Bug 621105 - [SECURITY] Voting lacks CSRF protection

r=mkanat,a=LpSolit


git-svn-id: svn://10.0.0.236/trunk@261814 18797224-902f-48f8-a5cc-f745e15eee43

mozilla/webtools/bugzilla/.bzrrev

@@ -1 +1 @@
-7674
+7675

mozilla/webtools/bugzilla/extensions/Voting/Extension.pm

@@ -36,6 +36,7 @@ use Bugzilla::Field;
 use Bugzilla::Mailer;
 use Bugzilla::User;
 use Bugzilla::Util qw(detaint_natural);
+use Bugzilla::Token;
 
 use List::Util qw(min);
 
@@ -529,6 +530,9 @@ sub _update_votes {
         || ThrowUserError("voting_must_be_nonnegative");
     }
 
+    my $token = $cgi->param('token');
+    check_hash_token($token, ['vote']);
+
     ############################################################################
     # End Data/Security Validation
     ############################################################################

mozilla/webtools/bugzilla/extensions/Voting/template/en/default/pages/voting/user.html.tmpl

@@ -74,6 +74,7 @@
 [% IF products.size %]
   <form name="voting_form" method="post" action="page.cgi?id=voting/user.html">
     <input type="hidden" name="action" value="vote">
+    <input type="hidden" name="token" value="[% issue_hash_token(['vote']) FILTER html %]">
     <table cellspacing="4">
       <tr>
         <td></td>

mozilla/webtools/bugzilla/extensions/Voting/template/en/default/voting/delete-all.html.tmpl

@@ -35,6 +35,7 @@
 
 <form action="page.cgi?id=voting/user.html" method="post">
     <input type="hidden" name="action" value="vote">
+    <input type="hidden" name="token" value="[% issue_hash_token(['vote']) FILTER html %]">
   <p>
     <input type="radio" name="delete_all_votes" value="1">
     Yes, delete all my votes