Bug 621109: Column changing lacks CSRF protection

colchange.cgi

@@ -33,6 +33,7 @@ use Bugzilla::CGI;
 use Bugzilla::Search::Saved;
 use Bugzilla::Error;
 use Bugzilla::User;
+use Bugzilla::Token;
 
 use Storable qw(dclone);
 
@@ -86,6 +87,19 @@ $vars->{'columns'} = $columns;
 
 my @collist;
 if (defined $cgi->param('rememberedquery')) {
+    my $search;
+    if (defined $cgi->param('saved_search')) {
+        $search = new Bugzilla::Search::Saved($cgi->param('saved_search'));
+    }
+
+    my $token = $cgi->param('token');
+    if ($search) {
+        check_hash_token($token, [$search->id, $search->name]);
+    }
+    else {
+        check_hash_token($token, ['default-list']);
+    }
+
     my $splitheader = 0;
     if (defined $cgi->param('resetit')) {
         @collist = DEFAULT_COLUMN_LIST;
@@ -123,11 +137,6 @@ if (defined $cgi->param('rememberedquery')) {
 
     $vars->{'message'} = "change_columns";
 
-    my $search;
-    if (defined $cgi->param('saved_search')) {
-        $search = new Bugzilla::Search::Saved($cgi->param('saved_search'));
-    }
-
     if ($cgi->param('save_columns_for_search')
         && defined $search && $search->user->id == Bugzilla->user->id) 
     {

template/en/default/list/change-columns.html.tmpl

@@ -121,11 +121,16 @@
     <p>
       <input type="hidden" name="saved_search"
              value="[% saved_search.id FILTER html%]" >
+      <input type="hidden" name="token"
+             value="[% issue_hash_token([saved_search.id, saved_search.name]) FILTER html %]">
       <input type="checkbox" id="save_columns_for_search" checked="checked" 
              name="save_columns_for_search" value="1">
       <label for="save_columns_for_search">Save this column list only 
         for search '[% saved_search.name FILTER html %]'</label>
     </p>
+  [% ELSE %]
+    <input type="hidden" name="token"
+           value="[% issue_hash_token(['default-list']) FILTER html %]">
   [% END %]
 
   <p>