author | lpsolit%gmail.com <> | 2006-10-15 05:02:09 +0000 |
---|---|---|
committer | lpsolit%gmail.com <> | 2006-10-15 05:02:09 +0000 |
commit | 93815fc7619567cc962e053280c5ed0b19492feb (patch) | |
tree | ffc99d8156c41fbd0d5ab8801324adead2ef4436 /editsettings.cgi | |
parent | 6fcfcb93eda16108f71b4c96010bae95cde622cd (diff) | |
Bug 281181: [SECURITY] It's way too easy to delete versions/components/milestones etc... - Patch by Frédéric Buclin <LpSolit@gmail.com> r=mkanat a=myk
Diffstat (limited to 'editsettings.cgi')
-rwxr-xr-x | editsettings.cgi | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/editsettings.cgi b/editsettings.cgi
index 6d7fffdfa..a4a85710f 100755
--- a/editsettings.cgi
+++ b/editsettings.cgi
@@ -24,6 +24,7 @@ use Bugzilla::Constants;
 use Bugzilla::Util;
 use Bugzilla::Error;
 use Bugzilla::User::Setting;
+use Bugzilla::Token;
 
 my $template = Bugzilla->template;
 local our $vars = {};
@@ -79,9 +80,12 @@ $user->in_group('tweakparams')
 object => "settings"});
 
 my $action = trim($cgi->param('action') || 'load');
+my $token = $cgi->param('token');
 
 if ($action eq 'update') {
+check_token_data($token, 'edit_settings');
 SaveSettings();
+delete_token($token);
 $vars->{'changes_saved'} = 1;
 
 $template->process("admin/settings/updated.html.tmpl", $vars)
@@ -92,6 +96,7 @@ if ($action eq 'update') {
 if ($action eq 'load') {
 LoadSettings();
+$vars->{'token'} = issue_session_token('edit_settings');
 $template->process("admin/settings/edit.html.tmpl", $vars)
 || ThrowTemplateError($template->error());
|
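Review bot: The new `check_token_data` / `delete_token` pair in the `update` branch carries no comment saying why it exists or why it is ordered this way, so a later edit could move the check below `SaveSettings()` or drop the deletion without noticing; add above the check `# CSRF guard (Bug 281181): 'update' must present the session token issued by the 'load' form; the token is consumed only after the save succeeds.` If `SaveSettings()` throws, `delete_token` is never reached and the token stays usable for a retry, which looks intentional but is worth stating in that comment so it is not "fixed" later. The event name `'edit_settings'` is a repeated literal here and in the `issue_session_token` call of the following hunk; a single `my $token_event = 'edit_settings';` next to the `$action` line, used in both places, would keep them from drifting apart. How `check_token_data` behaves when `$token` is absent or belongs to another user is defined in `Bugzilla::Token`, which is not visible here, so that rejection path should be confirmed rather than assumed. The `if ($action eq 'update')` block continues past the end of this hunk.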