From d5d928102e575599296421f3334e9f8c82ae5292 Mon Sep 17 00:00:00 2001
From: "lpsolit%gmail.com" <>
Date: Mon, 2 Feb 2009 19:21:09 +0000
Subject: Bug 472362: [SECURITY] Malicious attachments can change your user
 settings (user + email prefs, shared searches) - Patch by Frédéric Buclin
 <LpSolit@gmail.com> r=wicked a=LpSolit
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 userprefs.cgi | 8 ++++++++
 1 file changed, 8 insertions(+)

(limited to 'userprefs.cgi')

diff --git a/userprefs.cgi b/userprefs.cgi
index 085372bac..cffae38cc 100755
--- a/userprefs.cgi
+++ b/userprefs.cgi
@@ -517,6 +517,9 @@ trick_taint($current_tab_name);
 
 $vars->{'current_tab_name'} = $current_tab_name;
 
+my $token = $cgi->param('token');
+check_token_data($token, 'edit_user_prefs') if $cgi->param('dosave');
+
 # Do any saving, and then display the current tab.
 SWITCH: for ($current_tab_name) {
     /^account$/ && do {
@@ -547,6 +550,11 @@ SWITCH: for ($current_tab_name) {
                    { current_tab_name => $current_tab_name });
 }
 
+delete_token($token) if $cgi->param('dosave');
+if ($current_tab_name ne 'permissions') {
+    $vars->{'token'} = issue_session_token('edit_user_prefs');
+}
+
 # Generate and return the UI (HTML page) from the appropriate template.
 print $cgi->header();
 $template->process("account/prefs/prefs.html.tmpl", $vars)
-- 
cgit v1.2.3-24-g4f1b