Bug 621105 - [SECURITY] Voting lacks CSRF protection

author David Lawrence <dlawrence@mozilla.com>

Mon, 24 Jan 2011 19:13:43 +0000 (14:13 -0500)

committer David Lawrence <dlawrence@mozilla.com>

Mon, 24 Jan 2011 19:13:43 +0000 (14:13 -0500)
author David Lawrence <dlawrence@mozilla.com>
Mon, 24 Jan 2011 19:13:43 +0000 (14:13 -0500)
committer David Lawrence <dlawrence@mozilla.com>
Mon, 24 Jan 2011 19:13:43 +0000 (14:13 -0500)
diff --git a/Bugzilla/Install/Localconfig.pm b/Bugzilla/Install/Localconfig.pm

index 8857b7521cc8cc69208746a703ad6f92853202ed..9ea73ede4baf0edcffddf6f27946c3f88f2f4be0 100644 (file)
--- a/Bugzilla/Install/Localconfig.pm
+++ b/Bugzilla/Install/Localconfig.pm
@@ -251,7 +251,7 @@ EOT
              elsif (defined @$glob) {
                  $localconfig{$var} = \@$glob;
              }
-            elsif (defined %$glob) {
+            elsif (%$glob) {
                  $localconfig{$var} = \%$glob;
              }
          }
diff --git a/template/en/default/bug/votes/delete-all.html.tmpl b/template/en/default/bug/votes/delete-all.html.tmpl

index 41b75123dd5011614ce54bbb9a7575dcfe257032..f6382b6d34613b3cf692f8c6adec953b0c2686df 100644 (file)
--- a/template/en/default/bug/votes/delete-all.html.tmpl
+++ b/template/en/default/bug/votes/delete-all.html.tmpl
@@ -35,6 +35,7 @@
  
  <form action="votes.cgi" method="post">
      <input type="hidden" name="action" value="vote">
+  <input type="hidden" name="token" value="[% issue_hash_token(['vote']) FILTER html %]"> 
    <p>
      <input type="radio" name="delete_all_votes" value="1">
      Yes, delete all my votes
diff --git a/template/en/default/bug/votes/list-for-user.html.tmpl b/template/en/default/bug/votes/list-for-user.html.tmpl

index 50dff7d5ea4ea811acc3536e32ae4aab2ec4449e..9629b8e5864b8a69afc23aa9857c901becf0f062 100644 (file)
--- a/template/en/default/bug/votes/list-for-user.html.tmpl
+++ b/template/en/default/bug/votes/list-for-user.html.tmpl
@@ -74,6 +74,7 @@
  [% IF products.size %]
    <form name="voting_form" method="post" action="votes.cgi">
      <input type="hidden" name="action" value="vote">
+    <input type="hidden" name="token" value="[% issue_hash_token(['vote']) FILTER html %]">
      <table cellspacing="4">
        <tr>
          <td></td>
diff --git a/votes.cgi b/votes.cgi

index fb6b72a8739794272d0c65e01e0056ec282eba25..033cf249e41a5f7357de8b8b23fc9ef9a8d636e7 100755 (executable)
--- a/votes.cgi
+++ b/votes.cgi
@@ -34,6 +34,7 @@ use Bugzilla::Error;
  use Bugzilla::Bug;
  use Bugzilla::User;
  use Bugzilla::Product;
+use Bugzilla::Token;
  
  use List::Util qw(min);
  
@@ -257,6 +258,9 @@ sub record_votes {
          || ThrowUserError("votes_must_be_nonnegative");
      }
  
+    my $token = $cgi->param('token');
+    check_hash_token($token, ['vote']);
+
      ############################################################################
      # End Data/Security Validation
      ############################################################################
author	David Lawrence <dlawrence@mozilla.com>
	Mon, 24 Jan 2011 19:13:43 +0000 (14:13 -0500)
committer	David Lawrence <dlawrence@mozilla.com>
	Mon, 24 Jan 2011 19:13:43 +0000 (14:13 -0500)
Bugzilla/Install/Localconfig.pm		patch \| blob \| blame \| history
template/en/default/bug/votes/delete-all.html.tmpl		patch \| blob \| blame \| history
template/en/default/bug/votes/list-for-user.html.tmpl		patch \| blob \| blame \| history
votes.cgi		patch \| blob \| blame \| history