author | lpsolit%gmail.com <> | 2006-10-15 05:02:09 +0000 |
---|---|---|
committer | lpsolit%gmail.com <> | 2006-10-15 05:02:09 +0000 |
commit | 93815fc7619567cc962e053280c5ed0b19492feb (patch) | |
tree | ffc99d8156c41fbd0d5ab8801324adead2ef4436 /editparams.cgi | |
parent | Bug 346564: [SECURITY] timetracking deadline leaks in XML - Patch by Olav Vit... (diff) | |
Bug 281181: [SECURITY] It's way too easy to delete versions/components/milestones etc... - Patch by Frédéric Buclin <LpSolit@gmail.com> r=mkanat a=myk
Diffstat (limited to 'editparams.cgi')
-rwxr-xr-x | editparams.cgi | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/editparams.cgi b/editparams.cgi index 79063271a..cbce6405f 100755 --- a/editparams.cgi +++ b/editparams.cgi @@ -31,6 +31,7 @@ use Bugzilla::Config qw(:admin); use Bugzilla::Config::Common; use Bugzilla::Util; use Bugzilla::Error; +use Bugzilla::Token; my $user = Bugzilla->login(LOGIN_REQUIRED); my $cgi = Bugzilla->cgi; @@ -45,6 +46,7 @@ $user->in_group('tweakparams') object => "parameters"}); my $action = trim($cgi->param('action') || ''); +my $token = $cgi->param('token'); my $current_panel = $cgi->param('section') || 'core'; $current_panel =~ /^([A-Za-z0-9_-]+)$/; $current_panel = $1; @@ -66,6 +68,7 @@ foreach my $panel (Bugzilla::Config::param_panels()) { $vars->{panels} = \@panels; if ($action eq 'save' && $current_module) { + check_token_data($token, 'edit_parameters'); my @changes = (); my @module_param_list = "Bugzilla::Config::${current_module}"->get_param_list(1); @@ -125,7 +128,10 @@ if ($action eq 'save' && $current_module) { $vars->{'param_changed'} = \@changes; write_params(); + delete_token($token); } +$vars->{'token'} = issue_session_token('edit_parameters'); + $template->process("admin/params/editparams.html.tmpl", $vars) || ThrowTemplateError($template->error()); |
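Review bot: The new `check_token_data($token, 'edit_parameters');` at the top of the save branch carries no comment on why it must sit there, and its position is the whole point: it runs before any submitted parameter is read and before `write_params()` is called, so a request without a token issued to this user for this action never reaches the write. A comment such as `# Refuse to apply changes unless the POST carries a token issued to this user for 'edit_parameters', so a forged cross-site request cannot rewrite parameters.` would record that for the next maintainer. In the last hunk `delete_token($token);` is reached only after `write_params()` returns, so a save that dies on an invalid value (in the code between the two hunks, outside this diff) leaves the token valid for a retry; presumably intended, but a one-line comment would make it deliberate. The template that has to emit `$vars->{'token'}` as a hidden form field is not in this diffstat, which is limited to editparams.cgi, so its presence cannot be confirmed here.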