From: lpsolit%gmail.com <>
Date: Mon, 2 Feb 2009 19:25:58 +0000 (+0000)
Subject: Bug 472362: [SECURITY] Malicious attachments can change your user settings (user... 
X-Git-Tag: bugzilla-2.22.7~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=412e4d815afa93d300a749a4562d6e7ab4b4416f;p=thirdparty%2Fbugzilla.git

Bug 472362: [SECURITY] Malicious attachments can change your user settings (user + email prefs, shared searches) - Patch by Frédéric Buclin <LpSolit@gmail.com> r=wicked a=LpSolit
---

diff --git a/template/en/default/account/prefs/prefs.html.tmpl b/template/en/default/account/prefs/prefs.html.tmpl
index 9cb66f7bd7..a753bffc5f 100644
--- a/template/en/default/account/prefs/prefs.html.tmpl
+++ b/template/en/default/account/prefs/prefs.html.tmpl
@@ -83,6 +83,7 @@
 [% IF current_tab.saveable %]
   <form name="userprefsform" method="post" action="userprefs.cgi">
     <input type="hidden" name="tab" value="[% current_tab.name %]">
+    <input type="hidden" name="token" value="[% token FILTER html %]">
 [% END %]
 
 [% PROCESS "account/prefs/${current_tab.name}.html.tmpl" 
diff --git a/userprefs.cgi b/userprefs.cgi
index 3dc68121ef..7e21dcb2cb 100755
--- a/userprefs.cgi
+++ b/userprefs.cgi
@@ -443,6 +443,9 @@ trick_taint($current_tab_name);
 
 $vars->{'current_tab_name'} = $current_tab_name;
 
+my $token = $cgi->param('token');
+check_token_data($token, 'edit_user_prefs') if $cgi->param('dosave');
+
 # Do any saving, and then display the current tab.
 SWITCH: for ($current_tab_name) {
     /^account$/ && do {
@@ -473,6 +476,11 @@ SWITCH: for ($current_tab_name) {
                    { current_tab_name => $current_tab_name });
 }
 
+delete_token($token) if $cgi->param('dosave');
+if ($current_tab_name ne 'permissions') {
+    $vars->{'token'} = issue_session_token('edit_user_prefs');
+}
+
 # Generate and return the UI (HTML page) from the appropriate template.
 print $cgi->header();
 $template->process("account/prefs/prefs.html.tmpl", $vars)