aboutsummaryrefslogtreecommitdiffstats
path: root/editsettings.cgi
diff options
context:
space:
mode:
authorlpsolit%gmail.com <>2006-10-15 05:02:09 +0000
committerlpsolit%gmail.com <>2006-10-15 05:02:09 +0000
commit93815fc7619567cc962e053280c5ed0b19492feb (patch)
treeffc99d8156c41fbd0d5ab8801324adead2ef4436 /editsettings.cgi
parent6fcfcb93eda16108f71b4c96010bae95cde622cd (diff)
downloadbugs-93815fc7619567cc962e053280c5ed0b19492feb.tar
bugs-93815fc7619567cc962e053280c5ed0b19492feb.tar.gz
bugs-93815fc7619567cc962e053280c5ed0b19492feb.tar.bz2
bugs-93815fc7619567cc962e053280c5ed0b19492feb.tar.xz
bugs-93815fc7619567cc962e053280c5ed0b19492feb.zip
Bug 281181: [SECURITY] It's way too easy to delete versions/components/milestones etc... - Patch by Frédéric Buclin <LpSolit@gmail.com> r=mkanat a=myk
Diffstat (limited to 'editsettings.cgi')
-rwxr-xr-xeditsettings.cgi5
1 files changed, 5 insertions, 0 deletions
diff --git a/editsettings.cgi b/editsettings.cgi
index 6d7fffdfa..a4a85710f 100755
--- a/editsettings.cgi
+++ b/editsettings.cgi
@@ -24,6 +24,7 @@ use Bugzilla::Constants;
use Bugzilla::Util;
use Bugzilla::Error;
use Bugzilla::User::Setting;
+use Bugzilla::Token;
my $template = Bugzilla->template;
local our $vars = {};
@@ -79,9 +80,12 @@ $user->in_group('tweakparams')
object => "settings"});
my $action = trim($cgi->param('action') || 'load');
+my $token = $cgi->param('token');
if ($action eq 'update') {
+ check_token_data($token, 'edit_settings');
SaveSettings();
+ delete_token($token);
$vars->{'changes_saved'} = 1;
$template->process("admin/settings/updated.html.tmpl", $vars)
@@ -92,6 +96,7 @@ if ($action eq 'update') {
if ($action eq 'load') {
LoadSettings();
+ $vars->{'token'} = issue_session_token('edit_settings');
$template->process("admin/settings/edit.html.tmpl", $vars)
|| ThrowTemplateError($template->error());