Commit aefdf269 authored by Frédéric Buclin

Bug 706271: CSRF vulnerability in token.cgi allows possible unauthorized…

Bug 706271: CSRF vulnerability in token.cgi allows possible unauthorized password reset e-mail request r=reed a=LpSolit
parent 27c63156
...@@ -20,8 +20,8 @@ ...@@ -20,8 +20,8 @@
[% IF cgi.request_method == "GET" AND cgi.query_string %] [% IF cgi.request_method == "GET" AND cgi.query_string %]
[% connector = "&" %] [% connector = "&" %]
[% END %] [% END %]
[% script_name = login_target _ connector _ "GoAheadAndLogIn=1" %] [% script_url = login_target _ connector _ "GoAheadAndLogIn=1" %]
<a id="login_link[% qs_suffix %]" href="[% script_name FILTER html %]" <a id="login_link[% qs_suffix %]" href="[% script_url FILTER html %]"
onclick="return show_mini_login_form('[% qs_suffix %]')">Log In</a> onclick="return show_mini_login_form('[% qs_suffix %]')">Log In</a>
[% Hook.process('additional_methods') %] [% Hook.process('additional_methods') %]
...@@ -98,7 +98,7 @@ ...@@ -98,7 +98,7 @@
</li> </li>
<li id="forgot_container[% qs_suffix %]"> <li id="forgot_container[% qs_suffix %]">
<span class="separator">| </span> <span class="separator">| </span>
<a id="forgot_link[% qs_suffix %]" href="[% script_name FILTER html %]#forgot" <a id="forgot_link[% qs_suffix %]" href="[% script_url FILTER html %]#forgot"
onclick="return show_forgot_form('[% qs_suffix %]')">Forgot Password</a> onclick="return show_forgot_form('[% qs_suffix %]')">Forgot Password</a>
<form action="token.cgi" method="post" id="forgot_form[% qs_suffix %]" <form action="token.cgi" method="post" id="forgot_form[% qs_suffix %]"
class="mini_forgot bz_default_hidden"> class="mini_forgot bz_default_hidden">
...@@ -107,6 +107,7 @@ ...@@ -107,6 +107,7 @@
<input id="forgot_button[% qs_suffix %]" value="Reset Password" <input id="forgot_button[% qs_suffix %]" value="Reset Password"
type="submit"> type="submit">
<input type="hidden" name="a" value="reqpw"> <input type="hidden" name="a" value="reqpw">
<input type="hidden" id="token" name="token" value="[% issue_hash_token(['reqpw']) FILTER html %]">
<a href="#" onclick="return hide_forgot_form('[% qs_suffix %]')">[x]</a> <a href="#" onclick="return hide_forgot_form('[% qs_suffix %]')">[x]</a>
</form> </form>
</li> </li>
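Review bot: The hidden field added in this hunk uses a fixed `id="token"`, while every other element of this mini form (`forgot_form[% qs_suffix %]`, `forgot_button[% qs_suffix %]`) carries `qs_suffix` so the template can be rendered more than once on a page; a second instance would produce a duplicate id. Nothing in the hunk reads the id, so either drop it or suffix it: `<input type="hidden" id="token[% qs_suffix %]" name="token" value="[% issue_hash_token(['reqpw']) FILTER html %]">`. The enclosing `<form>` opens in the previous hunk (with `method="post"`), and the `</form>` shown here closes it, so the field does sit inside the posted form.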
...@@ -108,6 +108,7 @@ ...@@ -108,6 +108,7 @@
enter your login name below and submit a request enter your login name below and submit a request
to change your password.<br> to change your password.<br>
<input size="35" name="loginname"> <input size="35" name="loginname">
<input type="hidden" id="token" name="token" value="[% issue_hash_token(['reqpw']) FILTER html %]">
<input type="submit" id="request" value="Reset Password"> <input type="submit" id="request" value="Reset Password">
</form> </form>
[% END %] [% END %]
......
...@@ -114,6 +114,11 @@ sub requestChangePassword { ...@@ -114,6 +114,11 @@ sub requestChangePassword {
Bugzilla->user->authorizer->can_change_password Bugzilla->user->authorizer->can_change_password
|| ThrowUserError("password_change_requests_not_allowed"); || ThrowUserError("password_change_requests_not_allowed");
# Check the hash token to make sure this user actually submitted
# the forgotten password form.
my $token = $cgi->param('token');
check_hash_token($token, ['reqpw']);
my $login_name = $cgi->param('loginname') my $login_name = $cgi->param('loginname')
or ThrowUserError("login_needed_for_password_change"); or ThrowUserError("login_needed_for_password_change");
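Review bot: The added `check_hash_token($token, ['reqpw'])` is the entire CSRF defense for this path, and its strength depends on what `issue_hash_token` binds the token to, which is not visible here; password-reset requests are made while logged out, so if the hash covers only the (anonymous) user id, the data and a timestamp, a remote page can fetch a fresh token from the login form and replay it, leaving the expiry window and the site secret as the only barrier. That limitation is worth recording next to the check, e.g. `# The token proves the request came from a form we issued recently; for anonymous callers it is not bound to a session, so it narrows rather than closes the cross-site window.` — hedged on the token implementation, which should be confirmed. `$cgi->param('token')` may also be undef when the parameter is missing; presumably `check_hash_token` rejects that itself, but if it does not, an explicit `ThrowUserError` before the call is cheaper than relying on it. `requestChangePassword` begins before this hunk and continues after it.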
......