Bug 1446431 - Allow Baseline scan to ignore forms that dont need CSRF Tokens

The data-no-csrf attribute is used to signify that a form is 'safe' (ie
doesn't actually make any permanent changes) and so doesn't need an
anti-csrf token.

diff --git a/template/en/default/bug/choose.html.tmpl b/template/en/default/bug/choose.html.tmpl
index 9009d38738c6b2d81503041669687241a6933ebd..16a76ff02db520138f8e2bf853f8a1bbd5eee62f 100644 (file)
--- a/template/en/default/bug/choose.html.tmpl
+++ b/template/en/default/bug/choose.html.tmpl
@@ -24,7 +24,7 @@
    title = "Search by $terms.bug number"
  %]
 
-<form method="get" action="show_bug.cgi">
+<form method="get" action="show_bug.cgi" data-no-csrf>
   <p>
     You may find a single [% terms.bug %] by entering its [% terms.bug %] id here:
     <input name="id" size="6">

diff --git a/template/en/default/global/header.html.tmpl b/template/en/default/global/header.html.tmpl
index ded28d1860235518ebf452578f8c0ca32b0dd11b..1d304ad04cf1b91548c9a7c75225f70408e62386 100644 (file)
--- a/template/en/default/global/header.html.tmpl
+++ b/template/en/default/global/header.html.tmpl
@@ -244,7 +244,7 @@
 <header id="header" role="banner">
   <div class="inner">
     <h1 id="header-title" class="title"><a href="./" title="Go to home page">[% terms.Bugzilla %]</a></h1>
-    <form role="search" id="header-search" class="quicksearch" action="buglist.cgi">
+    <form role="search" id="header-search" class="quicksearch" action="buglist.cgi" data-no-csrf>
       <section class="searchbox-outer dropdown" role="combobox" aria-expanded="false" aria-haspopup="listbox"
                aria-owns="header-search-dropdown">
         <h2>Quick Search</h2>

diff --git a/template/en/default/index.html.tmpl b/template/en/default/index.html.tmpl
index 3c42ce71eff4b6f438ff88ad30e36a516ee786c2..97659e6a85895e27b9a897a38af5b4333158bfce 100644 (file)
--- a/template/en/default/index.html.tmpl
+++ b/template/en/default/index.html.tmpl
@@ -53,7 +53,7 @@
              href="?GoAheadAndLogIn=1"><span>Log In</span></a>
            [% END %]
 
-        <form id="quicksearchForm" name="quicksearchForm" action="buglist.cgi">
+        <form id="quicksearchForm" name="quicksearchForm" action="buglist.cgi" data-no-csrf>
           <div>
             <input id="quicksearch_main" type="text" name="quicksearch" autofocus
               placeholder="Enter [% terms.abug %] number or some search terms"

diff --git a/template/en/default/list/change-columns.html.tmpl b/template/en/default/list/change-columns.html.tmpl
index 8edd21aee550aca373f5e141206ea7c95690e840..d1aada24c40db51aa498fa67a31c324f6ca80e66 100644 (file)
--- a/template/en/default/list/change-columns.html.tmpl
+++ b/template/en/default/list/change-columns.html.tmpl
@@ -51,7 +51,7 @@
   [% available_columns.$column_desc = column %]
 [% END %]
 
-<form name="changecolumns" action="colchange.cgi" onsubmit="change_submit();">
+<form name="changecolumns" action="colchange.cgi" onsubmit="change_submit();" data-no-csrf>
   <input type="hidden" name="rememberedquery" value="[% buffer FILTER html %]">
     <table>
       <tr>

diff --git a/template/en/default/list/list.html.tmpl b/template/en/default/list/list.html.tmpl
index c17512c790c96e8b9782076a857cad0f25550189..8fcb8a7acfc877e319675cce133ddaed778c24c3 100644 (file)
--- a/template/en/default/list/list.html.tmpl
+++ b/template/en/default/list/list.html.tmpl
@@ -175,14 +175,14 @@
   <tr>
     [% IF bugs.size > 0 %]
       <td valign="middle" class="bz_query_buttons">
-        <form method="post" action="show_bug.cgi">
+        <form method="post" action="show_bug.cgi" data-no-csrf>
           [% FOREACH id = buglist %]
             <input type="hidden" name="id" value="[% id FILTER html %]">
           [% END %]
           <input type="hidden" name="format" value="multiple">
           <input type="submit" id="long_format" value="Long Format">
         </form>
-        <form method="post" action="show_bug.cgi">
+        <form method="post" action="show_bug.cgi" data-no-csrf>
             <input type="hidden" name="ctype" value="xml">
           [% FOREACH id = buglist %]
             <input type="hidden" name="id" value="[% id FILTER html %]">
@@ -192,7 +192,7 @@
         </form>
 
         [% IF user.is_timetracker %]
-          <form method="post" action="summarize_time.cgi">
+          <form method="post" action="summarize_time.cgi" data-no-csrf>
             <input type="hidden" name="id" value="[% buglist_joined FILTER html %]">
             <input type="submit" id="timesummary" value="Time Summary">
           </form>

diff --git a/template/en/default/pages/quicksearch.html.tmpl b/template/en/default/pages/quicksearch.html.tmpl
index 759f4ea8c04a30c7ebdebcec2209ab6b2d286086..28062b5357264ad6a4d3493a43482ac5c722fb0b 100644 (file)
--- a/template/en/default/pages/quicksearch.html.tmpl
+++ b/template/en/default/pages/quicksearch.html.tmpl
@@ -31,7 +31,7 @@
 <p>Type in one or more words (or pieces of words) to search for:</p>
 
 <form name="f" action="buglist.cgi" method="get"
-      class='quicksearch_check_empty'>
+      class='quicksearch_check_empty' data-no-csrf>
   <input type="text" size="40" name="quicksearch">
   <input type="submit" value="Search" id="find">
 </form>

diff --git a/template/en/default/reports/duplicates.html.tmpl b/template/en/default/reports/duplicates.html.tmpl
index ff1c271fe7343c6c38418c42322238132c044c6e..ed3e7b8ac43ef258e707c2946d94f730318365c9 100644 (file)
--- a/template/en/default/reports/duplicates.html.tmpl
+++ b/template/en/default/reports/duplicates.html.tmpl
@@ -60,7 +60,7 @@
 
 <h3 id="params">Change Parameters</h3>
 
-<form method="get" action="duplicates.cgi">
+<form method="get" action="duplicates.cgi" data-no-csrf>
   <input type="hidden" name="sortby" value="[% sortby FILTER html %]">
   <input type="hidden" name="reverse" value="[% reverse FILTER html %]">
   <input type="hidden" name="bug_id" value="[% bug_ids_string FILTER html %]">
@@ -127,7 +127,7 @@
   <input type="submit" id="change" value="Change">
 </form>
 
-<form method="post" action="buglist.cgi">
+<form method="post" action="buglist.cgi" data-no-csrf>
   <input type="hidden" name="bug_id" value="[% bug_ids_string FILTER html %]">
   Or just give this to me as a <input type="submit" id="list" 
                                       value="[% terms.bug %] list">.

diff --git a/template/en/default/reports/old-charts.html.tmpl b/template/en/default/reports/old-charts.html.tmpl
index 4bdc0cffa3f41bb2093238a1796b3d51447b7ecb..38e17121b35626201010c7631e1d6367e2086d7a 100644 (file)
--- a/template/en/default/reports/old-charts.html.tmpl
+++ b/template/en/default/reports/old-charts.html.tmpl
@@ -32,7 +32,7 @@
     <img src="[% url_image FILTER html %]">
     <br clear="both">
   [% ELSE %]
-    <form id="choose_product" method="get" action="reports.cgi">
+    <form id="choose_product" method="get" action="reports.cgi" data-no-csrf>
       <table border="1" cellpadding="5" cellspacing="2">
         <tr>
           <th>Product:</th>

diff --git a/template/en/default/search/search-advanced.html.tmpl b/template/en/default/search/search-advanced.html.tmpl
index 60f47a916fa157b399f0499de83c2cca6c6d5031..b519067741f9e1c97fac6ccf78a940d3ec54c844 100644 (file)
--- a/template/en/default/search/search-advanced.html.tmpl
+++ b/template/en/default/search/search-advanced.html.tmpl
@@ -60,7 +60,7 @@ function remove_token() {
 <p id="search_help">Hover your mouse over each field label to get help for that field.</p>
 
 <form method="post" action="buglist.cgi" name="queryform" id="queryform"
-      onsubmit="remove_token()">
+      onsubmit="remove_token()" data-no-csrf>
 
 [% PROCESS search/form.html.tmpl %]
 

diff --git a/template/en/default/search/search-google.html.tmpl b/template/en/default/search/search-google.html.tmpl
index ad45cce94a4af34b19da81e210864d65d741ecec..7fdc1daaa102cd671d60a4fcadc4d28fb6dd61d5 100644 (file)
--- a/template/en/default/search/search-google.html.tmpl
+++ b/template/en/default/search/search-google.html.tmpl
@@ -31,7 +31,7 @@
   Google only indexes publicly viewable [% terms.bugs %] and all may not be represented.
 <p>
 
-<form method="get" action="https://www.google.com/search">
+<form method="get" action="https://www.google.com/search" data-no-csrf>
 <input type="hidden" name="sitesearch" value="bugzilla.mozilla.org">
   <nobr>
     <input type="text" name="q" size="60" maxlength="255" value="">

diff --git a/template/en/default/search/search-specific.html.tmpl b/template/en/default/search/search-specific.html.tmpl
index 3b4cc35149a4d69ad8fa3e488c4be21e8cd6893f..be314101f694a4044da2f0a18834ac7645106037 100644 (file)
--- a/template/en/default/search/search-specific.html.tmpl
+++ b/template/en/default/search/search-specific.html.tmpl
@@ -39,7 +39,7 @@ For example, if the [% terms.bug %] you are looking for is a browser crash when
 for "crash secure SSL flash".
 </p>
 
-<form name="queryform" method="get" action="buglist.cgi">
+<form name="queryform" method="get" action="buglist.cgi" data-no-csrf>
 <input type="hidden" name="query_format" value="specific">
 <input type="hidden" name="order" value="relevance desc">