | 97 ++++++++++++++++++++++ .../default/admin/custom_fields/create.html.tmpl | 1 + .../en/default/admin/custom_fields/edit.html.tmpl | 1 + .../admin/fieldvalues/confirm-delete.html.tmpl | 1 + .../en/default/admin/fieldvalues/create.html.tmpl | 2 +- .../en/default/admin/fieldvalues/edit.html.tmpl | 2 +- .../admin/flag-type/confirm-delete.html.tmpl | 16 ++-- template/en/default/admin/flag-type/edit.html.tmpl | 1 + template/en/default/admin/flag-type/list.html.tmpl | 23 +---- template/en/default/admin/groups/create.html.tmpl | 1 + template/en/default/admin/groups/delete.html.tmpl | 1 + template/en/default/admin/groups/edit.html.tmpl | 1 + .../admin/keywords/confirm-delete.html.tmpl | 1 + .../en/default/admin/keywords/create.html.tmpl | 1 + template/en/default/admin/keywords/edit.html.tmpl | 1 + .../admin/milestones/confirm-delete.html.tmpl | 1 + .../en/default/admin/milestones/create.html.tmpl | 2 +- .../en/default/admin/milestones/edit.html.tmpl | 2 +- .../en/default/admin/params/editparams.html.tmpl | 1 + .../admin/products/confirm-delete.html.tmpl | 1 + .../en/default/admin/products/create.html.tmpl | 1 + template/en/default/admin/products/edit.html.tmpl | 1 + .../admin/products/groupcontrol/edit.html.tmpl | 1 + 
template/en/default/admin/settings/edit.html.tmpl | 1 + .../default/admin/users/confirm-delete.html.tmpl | 1 + template/en/default/admin/users/create.html.tmpl | 1 + template/en/default/admin/users/edit.html.tmpl | 1 + .../admin/versions/confirm-delete.html.tmpl | 1 + .../en/default/admin/versions/create.html.tmpl | 2 +- template/en/default/admin/versions/edit.html.tmpl | 2 +- template/en/default/filterexceptions.pl | 1 - template/en/default/whine/schedule.html.tmpl | 1 + 39 files changed, 140 insertions(+), 39 deletions(-) create mode 100644 template/en/default/admin/confirm-action.html.tmpl (limited to 'template')
diff --git a/template/en/default/admin/classifications/add.html.tmpl b/template/en/default/admin/classifications/add.html.tmpl
index 15b8fc3a2..d549bbc79 100644
--- a/template/en/default/admin/classifications/add.html.tmpl
+++ b/template/en/default/admin/classifications/add.html.tmpl
@@ -49,6 +49,7 @@
+

Back to the main [% terms.bugs %] page
diff --git a/template/en/default/admin/classifications/del.html.tmpl b/template/en/default/admin/classifications/del.html.tmpl
index 84c3cb197..ffb8fe065 100644
--- a/template/en/default/admin/classifications/del.html.tmpl
+++ b/template/en/default/admin/classifications/del.html.tmpl
@@ -56,6 +56,7 @@
+

Back to the main [% terms.bugs %] page
diff --git a/template/en/default/admin/classifications/edit.html.tmpl b/template/en/default/admin/classifications/edit.html.tmpl
index b56a401f4..923a79f5e 100644
--- a/template/en/default/admin/classifications/edit.html.tmpl
+++ b/template/en/default/admin/classifications/edit.html.tmpl
@@ -77,6 +77,7 @@
+
diff --git a/template/en/default/admin/classifications/reclassify.html.tmpl b/template/en/default/admin/classifications/reclassify.html.tmpl
index 0db2fc265..113c6f630 100644
--- a/template/en/default/admin/classifications/reclassify.html.tmpl
+++ b/template/en/default/admin/classifications/reclassify.html.tmpl
@@ -82,6 +82,7 @@
+

Back to the main [% terms.bugs %] page,
diff --git a/template/en/default/admin/components/confirm-delete.html.tmpl b/template/en/default/admin/components/confirm-delete.html.tmpl
index e7e00636e..1d7553f83 100644
--- a/template/en/default/admin/components/confirm-delete.html.tmpl
+++ b/template/en/default/admin/components/confirm-delete.html.tmpl
@@ -150,6 +150,7 @@
+ [% END %]
diff --git a/template/en/default/admin/components/create.html.tmpl b/template/en/default/admin/components/create.html.tmpl
index 013ee861e..9b4a19bf0 100644
--- a/template/en/default/admin/components/create.html.tmpl
+++ b/template/en/default/admin/components/create.html.tmpl
@@ -102,7 +102,7 @@
-
+ [% PROCESS admin/components/footer.html.tmpl %]
diff --git a/template/en/default/admin/components/edit.html.tmpl b/template/en/default/admin/components/edit.html.tmpl
index 6ee3a69fe..81a6e9fc2 100644
--- a/template/en/default/admin/components/edit.html.tmpl
+++ b/template/en/default/admin/components/edit.html.tmpl
@@ -119,6 +119,7 @@
+ or + #%]
+
+[%# INTERFACE:
+ # abuser: identity of the user who created the (invalid?) token.
+ # token_action: the action the token was supposed to serve.
+ # expected_action: the action the user was going to do.
+ # script_name: the script generating this warning.
+ #%]
+
+[% PROCESS "global/field-descs.none.tmpl" %]
+
+[% PROCESS global/header.html.tmpl title = "Suspicious Action"
+ style_urls = ['skins/standard/global.css'] %]
+
+[% IF abuser %]
+

+

When you view an administrative form in [% terms.Bugzilla %], a token string
+ is randomly generated and stored both in the database and in the form you loaded,
+ to make sure that the requested changes are being made as a result of submitting
+ a form generated by [% terms.Bugzilla %]. Unfortunately, the token used right now
+ is incorrect, meaning that it looks like you didn't come from the right page.
+ The following token has been used :

+ + + [% IF token_action != expected_action %] + + + + + + + + + [% END %] + + [% IF abuser != user.identity %] + + + + + + + + + [% END %] +
Action stored:[% token_action FILTER html %]
  + This action doesn't match the one expected ([% expected_action FILTER html %]). +
Generated by:[% abuser FILTER html %]
  + This token has not been generated by you. It is possible that someone + tried to trick you! +
+
+

Please report this problem to [%+ Param("maintainer") FILTER html %].

+
+[% ELSE %]
+
+ It looks like you didn't come from the right page (you have no valid token for
+ the [% expected_action FILTER html %] action while processing the
+ '[% script_name FILTER html%]' script). The reason could be one of:
+
    +
  • You clicked the "Back" button of your web browser after having successfully
+ submitted changes, which is generally not a good idea (but harmless).
  • +
  • You entered the URL in the address bar of your web browser directly,
+ which should be safe.
  • +
  • You clicked on a URL which redirected you here without your consent,
+ in which case this action is much more critical.
  • +
+ Are you sure you want to commit these changes anyway? This may result in
+ unexpected and undesired results.
+
+ +
+ [% PROCESS "global/hidden-fields.html.tmpl"
+ exclude="^(Bugzilla_login|Bugzilla_password)$" %]
+
+
+

Or throw away these changes and go back to
+ [%- script_name FILTER html %].

+[% END %]
+
+[% PROCESS global/footer.html.tmpl %]
diff --git a/template/en/default/admin/custom_fields/create.html.tmpl b/template/en/default/admin/custom_fields/create.html.tmpl
index e8b66deca..995c4d0a9 100644
--- a/template/en/default/admin/custom_fields/create.html.tmpl
+++ b/template/en/default/admin/custom_fields/create.html.tmpl
@@ -102,6 +102,7 @@
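Review bot: The fallback form in the `[% ELSE %]` branch replays every parameter of the original request via `[% PROCESS "global/hidden-fields.html.tmpl" exclude="^(Bugzilla_login|Bugzilla_password)$" %]`, yet the page shows the user only `expected_action` and `script_name`, so someone who arrived through the third bullet ("a URL which redirected you here without your consent") is asked to confirm "these changes" without being able to see what they are. Rendering the non-excluded fields as a read-only summary above the confirm button, or at least the fields that name the object being changed, would make the confirmation an informed decision rather than a click-through. The `[% IF abuser %]` branch is fine as a dead end since it only reports and offers no resubmission. Minor style nit: `[% script_name FILTER html%]` is missing the space before `%]`, unlike every other directive in the file. The head of this new file (its license block and any hidden field emitted before `[% IF abuser %]`) is not visible here, so whether the confirm form itself carries a freshly issued token cannot be checked from this view.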
+
diff --git a/template/en/default/admin/custom_fields/edit.html.tmpl b/template/en/default/admin/custom_fields/edit.html.tmpl
index 6ffa3d89d..2165ac323 100644
--- a/template/en/default/admin/custom_fields/edit.html.tmpl
+++ b/template/en/default/admin/custom_fields/edit.html.tmpl
@@ -98,6 +98,7 @@
+
diff --git a/template/en/default/admin/fieldvalues/confirm-delete.html.tmpl b/template/en/default/admin/fieldvalues/confirm-delete.html.tmpl
index d29c124d6..4cd001476 100644
--- a/template/en/default/admin/fieldvalues/confirm-delete.html.tmpl
+++ b/template/en/default/admin/fieldvalues/confirm-delete.html.tmpl
@@ -111,6 +111,7 @@
+ [% END %]
diff --git a/template/en/default/admin/fieldvalues/create.html.tmpl b/template/en/default/admin/fieldvalues/create.html.tmpl
index c0d364416..2e87af053 100644
--- a/template/en/default/admin/fieldvalues/create.html.tmpl
+++ b/template/en/default/admin/fieldvalues/create.html.tmpl
@@ -42,7 +42,7 @@
-
+

diff --git a/template/en/default/admin/fieldvalues/edit.html.tmpl b/template/en/default/admin/fieldvalues/edit.html.tmpl
index 362ed4753..7ff3c0e33 100644
--- a/template/en/default/admin/fieldvalues/edit.html.tmpl
+++ b/template/en/default/admin/fieldvalues/edit.html.tmpl
@@ -55,8 +55,8 @@
+
-

diff --git a/template/en/default/admin/flag-type/confirm-delete.html.tmpl b/template/en/default/admin/flag-type/confirm-delete.html.tmpl
index fda34e3b1..0af9fb5a2 100644
--- a/template/en/default/admin/flag-type/confirm-delete.html.tmpl
+++ b/template/en/default/admin/flag-type/confirm-delete.html.tmpl
@@ -21,18 +21,16 @@
 [% PROCESS global/variables.none.tmpl %]
-[%# Filter off the name here to be used multiple times below %]
-[% name = BLOCK %][% flag_type.name FILTER html %][% END %]
+[% title = BLOCK %]Confirm Deletion of Flag Type '[% flag_type.name FILTER html %]'[% END %]
-[% PROCESS global/header.html.tmpl
- title = "Confirm Deletion of Flag Type '$name'" -%]
+[% PROCESS global/header.html.tmpl title = title %]

- There are [% flag_type.flag_count %] flags of type [% name FILTER html %].
+ There are [% flag_type.flag_count %] flags of type [% flag_type.name FILTER html %].
 If you delete this type, those flags will also be deleted. Note that instead of deleting the type you can
- deactivate it,
+ deactivate it,
 in which case the type and its flags will remain in the database but will not appear in the [% terms.Bugzilla %] UI.

@@ -45,8 +43,8 @@
-
- Yes, delete
+ Yes, delete
diff --git a/template/en/default/admin/flag-type/edit.html.tmpl b/template/en/default/admin/flag-type/edit.html.tmpl
index 942fb3b09..e78c83643 100644
--- a/template/en/default/admin/flag-type/edit.html.tmpl
+++ b/template/en/default/admin/flag-type/edit.html.tmpl
@@ -53,6 +53,7 @@
+ [% FOREACH category = type.inclusions %]
diff --git a/template/en/default/admin/flag-type/list.html.tmpl b/template/en/default/admin/flag-type/list.html.tmpl
index 94fe3da0c..3346f9570 100644
--- a/template/en/default/admin/flag-type/list.html.tmpl
+++ b/template/en/default/admin/flag-type/list.html.tmpl
@@ -101,25 +101,6 @@ Create Flag Type For Attachments

- - [% PROCESS global/footer.html.tmpl %]
@@ -157,9 +138,7 @@
 [% IF type.request_group %][% type.request_group.name FILTER html %][% END %] Copy
- | Delete
+ | Delete
diff --git a/template/en/default/admin/groups/create.html.tmpl b/template/en/default/admin/groups/create.html.tmpl
index 2b50d73a2..d6422f769 100644
--- a/template/en/default/admin/groups/create.html.tmpl
+++ b/template/en/default/admin/groups/create.html.tmpl
@@ -49,6 +49,7 @@ Insert new group into all existing products.

+

Name is what is used with the Bugzilla->user->in_group()
diff --git a/template/en/default/admin/groups/delete.html.tmpl b/template/en/default/admin/groups/delete.html.tmpl
index f5aa7a9b4..22701407a 100644
--- a/template/en/default/admin/groups/delete.html.tmpl
+++ b/template/en/default/admin/groups/delete.html.tmpl
@@ -123,6 +123,7 @@

+ Go back to the group list.
diff --git a/template/en/default/admin/groups/edit.html.tmpl b/template/en/default/admin/groups/edit.html.tmpl
index c1d032e1a..6c5771661 100644
--- a/template/en/default/admin/groups/edit.html.tmpl
+++ b/template/en/default/admin/groups/edit.html.tmpl
@@ -214,6 +214,7 @@
+ Back to the group list.
diff --git a/template/en/default/admin/keywords/confirm-delete.html.tmpl b/template/en/default/admin/keywords/confirm-delete.html.tmpl
index 89123e2bf..0d68524d7 100755
--- a/template/en/default/admin/keywords/confirm-delete.html.tmpl
+++ b/template/en/default/admin/keywords/confirm-delete.html.tmpl
@@ -45,6 +45,7 @@
+
diff --git a/template/en/default/admin/keywords/create.html.tmpl b/template/en/default/admin/keywords/create.html.tmpl
index 103aa03b2..45d97819e 100755
--- a/template/en/default/admin/keywords/create.html.tmpl
+++ b/template/en/default/admin/keywords/create.html.tmpl
@@ -51,6 +51,7 @@
+

Edit other keywords.

diff --git a/template/en/default/admin/keywords/edit.html.tmpl b/template/en/default/admin/keywords/edit.html.tmpl
index 0d3beaf33..81f072b8b 100755
--- a/template/en/default/admin/keywords/edit.html.tmpl
+++ b/template/en/default/admin/keywords/edit.html.tmpl
@@ -66,6 +66,7 @@
+

Edit other keywords.

diff --git a/template/en/default/admin/milestones/confirm-delete.html.tmpl b/template/en/default/admin/milestones/confirm-delete.html.tmpl
index 1667af3b7..b1f893ffd 100644
--- a/template/en/default/admin/milestones/confirm-delete.html.tmpl
+++ b/template/en/default/admin/milestones/confirm-delete.html.tmpl
@@ -90,6 +90,7 @@
+ [% PROCESS admin/milestones/footer.html.tmpl %]
diff --git a/template/en/default/admin/milestones/create.html.tmpl b/template/en/default/admin/milestones/create.html.tmpl
index 8dd23e3de..edace52bf 100644
--- a/template/en/default/admin/milestones/create.html.tmpl
+++ b/template/en/default/admin/milestones/create.html.tmpl
@@ -49,7 +49,7 @@
-
+

diff --git a/template/en/default/admin/milestones/edit.html.tmpl b/template/en/default/admin/milestones/edit.html.tmpl
index f216166b1..c7aeb031a 100644
--- a/template/en/default/admin/milestones/edit.html.tmpl
+++ b/template/en/default/admin/milestones/edit.html.tmpl
@@ -55,7 +55,7 @@
-
+

diff --git a/template/en/default/admin/params/editparams.html.tmpl b/template/en/default/admin/params/editparams.html.tmpl
index ef379e75c..ce5442b3a 100644
--- a/template/en/default/admin/params/editparams.html.tmpl
+++ b/template/en/default/admin/params/editparams.html.tmpl
@@ -99,6 +99,7 @@
 [% PROCESS admin/params/common.html.tmpl panel = current_panel %]
+
diff --git a/template/en/default/admin/products/confirm-delete.html.tmpl b/template/en/default/admin/products/confirm-delete.html.tmpl
index 75aeb623a..84f8da569 100644
--- a/template/en/default/admin/products/confirm-delete.html.tmpl
+++ b/template/en/default/admin/products/confirm-delete.html.tmpl
@@ -263,6 +263,7 @@
+
diff --git a/template/en/default/admin/products/create.html.tmpl b/template/en/default/admin/products/create.html.tmpl
index fd1ed34cc..5fb7d8bd1 100644
--- a/template/en/default/admin/products/create.html.tmpl
+++ b/template/en/default/admin/products/create.html.tmpl
@@ -57,6 +57,7 @@
+
diff --git a/template/en/default/admin/products/edit.html.tmpl b/template/en/default/admin/products/edit.html.tmpl
index 105ec6e74..0371e3343 100644
--- a/template/en/default/admin/products/edit.html.tmpl
+++ b/template/en/default/admin/products/edit.html.tmpl
@@ -132,6 +132,7 @@ versions:
+
diff --git a/template/en/default/admin/products/groupcontrol/edit.html.tmpl b/template/en/default/admin/products/groupcontrol/edit.html.tmpl
index 174d15869..32b5e9d8c 100644
--- a/template/en/default/admin/products/groupcontrol/edit.html.tmpl
+++ b/template/en/default/admin/products/groupcontrol/edit.html.tmpl
@@ -31,6 +31,7 @@

+
diff --git a/template/en/default/admin/settings/edit.html.tmpl b/template/en/default/admin/settings/edit.html.tmpl
index 9ca9226e7..8881fc3dc 100644
--- a/template/en/default/admin/settings/edit.html.tmpl
+++ b/template/en/default/admin/settings/edit.html.tmpl
@@ -85,6 +85,7 @@ page, and the Default Value will automatically apply to everyone.
+
diff --git a/template/en/default/admin/users/confirm-delete.html.tmpl b/template/en/default/admin/users/confirm-delete.html.tmpl
index 6f0a565ca..4c348fa10 100644
--- a/template/en/default/admin/users/confirm-delete.html.tmpl
+++ b/template/en/default/admin/users/confirm-delete.html.tmpl
@@ -448,6 +448,7 @@
+ [% INCLUDE listselectionhiddenfields %]

diff --git a/template/en/default/admin/users/create.html.tmpl b/template/en/default/admin/users/create.html.tmpl
index 4cef3884a..66cdd91e0 100644
--- a/template/en/default/admin/users/create.html.tmpl
+++ b/template/en/default/admin/users/create.html.tmpl
@@ -41,6 +41,7 @@

+ [% INCLUDE listselectionhiddenfields %]

diff --git a/template/en/default/admin/users/edit.html.tmpl b/template/en/default/admin/users/edit.html.tmpl
index b0cc21082..61778ad93 100644
--- a/template/en/default/admin/users/edit.html.tmpl
+++ b/template/en/default/admin/users/edit.html.tmpl
@@ -106,6 +106,7 @@
+ [% INCLUDE listselectionhiddenfields %] or + [% END %]
diff --git a/template/en/default/admin/versions/create.html.tmpl b/template/en/default/admin/versions/create.html.tmpl
index 44d43cab4..c421ab12b 100644
--- a/template/en/default/admin/versions/create.html.tmpl
+++ b/template/en/default/admin/versions/create.html.tmpl
@@ -43,7 +43,7 @@
-
+

diff --git a/template/en/default/admin/versions/edit.html.tmpl b/template/en/default/admin/versions/edit.html.tmpl
index 7f0de2677..cfdfd4981 100644
--- a/template/en/default/admin/versions/edit.html.tmpl
+++ b/template/en/default/admin/versions/edit.html.tmpl
@@ -48,8 +48,8 @@
+
-

diff --git a/template/en/default/filterexceptions.pl b/template/en/default/filterexceptions.pl
index d9a3e1913..0c37234ff 100644
--- a/template/en/default/filterexceptions.pl
+++ b/template/en/default/filterexceptions.pl
@@ -512,7 +512,6 @@
 'admin/flag-type/list.html.tmpl' => [ 'type.id',
- 'type.flag_count',
 ],
diff --git a/template/en/default/whine/schedule.html.tmpl b/template/en/default/whine/schedule.html.tmpl
index c7370a3e1..28fceabab 100644
--- a/template/en/default/whine/schedule.html.tmpl
+++ b/template/en/default/whine/schedule.html.tmpl
@@ -82,6 +82,7 @@
+ [% FOREACH event = events %]
-- cgit v1.2.3-24-g4f1b