Bug 706271: CSRF vulnerability in token.cgi allows possible unauthorized password reset e-mail request
r=reed a=LpSolit4.4
parent
08d5991d2b
commit
c6283d0ebf
|
@ -20,8 +20,8 @@
|
|||
[% IF cgi.request_method == "GET" AND cgi.query_string %]
|
||||
[% connector = "&" %]
|
||||
[% END %]
|
||||
[% script_name = login_target _ connector _ "GoAheadAndLogIn=1" %]
|
||||
<a id="login_link[% qs_suffix %]" href="[% script_name FILTER html %]"
|
||||
[% script_url = login_target _ connector _ "GoAheadAndLogIn=1" %]
|
||||
<a id="login_link[% qs_suffix %]" href="[% script_url FILTER html %]"
|
||||
onclick="return show_mini_login_form('[% qs_suffix %]')">Log In</a>
|
||||
|
||||
[% Hook.process('additional_methods') %]
|
||||
|
@ -98,7 +98,7 @@
|
|||
</li>
|
||||
<li id="forgot_container[% qs_suffix %]">
|
||||
<span class="separator">| </span>
|
||||
<a id="forgot_link[% qs_suffix %]" href="[% script_name FILTER html %]#forgot"
|
||||
<a id="forgot_link[% qs_suffix %]" href="[% script_url FILTER html %]#forgot"
|
||||
onclick="return show_forgot_form('[% qs_suffix %]')">Forgot Password</a>
|
||||
<form action="token.cgi" method="post" id="forgot_form[% qs_suffix %]"
|
||||
class="mini_forgot bz_default_hidden">
|
||||
|
@ -107,6 +107,7 @@
|
|||
<input id="forgot_button[% qs_suffix %]" value="Reset Password"
|
||||
type="submit">
|
||||
<input type="hidden" name="a" value="reqpw">
|
||||
<input type="hidden" id="token" name="token" value="[% issue_hash_token(['reqpw']) FILTER html %]">
|
||||
<a href="#" onclick="return hide_forgot_form('[% qs_suffix %]')">[x]</a>
|
||||
</form>
|
||||
</li>
|
||||
|
|
|
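Review bot: The new hidden input in the mini forgot form carries a fixed `id="token"`, whereas every other id in this form (`forgot_container`, `forgot_link`, `forgot_form`, `forgot_button`) is suffixed with `[% qs_suffix %]`, which indicates the template is rendered more than once per page; that would yield duplicate ids, invalid HTML that also makes any `getElementById('token')` lookup ambiguous. Nothing in the hunk refers to the id, so either drop it or follow the local convention: `<input type="hidden" id="token[% qs_suffix %]" name="token" value="[% issue_hash_token(['reqpw']) FILTER html %]">`. The enclosing `<form>` is opened in the previous hunk, outside this one.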
@ -108,6 +108,7 @@
|
|||
enter your login name below and submit a request
|
||||
to change your password.<br>
|
||||
<input size="35" name="loginname">
|
||||
<input type="hidden" id="token" name="token" value="[% issue_hash_token(['reqpw']) FILTER html %]">
|
||||
<input type="submit" id="request" value="Reset Password">
|
||||
</form>
|
||||
[% END %]
|
||||
|
|
|
@ -114,6 +114,11 @@ sub requestChangePassword {
|
|||
Bugzilla->user->authorizer->can_change_password
|
||||
|| ThrowUserError("password_change_requests_not_allowed");
|
||||
|
||||
# Check the hash token to make sure this user actually submitted
|
||||
# the forgotten password form.
|
||||
my $token = $cgi->param('token');
|
||||
check_hash_token($token, ['reqpw']);
|
||||
|
||||
my $login_name = $cgi->param('loginname')
|
||||
or ThrowUserError("login_needed_for_password_change");
|
||||
|
||||
|
|
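Review bot: `check_hash_token($token, ['reqpw'])` only proves the token was minted by this site, and the requester in this flow is normally not logged in; if `issue_hash_token` (not shown here) builds the token from the site-wide secret, the current user id and the data list alone, every anonymous visitor gets an equally valid token, so an attacker can fetch one from the forgot form and embed it in a cross-site POST for as long as the token age window allows, which makes the CSRF protection weaker than the commit message suggests. It is worth confirming that assumption and, if it holds, binding the token to something the attacker cannot obtain from the victim's browser (a per-session value added to the data list on both the issue and check sides), or at least recording the limitation in the comment: `# Note: for anonymous users this token is shared by all visitors for its lifetime; it proves the form came from this site, not that this browser requested it.` The body of `requestChangePassword` continues past the end of this hunk.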