Bug 621110: [SECURITY] Quips (adding/approving/deleting) lacks CSRF protection

r=dkl a=LpSolit

Bug 621110: [SECURITY] Quips (adding/approving/deleting) lacks CSRF protection
fee4dfba · Frédéric Buclin · 10b4a926 · fee4dfba · fee4dfba
Commit fee4dfba authored Jan 24, 2011 by Frédéric Buclin
Hide whitespace changes
Inline Side-by-side

Showing with 12 additions and 2 deletions

quips.cgi quips.cgi +6 -1

quips.html.tmpl template/en/default/list/quips.html.tmpl +6 -1

No files found.
--- a/quips.cgi
+++ b/quips.cgi
@@ -32,6 +32,7 @@ use Bugzilla::Constants;
 use Bugzilla::Util;
 use Bugzilla::Error;
 use Bugzilla::User;
+use Bugzilla::Token;

 my $user = Bugzilla->login(LOGIN_REQUIRED);

@@ -41,6 +42,7 @@ my $template = Bugzilla->template;
 my $vars = {};

 my $action = $cgi->param('action') || "";
+my $token = $cgi->param('token');

 if ($action eq "show") {
    # Read in the entire quip list
@@ -74,6 +76,7 @@ if ($action eq "add") {
    (Bugzilla->params->{'quip_list_entry_control'} eq "closed") &&
      ThrowUserError("no_new_quips");

+    check_hash_token($token, ['create-quips']);
    # Add the quip 
    my $approved = (Bugzilla->params->{'quip_list_entry_control'} eq "open")
                   || Bugzilla->user->in_group('admin') || 0;
@@ -92,7 +95,8 @@ if ($action eq 'approve') {
      || ThrowUserError("auth_failure", {group  => "admin",
                                         action => "approve",
                                         object => "quips"});
- 
+
+    check_hash_token($token, ['approve-quips']);
    # Read in the entire quip list
    my $quipsref = $dbh->selectall_arrayref("SELECT quipid, approved FROM quips");
    
@@ -134,6 +138,7 @@ if ($action eq "delete") {
    my $quipid = $cgi->param("quipid");
    ThrowCodeError("need_quipid") unless $quipid =~ /(\d+)/; 
    $quipid = $1;
+    check_hash_token($token, ['quips', $quipid]);

    ($vars->{'deleted_quip'}) = $dbh->selectrow_array(
                                    "SELECT quip FROM quips WHERE quipid = ?",

--- a/template/en/default/list/quips.html.tmpl
+++ b/template/en/default/list/quips.html.tmpl
@@ -73,6 +73,8 @@

  <form method="post" action="quips.cgi">
    <input type="hidden" name="action" value="add">
+    <input type="hidden" name="token"
+           value="[% issue_hash_token(['create-quips']) FILTER html %]">
    <input size="80" name="quip">
    <p>
      <input type="submit" id="add" value="Add This Quip">
@@ -103,6 +105,8 @@
    </p>
    <form name="editform" method="post" action="quips.cgi">
      <input type="hidden" name="action" value="approve">
+      <input type="hidden" name="token"
+             value="[% issue_hash_token(['approve-quips']) FILTER html %]">
      <table border="1">
        <thead><tr>
          <th>Quip</th>
@@ -119,7 +123,8 @@
              [% "Unknown" IF NOT users.$userid %]
            </td>
            <td>
-              <a href="quips.cgi?action=delete&amp;quipid=[% quipid FILTER uri %]">
+              <a href="quips.cgi?action=delete&amp;quipid=[% quipid FILTER uri %]&amp;token=
+                 [%- issue_hash_token(['quips', quipid]) FILTER uri %]">
                Delete
              </a>
            </td>