From 412e4d815afa93d300a749a4562d6e7ab4b4416f Mon Sep 17 00:00:00 2001
From: "lpsolit%gmail.com" <>
Date: Mon, 2 Feb 2009 19:25:58 +0000
Subject: [PATCH] =?utf8?q?Bug=20472362:=20[SECURITY]=20Malicious=20attachm?= =?utf8?q?ents=20can=20change=20your=20user=20settings=20(user=20+=20email?= =?utf8?q?=20prefs,=20shared=20searches)=20-=20Patch=20by=20Fr=C3=83=C2=A9?= =?utf8?q?d=C3=83=C2=A9ric=20Buclin=20=20r=3Dwicked=20a?= =?utf8?q?=3DLpSolit?=
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

---
 template/en/default/account/prefs/prefs.html.tmpl | 1 +
 userprefs.cgi | 8 ++++++++
 2 files changed, 9 insertions(+)

diff --git a/template/en/default/account/prefs/prefs.html.tmpl b/template/en/default/account/prefs/prefs.html.tmpl
index 9cb66f7bd7..a753bffc5f 100644
--- a/template/en/default/account/prefs/prefs.html.tmpl
+++ b/template/en/default/account/prefs/prefs.html.tmpl
@@ -83,6 +83,7 @@ [% IF current_tab.saveable %]
+ [% END %] [% PROCESS "account/prefs/${current_tab.name}.html.tmpl"
diff --git a/userprefs.cgi b/userprefs.cgi
index 3dc68121ef..7e21dcb2cb 100755
--- a/userprefs.cgi
+++ b/userprefs.cgi
@@ -443,6 +443,9 @@ trick_taint($current_tab_name);
 
 $vars->{'current_tab_name'} = $current_tab_name;
 
+my $token = $cgi->param('token');
+check_token_data($token, 'edit_user_prefs') if $cgi->param('dosave');
+
 # Do any saving, and then display the current tab.
 SWITCH: for ($current_tab_name) {
 /^account$/ && do {
@@ -473,6 +476,11 @@ SWITCH: for ($current_tab_name) {
 { current_tab_name => $current_tab_name });
 }
 
+delete_token($token) if $cgi->param('dosave');
+if ($current_tab_name ne 'permissions') {
+ $vars->{'token'} = issue_session_token('edit_user_prefs');
+}
+
 # Generate and return the UI (HTML page) from the appropriate template.
 print $cgi->header();
 $template->process("account/prefs/prefs.html.tmpl", $vars)
-- 
2.47.2
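Review bot: The `ne 'permissions'` test in the second userprefs.cgi hunk hard-codes which tab is exempt from receiving a token, while the template decides whether to render the save form from `current_tab.saveable`; if another read-only tab is added, or a tab's saveable status changes, the two sites can drift and a saveable tab would render its form without a token, which the new check_token_data() call would then reject on save. A comment at the `if` should record the reason for the exemption, e.g. `# The permissions tab presumably has no save form, so it needs no token (keep in sync with current_tab.saveable in prefs.html.tmpl).` Also, `$cgi->param('dosave')` is re-read in three places across both hunks; reading it once next to `my $token` as `my $dosave = $cgi->param('dosave');` and using `$dosave` for both the check and the delete_token() call would keep the token's validation and its consumption visibly paired. Both hunks sit in top-level script code that continues outside the patch.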