From: David Lawrence
Date: Mon, 24 Jan 2011 16:58:48 +0000 (+0100)
Subject: Bug 621090: [SECURITY] Adding saved searches lacks CSRF protection
X-Git-Tag: bugzilla-4.0rc2~10
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=40ebd15bdc471b9ac51fce600ac4cb55ef47ca5a;p=thirdparty%2Fbugzilla.git
Bug 621090: [SECURITY] Adding saved searches lacks CSRF protection r=mkanat a=justdave
---
diff --git a/buglist.cgi b/buglist.cgi
index 1b00148f02..788f28c956 100755
--- a/buglist.cgi
+++ b/buglist.cgi
@@ -504,6 +504,8 @@ elsif (($cmdtype eq "doit") && defined $cgi->param('remtype')) {
 my $query_name = $cgi->param('newqueryname');
 my $new_query = $cgi->param('newquery');
 my $query_type = QUERY_LIST;
+ my $token = $cgi->param('token');
+ check_hash_token($token, ['savedsearch']);
 # If list_of_bugs is true, we are adding/removing individual bugs
 # to a saved search. We get the existing list of bug IDs (if any)
 # and add/remove the passed ones.
diff --git a/template/en/default/global/per-bug-queries.html.tmpl b/template/en/default/global/per-bug-queries.html.tmpl
index 3c62e35f54..a7c073ba1f 100644
--- a/template/en/default/global/per-bug-queries.html.tmpl
+++ b/template/en/default/global/per-bug-queries.html.tmpl
@@ -63,6 +63,7 @@ + +
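Review bot: In the buglist.cgi hunk, the new `check_hash_token($token, ['savedsearch']);` is unconditional for this branch, yet the only form this commit updates is per-bug-queries.html.tmpl. Any other template or link that submits a saved-search request to this code path must carry a matching `token` too, otherwise it will now be rejected; the hunks shown cannot confirm this, so the remaining entry points are worth checking. The token is bound only to the fixed label `savedsearch`, so it appears that one valid token authorises any saved-search change handled here for as long as it remains valid. A short comment above the check would record that intent, for example `# CSRF guard: the submitting form must supply a token issued for 'savedsearch'`. Since `$cgi->param('token')` accepts the value from the query string as well as the request body, it is also worth confirming that the forms submit via POST so the token stays out of URLs, logs and Referer headers. The enclosing `elsif` block starts and ends outside the hunk.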