Bug 621105 - [SECURITY] Voting lacks CSRF protection

author David Lawrence <dlawrence@mozilla.com>

Mon, 24 Jan 2011 19:20:21 +0000 (14:20 -0500)

committer David Lawrence <dlawrence@mozilla.com>

Mon, 24 Jan 2011 19:20:21 +0000 (14:20 -0500)
author David Lawrence <dlawrence@mozilla.com>
Mon, 24 Jan 2011 19:20:21 +0000 (14:20 -0500)
committer David Lawrence <dlawrence@mozilla.com>
Mon, 24 Jan 2011 19:20:21 +0000 (14:20 -0500)
diff --git a/template/en/default/bug/votes/delete-all.html.tmpl b/template/en/default/bug/votes/delete-all.html.tmpl

index 41b75123dd5011614ce54bbb9a7575dcfe257032..f6382b6d34613b3cf692f8c6adec953b0c2686df 100644 (file)
--- a/template/en/default/bug/votes/delete-all.html.tmpl
+++ b/template/en/default/bug/votes/delete-all.html.tmpl
@@ -35,6 +35,7 @@
  
  <form action="votes.cgi" method="post">
      <input type="hidden" name="action" value="vote">
+  <input type="hidden" name="token" value="[% issue_hash_token(['vote']) FILTER html %]"> 
    <p>
      <input type="radio" name="delete_all_votes" value="1">
      Yes, delete all my votes
diff --git a/template/en/default/bug/votes/list-for-user.html.tmpl b/template/en/default/bug/votes/list-for-user.html.tmpl

index 50dff7d5ea4ea811acc3536e32ae4aab2ec4449e..9629b8e5864b8a69afc23aa9857c901becf0f062 100644 (file)
--- a/template/en/default/bug/votes/list-for-user.html.tmpl
+++ b/template/en/default/bug/votes/list-for-user.html.tmpl
@@ -74,6 +74,7 @@
  [% IF products.size %]
    <form name="voting_form" method="post" action="votes.cgi">
      <input type="hidden" name="action" value="vote">
+    <input type="hidden" name="token" value="[% issue_hash_token(['vote']) FILTER html %]">
      <table cellspacing="4">
        <tr>
          <td></td>
diff --git a/votes.cgi b/votes.cgi

index 1c72431c45e7a8b3b8a0a853292a88ab60c1c2a6..de0cc0a48e4656289cd9ad9d8b703fa5ce6968f8 100755 (executable)
--- a/votes.cgi
+++ b/votes.cgi
@@ -34,6 +34,7 @@ use Bugzilla::Error;
  use Bugzilla::Bug;
  use Bugzilla::User;
  use Bugzilla::Product;
+use Bugzilla::Token;
  
  use List::Util qw(min);
  
@@ -263,6 +264,9 @@ sub record_votes {
          || ThrowUserError("votes_must_be_nonnegative");
      }
  
+    my $token = $cgi->param('token');
+    check_hash_token($token, ['vote']);
+
      ############################################################################
      # End Data/Security Validation
      ############################################################################
author	David Lawrence <dlawrence@mozilla.com>
	Mon, 24 Jan 2011 19:20:21 +0000 (14:20 -0500)
committer	David Lawrence <dlawrence@mozilla.com>
	Mon, 24 Jan 2011 19:20:21 +0000 (14:20 -0500)
template/en/default/bug/votes/delete-all.html.tmpl		patch \| blob \| blame \| history
template/en/default/bug/votes/list-for-user.html.tmpl		patch \| blob \| blame \| history
votes.cgi		patch \| blob \| blame \| history