authorFrédéric Buclin <LpSolit@gmail.com>2011-01-24 18:17:45 +0100
committerFrédéric Buclin <LpSolit@gmail.com>2011-01-24 18:17:45 +0100
commit6f8f6aba3517ae72e4eb298cd3fac13db80f1814 (patch)
tree9f421dce4eab00b5731c39df1bf80ce651359fce /chart.cgi
parentBug 627930 - Release Notes for Bugzilla 3.4.10 (diff)
downloadbugzilla-6f8f6aba3517ae72e4eb298cd3fac13db80f1814.tar.gz
bugzilla-6f8f6aba3517ae72e4eb298cd3fac13db80f1814.tar.bz2
bugzilla-6f8f6aba3517ae72e4eb298cd3fac13db80f1814.zip
Bug 621108: [SECURITY] Creating/editing charts lacks CSRF protection
r=dkl a=LpSolit
Diffstat (limited to 'chart.cgi')
-rwxr-xr-xchart.cgi11
1 files changed, 9 insertions, 2 deletions
diff --git a/chart.cgi b/chart.cgi
index ab145c42a..61745ab77 100755
--- a/chart.cgi
+++ b/chart.cgi
@@ -52,6 +52,7 @@ use Bugzilla::Util;
use Bugzilla::Chart;
use Bugzilla::Series;
use Bugzilla::User;
+use Bugzilla::Token;
# For most scripts we don't make $cgi and $template global variables. But
# when preparing Bugzilla for mod_perl, this script used these
@@ -138,7 +139,9 @@ elsif ($action eq "wrap") {
}
elsif ($action eq "create") {
assertCanCreate($cgi);
-
+ my $token = $cgi->param('token');
+ check_hash_token($token, ['create-series']);
+
my $series = new Bugzilla::Series($cgi);
if (!$series->existsInDatabase()) {
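Review bot: The new `check_hash_token($token, ['create-series'])` after `assertCanCreate($cgi)` carries no comment saying what it protects, and because the token is bound only to the fixed label rather than to the submitted series fields a reader may take it for input validation, which it is not; it only establishes that the request originated from the create form. Suggest `# CSRF check: the token only proves the request came from our own create form; it does not validate the series fields.` above the `my $token` line. The template that must emit the matching token (presumably via `issue_hash_token` with the same `'create-series'` label) is outside this diffstat, which is limited to chart.cgi, so the pairing cannot be confirmed here. The same `my $token = $cgi->param('token');` line is repeated in the "alter" hunk below; reading it once near the other param handling would avoid the duplication.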
@@ -168,7 +171,11 @@ elsif ($action eq "alter") {
detaint_natural($series_id) || ThrowCodeError("invalid_series_id");
assertCanEdit($series_id);
- my $series = new Bugzilla::Series($cgi);
+ # We cannot use the $series object below, as its name may have changed.
+ my $series = new Bugzilla::Series($series_id);
+ my $token = $cgi->param('token');
+ check_hash_token($token, [$series->{series_id}, $series->{name}]);
+ $series = new Bugzilla::Series($cgi);
# We need to check if there is _another_ series in the database with
# our (potentially new) name. So we call existsInDatabase() to see if
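Review bot: The added lines use indirect object syntax, `new Bugzilla::Series($series_id)` and `new Bugzilla::Series($cgi)`, and reach into the object's hash directly with `$series->{series_id}` and `$series->{name}`; the replaced line did the same, but for new code `Bugzilla::Series->new($series_id)` and accessor calls, if the class provides them, would be the conventional form. The comment `# We cannot use the $series object below, as its name may have changed.` is easy to misread as describing the second object; suggest `# Load the stored series by id first: the token is bound to the name currently in the database, which the submitted form may be renaming.` The enclosing elsif block for "alter" continues past the hunk.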