Bug 706271: CSRF vulnerability in token.cgi allows possible unauthorized…

Bug 706271: CSRF vulnerability in token.cgi allows possible unauthorized password reset e-mail request r=reed a=LpSolit

Bug 706271: CSRF vulnerability in token.cgi allows possible unauthorized…
aefdf269 · Frédéric Buclin · 27c63156 · aefdf269 · aefdf269 · aefdf269
Commit aefdf269 authored Aug 06, 2012 by Frédéric Buclin
Showing with 10 additions and 3 deletions

login-small.html.tmpl template/en/default/account/auth/login-small.html.tmpl +4 -3

login.html.tmpl template/en/default/account/auth/login.html.tmpl +1 -0

token.cgi token.cgi +5 -0

No files found.
--- a/template/en/default/account/auth/login-small.html.tmpl
+++ b/template/en/default/account/auth/login-small.html.tmpl
@@ -20,8 +20,8 @@
  [% IF cgi.request_method == "GET" AND cgi.query_string %]
    [% connector = "&" %]
  [% END %]
-  [% script_name = login_target _ connector _ "GoAheadAndLogIn=1" %]
-  <a id="login_link[% qs_suffix %]" href="[% script_name FILTER html %]"
+  [% script_url = login_target _ connector _ "GoAheadAndLogIn=1" %]
+  <a id="login_link[% qs_suffix %]" href="[% script_url FILTER html %]"
     onclick="return show_mini_login_form('[% qs_suffix %]')">Log In</a>

  [% Hook.process('additional_methods') %]
@@ -98,7 +98,7 @@
 </li>
 <li id="forgot_container[% qs_suffix %]">
  <span class="separator">| </span>
-  <a id="forgot_link[% qs_suffix %]" href="[% script_name FILTER html %]#forgot"
+  <a id="forgot_link[% qs_suffix %]" href="[% script_url FILTER html %]#forgot"
     onclick="return show_forgot_form('[% qs_suffix %]')">Forgot Password</a>
  <form action="token.cgi" method="post" id="forgot_form[% qs_suffix %]"
        class="mini_forgot bz_default_hidden">
@@ -107,6 +107,7 @@
    <input id="forgot_button[% qs_suffix %]" value="Reset Password" 
           type="submit">
    <input type="hidden" name="a" value="reqpw">
+    <input type="hidden" id="token" name="token" value="[% issue_hash_token(['reqpw']) FILTER html %]">
    <a href="#" onclick="return hide_forgot_form('[% qs_suffix %]')">[x]</a>
  </form>
 </li>
--- a/template/en/default/account/auth/login.html.tmpl
+++ b/template/en/default/account/auth/login.html.tmpl
@@ -108,6 +108,7 @@
      enter your login name below and submit a request
      to change your password.<br>
      <input size="35" name="loginname">
+      <input type="hidden" id="token" name="token" value="[% issue_hash_token(['reqpw']) FILTER html %]">
      <input type="submit" id="request" value="Reset Password">
    </form>
  [% END %]

--- a/token.cgi
+++ b/token.cgi
@@ -114,6 +114,11 @@ sub requestChangePassword {
    Bugzilla->user->authorizer->can_change_password
      || ThrowUserError("password_change_requests_not_allowed");

+    # Check the hash token to make sure this user actually submitted
+    # the forgotten password form.
+    my $token = $cgi->param('token');
+    check_hash_token($token, ['reqpw']);
+
    my $login_name = $cgi->param('loginname')
      or ThrowUserError("login_needed_for_password_change");