From aefdf269ff52f02c16a350329f485c041479507e Mon Sep 17 00:00:00 2001
From: Frédéric Buclin
Date: Mon, 6 Aug 2012 23:41:47 +0200
Subject: Bug 706271: CSRF vulnerability in token.cgi allows possible unauthorized password reset e-mail request r=reed a=LpSolit
---
 token.cgi | 5 +++++
 1 file changed, 5 insertions(+)
(limited to 'token.cgi')
diff --git a/token.cgi b/token.cgi
index d5ebad78d..62f1f5121 100755
--- a/token.cgi
+++ b/token.cgi
@@ -114,6 +114,11 @@ sub requestChangePassword {
 Bugzilla->user->authorizer->can_change_password
 || ThrowUserError("password_change_requests_not_allowed");
+ # Check the hash token to make sure this user actually submitted
+ # the forgotten password form.
+ my $token = $cgi->param('token');
+ check_hash_token($token, ['reqpw']);
+
 my $login_name = $cgi->param('loginname')
 or ThrowUserError("login_needed_for_password_change");
--
cgit v1.2.3-24-g4f1b
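Review bot: The intermediate scalar in `my $token = $cgi->param('token');` before `check_hash_token($token, ['reqpw']);` is doing real work and deserves a comment, because a later cleanup that inlines `$cgi->param('token')` into the argument list would evaluate it in list context and a multi-valued or absent parameter could shift `['reqpw']` out of the data slot; consider extending the added comment with `# Read into a scalar first: param() in list context may return zero or several values.` `check_hash_token` is not brought into scope within this hunk; presumably it comes from the file's `use Bugzilla::Token;` line outside this view, which is worth confirming. The enclosing `requestChangePassword` sub starts before the hunk and continues past it.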