Bug 621105 - [SECURITY] Voting lacks CSRF protection

r=mkanat,a=LpSolit

Bug 621105 - [SECURITY] Voting lacks CSRF protection
ad1e3aef · David Lawrence · 9244270a · ad1e3aef · ad1e3aef · ad1e3aef
Commit ad1e3aef authored Jan 24, 2011 by David Lawrence
3 changed files
--- a/extensions/Voting/Extension.pm
+++ b/extensions/Voting/Extension.pm
@@ -36,6 +36,7 @@ use Bugzilla::Field;
 use Bugzilla::Mailer;
 use Bugzilla::User;
 use Bugzilla::Util qw(detaint_natural);
+use Bugzilla::Token;

 use List::Util qw(min);

@@ -529,6 +530,9 @@ sub _update_votes {
        || ThrowUserError("voting_must_be_nonnegative");
    }

+    my $token = $cgi->param('token');
+    check_hash_token($token, ['vote']);
+
    ############################################################################
    # End Data/Security Validation
    ############################################################################

--- a/extensions/Voting/template/en/default/pages/voting/user.html.tmpl
+++ b/extensions/Voting/template/en/default/pages/voting/user.html.tmpl
@@ -74,6 +74,7 @@
 [% IF products.size %]
  <form name="voting_form" method="post" action="page.cgi?id=voting/user.html">
    <input type="hidden" name="action" value="vote">
+    <input type="hidden" name="token" value="[% issue_hash_token(['vote']) FILTER html %]">
    <table cellspacing="4">
      <tr>
        <td></td>

--- a/extensions/Voting/template/en/default/voting/delete-all.html.tmpl
+++ b/extensions/Voting/template/en/default/voting/delete-all.html.tmpl
@@ -35,6 +35,7 @@

 <form action="page.cgi?id=voting/user.html" method="post">
    <input type="hidden" name="action" value="vote">
+    <input type="hidden" name="token" value="[% issue_hash_token(['vote']) FILTER html %]">
  <p>
    <input type="radio" name="delete_all_votes" value="1">
    Yes, delete all my votes