]> git.ipfire.org Git - thirdparty/bugzilla.git/commitdiff
projects / thirdparty / bugzilla.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 8e73771)
Bug 621105 - [SECURITY] Voting lacks CSRF protection
authorDavid Lawrence <dlawrence@mozilla.com>
Mon, 24 Jan 2011 19:33:04 +0000 (14:33 -0500)
committerDavid Lawrence <dlawrence@mozilla.com>
Mon, 24 Jan 2011 19:33:04 +0000 (14:33 -0500)
r=mkanat,a=LpSolit

extensions/Voting/Extension.pm patch | blob | blame | history
extensions/Voting/template/en/default/pages/voting/user.html.tmpl patch | blob | blame | history
extensions/Voting/template/en/default/voting/delete-all.html.tmpl patch | blob | blame | history

diff --git a/extensions/Voting/Extension.pm b/extensions/Voting/Extension.pm
index d94ff84300ff97997015de4098a84e97f2409fac..8417e0ec3579acb393df4dcad73d6094f2b68e92 100644 (file)
--- a/extensions/Voting/Extension.pm
+++ b/extensions/Voting/Extension.pm
@@ -36,6 +36,7 @@ use Bugzilla::Field;
 use Bugzilla::Mailer;
 use Bugzilla::User;
 use Bugzilla::Util qw(detaint_natural);
+use Bugzilla::Token;
 
 use List::Util qw(min);
 
@@ -529,6 +530,9 @@ sub _update_votes {
         || ThrowUserError("voting_must_be_nonnegative");
     }
 
+    my $token = $cgi->param('token');
+    check_hash_token($token, ['vote']);
+
     ############################################################################
     # End Data/Security Validation
     ############################################################################
diff --git a/extensions/Voting/template/en/default/pages/voting/user.html.tmpl b/extensions/Voting/template/en/default/pages/voting/user.html.tmpl
index 8000792243315c01809727a61b8d71f4424b8467..c2ee2ae7af37f282a05bc44a4e5b5a0e12e319f9 100644 (file)
--- a/extensions/Voting/template/en/default/pages/voting/user.html.tmpl
+++ b/extensions/Voting/template/en/default/pages/voting/user.html.tmpl
@@ -74,6 +74,7 @@
 [% IF products.size %]
   <form name="voting_form" method="post" action="page.cgi?id=voting/user.html">
     <input type="hidden" name="action" value="vote">
+    <input type="hidden" name="token" value="[% issue_hash_token(['vote']) FILTER html %]">
     <table cellspacing="4">
       <tr>
         <td></td>
diff --git a/extensions/Voting/template/en/default/voting/delete-all.html.tmpl b/extensions/Voting/template/en/default/voting/delete-all.html.tmpl
index 82ddc35961adaf39559e15f8a44b65efcd77c8ac..f0d3b7e13767e6fa2f738a239238c90f0f947c0c 100644 (file)
--- a/extensions/Voting/template/en/default/voting/delete-all.html.tmpl
+++ b/extensions/Voting/template/en/default/voting/delete-all.html.tmpl
@@ -35,6 +35,7 @@
 
 <form action="page.cgi?id=voting/user.html" method="post">
     <input type="hidden" name="action" value="vote">
+    <input type="hidden" name="token" value="[% issue_hash_token(['vote']) FILTER html %]">
   <p>
     <input type="radio" name="delete_all_votes" value="1">
     Yes, delete all my votes
Mirror of https://github.com/bugzilla/bugzilla.git