From: <psy...@us...> - 2011-01-24 19:40:21
Update of /cvsroot/frenchmozilla/bugzilla/template/fr/default/list In directory sfp-cvsdas-3.v30.ch3.sourceforge.com:/tmp/cvs-serv1851/template/fr/default/list Modified Files: Tag: BZ_3_4_BRANCH quips.html.tmpl Log Message: Bug 621110: [SECURITY] Quips (adding/approving/deleting) lacks CSRF protection Index: quips.html.tmpl =================================================================== RCS file: /cvsroot/frenchmozilla/bugzilla/template/fr/default/list/quips.html.tmpl,v retrieving revision 1.7 retrieving revision 1.7.4.1 diff -u -d -r1.7 -r1.7.4.1 --- quips.html.tmpl 5 Nov 2008 19:14:48 -0000 1.7 +++ quips.html.tmpl 24 Jan 2011 19:40:13 -0000 1.7.4.1 @@ -73,6 +73,8 @@ <form method="post" action="quips.cgi"> <input type="hidden" name="action" value="add"> + <input type="hidden" name="token" + value="[% issue_hash_token(['create-quips']) FILTER html %]"> <input size="80" name="quip"> <p> <input type="submit" id="add" value="Ajouter cette citation"> @@ -103,6 +105,8 @@ </p> <form name="editform" method="post" action="quips.cgi"> <input type="hidden" name="action" value="approve"> + <input type="hidden" name="token" + value="[% issue_hash_token(['approve-quips']) FILTER html %]"> <table border="1"> <thead><tr> <th>Citation</th> @@ -119,7 +123,8 @@ [% "Unknown" IF NOT users.$userid %] </td> <td> - <a href="quips.cgi?action=delete&quipid=[% quipid FILTER url_quote %]"> + <a href="quips.cgi?action=delete&quipid=[% quipid FILTER url_quote %]&token= + [%- issue_hash_token(['quips', quipid]) FILTER url_quote %]"> Supprimer </a> </td> |
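Review bot: in the first hunk (the "add" form) the template now issues a token bound to 'create-quips', but nothing in this diff shows it being checked; the hidden field only closes the CSRF hole if quips.cgi validates that token for the add action, and that server-side change should land in the same commit. Passing the value through `FILTER html` is correct since it sits inside an attribute value.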
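Review bot: in the second hunk (the "approve" form) the token is issued for 'approve-quips' rather than reusing 'create-quips', so a token obtained from the add form cannot be replayed against approval; the check in quips.cgi should be bound to the same action name, and a single form-level token is adequate here because all approvals are submitted in one POST.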
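Review bot: in the third hunk (the delete link) the `[%-` chomp directive is what keeps the href contiguous, since the line break before it would otherwise inject whitespace into the URL after `&token=`; the token is bound to the specific quipid, which is the right granularity for a per-item delete. Two points remain: the `&` separators in the href should be written `&amp;` in HTML (the existing `&quipid=` already had this problem, and the new `&token=` extends it), and because deletion is still a GET link the token travels in the URL and may end up in logs and Referer headers, so turning it into a small POST form would be the cleaner fix.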