From d9041c3f97422fb377c3e8d20129f4ef8517f833 Mon Sep 17 00:00:00 2001
From: "reed%reedloden.com" <>
Date: Mon, 30 Mar 2009 21:02:33 +0000
Subject: Bug 476603 - "[SECURITY] Editing attachments doesn't have any CSRF protection" [p=reed r=LpSolit a=LpSolit]
---
 template/en/default/attachment/edit.html.tmpl | 3 +++
 template/en/default/bug/show.xml.tmpl | 10 +++++++---
 2 files changed, 10 insertions(+), 3 deletions(-)
(limited to 'template')
diff --git a/template/en/default/attachment/edit.html.tmpl b/template/en/default/attachment/edit.html.tmpl
index f461e9e91..95c90871f 100644
--- a/template/en/default/attachment/edit.html.tmpl
+++ b/template/en/default/attachment/edit.html.tmpl
@@ -171,6 +171,9 @@
+ [% IF user.id %]
+
+ [% END %]
diff --git a/template/en/default/bug/show.xml.tmpl b/template/en/default/bug/show.xml.tmpl
index 8fc6ddb3f..cd7f44eff 100644
--- a/template/en/default/bug/show.xml.tmpl
+++ b/template/en/default/bug/show.xml.tmpl
@@ -103,9 +103,13 @@
 [% a.contenttype FILTER xml %][% a.datasize FILTER xml %][% a.attacher.email FILTER email FILTER xml %]
- [% IF displayfields.attachmentdata %]
- [% a.data FILTER base64 %]
- [% END %]
+ [%# This is here so automated clients can still use attachment.cgi %]
+ [% IF displayfields.token && user.id %]
+ [% issue_hash_token([a.id, a.modification_time]) FILTER xml %]
+ [% END %]
+ [% IF displayfields.attachmentdata %]
+ [% a.data FILTER base64 %]
+ [% END %]
 [% FOREACH flag = a.flags %]
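Review bot: The hidden token field between the added `[% IF user.id %]` and `[% END %]` lines did not survive this rendering, so the value the edit form actually submits cannot be checked here; it needs to be built from the same attachment id and modification_time pair that show.xml.tmpl's new `issue_hash_token([a.id, a.modification_time])` line uses, otherwise tokens obtained from the XML export will not validate against the edit action. The patch is template-only (limited to 'template'), so the verifying side in attachment.cgi — rejecting an update whose token is missing, stale, or bound to a different attachment — is not visible in this diff and should be confirmed separately. Binding the token to modification_time also means a form loaded before a concurrent edit is expected to fail its token check rather than apply on top of the newer state, which is worth stating next to the field, e.g. `[%# CSRF token bound to this attachment and its modification_time; expected to be checked by attachment.cgi before an update is applied %]`. The enclosing form starts and ends outside the hunk.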
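Review bot: Emitting a live CSRF token inside the XML export puts a credential-like value into a document that clients commonly save, mirror or forward; the `displayfields.token && user.id` gate limits it to logged-in requests that explicitly ask for the field, but the one-line template comment does not say so, and consumers that cache the XML should know the value is attachment-specific and changes whenever the attachment is modified. Suggest replacing the comment with one that states the contract: `[%# Token for attachment.cgi edits by automated clients. Emitted only when the 'token' display field is requested by a logged-in user; bound to this attachment and its modification_time, so re-fetch after any change. %]`. Whether issue_hash_token additionally binds the value to the requesting user is not visible in this hunk — confirm in the issue_hash_token implementation before relying on that for the caching caveat. The enclosing attachment element and the `FOREACH` loop continue outside the hunk.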