Bug 754673 - CSRF vulnerability in query.cgi allows possible unauthorized use of...

[r=LpSolit a=LpSolit]

diff --git a/query.cgi b/query.cgi
index b3b9aa443e0f3b5b257a69d403bbf42dbe09fffe..bfb79e52c97cd00b86b4878c283036b5fe648f67 100755 (executable)
--- a/query.cgi
+++ b/query.cgi
@@ -39,6 +39,7 @@ use Bugzilla::Product;
 use Bugzilla::Keyword;
 use Bugzilla::Field;
 use Bugzilla::Install::Util qw(vers_cmp);
+use Bugzilla::Token;
 
 my $cgi = Bugzilla->cgi;
 my $dbh = Bugzilla->dbh;
@@ -51,6 +52,8 @@ my $userid = $user->id;
 
 if ($cgi->param('nukedefaultquery')) {
     if ($userid) {
+        my $token = $cgi->param('token');
+        check_hash_token($token, ['nukedefaultquery']);
         $dbh->do("DELETE FROM namedqueries" .
                  " WHERE userid = ? AND name = ?", 
                  undef, ($userid, DEFAULT_QUERY_NAME));

diff --git a/template/en/default/search/knob.html.tmpl b/template/en/default/search/knob.html.tmpl
index 17ff63a1045bb116654e007eed4ca32be8d96ba9..a50f6bd32626bc5b6a4c41f155a226647ae42c5a 100644 (file)
--- a/template/en/default/search/knob.html.tmpl
+++ b/template/en/default/search/knob.html.tmpl
@@ -79,7 +79,8 @@
         
 [% IF userdefaultquery %]
   <p>
-    <a href="query.cgi?nukedefaultquery=1">
+    <a href="query.cgi?nukedefaultquery=1&amp;token=
+       [%- issue_hash_token(['nukedefaultquery']) FILTER uri %]">
       Set my default search back to the system default</a>.
   </p>
 [% END %]