Bug 621105 - [SECURITY] Voting lacks CSRF protection

author David Lawrence <dlawrence@mozilla.com>

Mon, 24 Jan 2011 19:22:37 +0000 (14:22 -0500)

committer David Lawrence <dlawrence@mozilla.com>

Mon, 24 Jan 2011 19:22:37 +0000 (14:22 -0500)
author David Lawrence <dlawrence@mozilla.com>
Mon, 24 Jan 2011 19:22:37 +0000 (14:22 -0500)
committer David Lawrence <dlawrence@mozilla.com>
Mon, 24 Jan 2011 19:22:37 +0000 (14:22 -0500)
diff --git a/template/en/default/bug/votes/delete-all.html.tmpl b/template/en/default/bug/votes/delete-all.html.tmpl

index 41b75123dd5011614ce54bbb9a7575dcfe257032..f6382b6d34613b3cf692f8c6adec953b0c2686df 100644 (file)
--- a/template/en/default/bug/votes/delete-all.html.tmpl
+++ b/template/en/default/bug/votes/delete-all.html.tmpl
@@ -35,6 +35,7 @@
  
  <form action="votes.cgi" method="post">
      <input type="hidden" name="action" value="vote">
+  <input type="hidden" name="token" value="[% issue_hash_token(['vote']) FILTER html %]"> 
    <p>
      <input type="radio" name="delete_all_votes" value="1">
      Yes, delete all my votes
diff --git a/template/en/default/bug/votes/list-for-user.html.tmpl b/template/en/default/bug/votes/list-for-user.html.tmpl

index 2f97616ed69324a056fdff62ea1fa4a6fad81f72..f478fa02ffcd67192721eb2e39b3089b90a990f9 100644 (file)
--- a/template/en/default/bug/votes/list-for-user.html.tmpl
+++ b/template/en/default/bug/votes/list-for-user.html.tmpl
@@ -74,6 +74,7 @@
  [% IF products.size %]
    <form name="voting_form" method="post" action="votes.cgi">
      <input type="hidden" name="action" value="vote">
+    <input type="hidden" name="token" value="[% issue_hash_token(['vote']) FILTER html %]">
      <table cellspacing="4">
        <tr>
          <td></td>
diff --git a/votes.cgi b/votes.cgi

index b77a7a4f38410fa7d7016169f275a04d3bc76358..e4eb3b0385acfd387d882532220241b12ab275bb 100755 (executable)
--- a/votes.cgi
+++ b/votes.cgi
@@ -35,6 +35,7 @@ use Bugzilla::Bug;
  use Bugzilla::BugMail;
  use Bugzilla::User;
  use Bugzilla::Product;
+use Bugzilla::Token;
  
  use List::Util qw(min);
  
@@ -264,6 +265,9 @@ sub record_votes {
          || ThrowUserError("votes_must_be_nonnegative");
      }
  
+    my $token = $cgi->param('token');
+    check_hash_token($token, ['vote']);
+
      ############################################################################
      # End Data/Security Validation
      ############################################################################
author	David Lawrence <dlawrence@mozilla.com>
	Mon, 24 Jan 2011 19:22:37 +0000 (14:22 -0500)
committer	David Lawrence <dlawrence@mozilla.com>
	Mon, 24 Jan 2011 19:22:37 +0000 (14:22 -0500)
template/en/default/bug/votes/delete-all.html.tmpl		patch \| blob \| blame \| history
template/en/default/bug/votes/list-for-user.html.tmpl		patch \| blob \| blame \| history
votes.cgi		patch \| blob \| blame \| history