From: Frédéric Buclin <LpSolit@gmail.com>
Date: Mon, 24 Jan 2011 17:07:31 +0000 (+0100)
Subject: Bug 621107: [SECURITY] Sanity checking lacks CSRF protection
X-Git-Tag: bugzilla-4.0rc2~9
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d6bfdca96894f1e317f2b68ca5133c170b2d1230;p=thirdparty%2Fbugzilla.git

Bug 621107: [SECURITY] Sanity checking lacks CSRF protection
r=dkl a=LpSolit
---

diff --git a/extensions/Example/template/en/default/hook/admin/sanitycheck/messages-statuses.html.tmpl b/extensions/Example/template/en/default/hook/admin/sanitycheck/messages-statuses.html.tmpl
index 8a825e57ce..0ad1f0be5a 100644
--- a/extensions/Example/template/en/default/hook/admin/sanitycheck/messages-statuses.html.tmpl
+++ b/extensions/Example/template/en/default/hook/admin/sanitycheck/messages-statuses.html.tmpl
@@ -27,7 +27,8 @@
     <a href="editusers.cgi?id=[% userid FILTER none %]">Edit this user</a>.
   [% END %]
 [% ELSIF san_tag == "example_check_au_user_prompt" %]
-  <a href="sanitycheck.cgi?example_repair_au_user=1">Fix these users</a>.
+  <a href="sanitycheck.cgi?example_repair_au_user=1&amp;token=
+     [%- issue_hash_token(['sanitycheck']) FILTER url_quote %]">Fix these users</a>.
 [% ELSIF san_tag == "example_repair_au_user_start" %]
   <em>EXAMPLE PLUGIN</em> - OK, would now make users Australian.
 [% ELSIF san_tag == "example_repair_au_user_end" %]
diff --git a/extensions/Voting/template/en/default/hook/admin/sanitycheck/messages-statuses.html.tmpl b/extensions/Voting/template/en/default/hook/admin/sanitycheck/messages-statuses.html.tmpl
index afb81d34c4..f030922b2e 100644
--- a/extensions/Voting/template/en/default/hook/admin/sanitycheck/messages-statuses.html.tmpl
+++ b/extensions/Voting/template/en/default/hook/admin/sanitycheck/messages-statuses.html.tmpl
@@ -19,7 +19,8 @@
   #%]
 
 [% IF san_tag == "voting_cache_rebuild_fix" %]
-    <a href="sanitycheck.cgi?rebuild_vote_cache=1">Click here to
+    <a href="sanitycheck.cgi?rebuild_vote_cache=1&amp;token=
+       [%- issue_hash_token(['sanitycheck']) FILTER url_quote %]">Click here to
     rebuild the vote cache</a>
 
 [% ELSIF san_tag == "voting_cache_alert" %]
diff --git a/sanitycheck.cgi b/sanitycheck.cgi
index 63872bd499..bd022df73a 100755
--- a/sanitycheck.cgi
+++ b/sanitycheck.cgi
@@ -35,6 +35,7 @@ use Bugzilla::Error;
 use Bugzilla::Hook;
 use Bugzilla::Util;
 use Bugzilla::Status;
+use Bugzilla::Token;
 
 ###########################################################################
 # General subs
@@ -79,6 +80,15 @@ if (Bugzilla->usage_mode == USAGE_MODE_CMDLINE) {
 }
 else {
     $template = Bugzilla->template;
+
+    # Only check the token if we are running this script from the
+    # web browser and a parameter is passed to the script.
+    # XXX - Maybe these two parameters should be deleted once logged in?
+    $cgi->delete('GoAheadAndLogIn', 'Bugzilla_restrictlogin');
+    if (scalar($cgi->param())) {
+        my $token = $cgi->param('token');
+        check_hash_token($token, ['sanitycheck']);
+    }
 }
 my $vars = {};
 
diff --git a/template/en/default/admin/sanitycheck/messages.html.tmpl b/template/en/default/admin/sanitycheck/messages.html.tmpl
index 5c2b2feb1b..8d8cd3583a 100644
--- a/template/en/default/admin/sanitycheck/messages.html.tmpl
+++ b/template/en/default/admin/sanitycheck/messages.html.tmpl
@@ -34,7 +34,8 @@
     [% errortext FILTER html %]: [% INCLUDE bug_list badbugs = badbugs %]
 
   [% ELSIF san_tag == "bug_check_repair" %]
-    <a href="sanitycheck.cgi?[% param FILTER url_quote %]=1">[% text FILTER html %]</a>.
+    <a href="sanitycheck.cgi?[% param FILTER url_quote %]=1&amp;token=
+       [%- issue_hash_token(['sanitycheck']) FILTER url_quote %]">[% text FILTER html %]</a>.
 
   [% ELSIF san_tag == "bug_check_creation_date" %]
     Checking for [% terms.bugs %] with no creation date (which makes them invisible).
@@ -136,11 +137,13 @@
     [% END %]
 
   [% ELSIF san_tag == "cross_check_attachment_has_references" %]
-    <a href="sanitycheck.cgi?remove_invalid_attach_references=1">Remove
+    <a href="sanitycheck.cgi?remove_invalid_attach_references=1&amp;token=
+       [%- issue_hash_token(['sanitycheck']) FILTER url_quote %]">Remove
     invalid references to non existent attachments.</a>
 
   [% ELSIF san_tag == "cross_check_bug_has_references" %]
-    <a href="sanitycheck.cgi?remove_invalid_bug_references=1">Remove
+    <a href="sanitycheck.cgi?remove_invalid_bug_references=1&amp;token=
+       [%- issue_hash_token(['sanitycheck']) FILTER url_quote %]">Remove
     invalid references to non existent [% terms.bugs %].</a>
 
   [% ELSIF san_tag == "double_cross_check_to" %]
@@ -186,7 +189,8 @@
     [%+ PROCESS bug_link bug_id = bug_id %].
 
   [% ELSIF san_tag == "flag_fix" %]
-    <a href="sanitycheck.cgi?remove_invalid_flags=1">Click
+    <a href="sanitycheck.cgi?remove_invalid_flags=1&amp;token=
+       [%- issue_hash_token(['sanitycheck']) FILTER url_quote %]">Click
     here to delete invalid flags</a>
 
   [% ELSIF san_tag == "group_control_map_entries_creation" %]
@@ -250,7 +254,8 @@
     half an hour: [% INCLUDE bug_list badbugs = badbugs %]
 
   [% ELSIF san_tag == "unsent_bugmail_fix" %]
-    <a href="sanitycheck.cgi?rescanallBugMail=1">Send these mails</a>.
+    <a href="sanitycheck.cgi?rescanallBugMail=1&amp;token=
+       [%- issue_hash_token(['sanitycheck']) FILTER url_quote %]">Send these mails</a>.
 
   [% ELSIF san_tag == "whines_obsolete_target_deletion_start" %]
     OK, now removing non-existent users/groups from whines.
@@ -268,7 +273,8 @@
     [% END %]
 
   [% ELSIF san_tag == "whines_obsolete_target_fix" %]
-    <a href="sanitycheck.cgi?remove_old_whine_targets=1">Click here to
+    <a href="sanitycheck.cgi?remove_old_whine_targets=1&amp;token=
+       [%- issue_hash_token(['sanitycheck']) FILTER url_quote %]">Click here to
     remove old users/groups</a>
 
   [% ELSE %]