From 192acb445e1009a3c75dd93c2d0c27005d14cf4e Mon Sep 17 00:00:00 2001
From: "mkanat%bugzilla.org"
Date: Mon, 24 Jan 2011 19:53:26 +0000
Subject: [PATCH] Bug 621105 - [SECURITY] Voting lacks CSRF protection r=mkanat,a=LpSolit
git-svn-id: svn://10.0.0.236/trunk@261814 18797224-902f-48f8-a5cc-f745e15eee43
---
 mozilla/webtools/bugzilla/.bzrrev | 2 +-
 mozilla/webtools/bugzilla/extensions/Voting/Extension.pm | 4 ++++
 .../Voting/template/en/default/pages/voting/user.html.tmpl | 1 +
 .../Voting/template/en/default/voting/delete-all.html.tmpl | 1 +
 4 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/mozilla/webtools/bugzilla/.bzrrev b/mozilla/webtools/bugzilla/.bzrrev
index 10abd3c986c..2a5df8871fa 100644
--- a/mozilla/webtools/bugzilla/.bzrrev
+++ b/mozilla/webtools/bugzilla/.bzrrev
@@ -1 +1 @@
-7674
\ No newline at end of file
+7675
\ No newline at end of file
diff --git a/mozilla/webtools/bugzilla/extensions/Voting/Extension.pm b/mozilla/webtools/bugzilla/extensions/Voting/Extension.pm
index d94ff84300f..8417e0ec357 100644
--- a/mozilla/webtools/bugzilla/extensions/Voting/Extension.pm
+++ b/mozilla/webtools/bugzilla/extensions/Voting/Extension.pm
@@ -36,6 +36,7 @@ use Bugzilla::Field;
 use Bugzilla::Mailer;
 use Bugzilla::User;
 use Bugzilla::Util qw(detaint_natural);
+use Bugzilla::Token;
 use List::Util qw(min);
@@ -529,6 +530,9 @@ sub _update_votes {
 || ThrowUserError("voting_must_be_nonnegative");
 }
+ my $token = $cgi->param('token');
+ check_hash_token($token, ['vote']);
+
 ############################################################################
 # End Data/Security Validation
 ############################################################################
diff --git a/mozilla/webtools/bugzilla/extensions/Voting/template/en/default/pages/voting/user.html.tmpl b/mozilla/webtools/bugzilla/extensions/Voting/template/en/default/pages/voting/user.html.tmpl
index f2ac160f856..dbceaf2174d 100644
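Review bot: The new check_hash_token call in _update_votes is the only server-side CSRF check in this patch, while the diffstat shows two forms (pages/voting/user.html.tmpl and voting/delete-all.html.tmpl) gained a token field; if the delete-all submission is handled by any path other than _update_votes, that path still changes state without a token, so confirm both forms end up at this check. The call discards check_hash_token's return value, which is only safe if the function itself aborts the request on a missing, mismatched or expired token; since `use Bugzilla::Token;` is new to this file and the function body is not visible here, record that contract on the call with `# CSRF: check_hash_token() terminates the request on a missing/invalid/expired token; it never returns false.`. The check sits before the "End Data/Security Validation" banner and so, presumably, ahead of any database write, which is the right placement; _update_votes starts and ends outside the hunk, so where $cgi is declared and that nothing earlier in the sub has already written cannot be confirmed from here.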
--- a/mozilla/webtools/bugzilla/extensions/Voting/template/en/default/pages/voting/user.html.tmpl
+++ b/mozilla/webtools/bugzilla/extensions/Voting/template/en/default/pages/voting/user.html.tmpl
@@ -74,6 +74,7 @@ [% IF products.size %]
+
diff --git a/mozilla/webtools/bugzilla/extensions/Voting/template/en/default/voting/delete-all.html.tmpl b/mozilla/webtools/bugzilla/extensions/Voting/template/en/default/voting/delete-all.html.tmpl
index 82ddc35961a..f0d3b7e1376 100644
--- a/mozilla/webtools/bugzilla/extensions/Voting/template/en/default/voting/delete-all.html.tmpl
+++ b/mozilla/webtools/bugzilla/extensions/Voting/template/en/default/voting/delete-all.html.tmpl
@@ -35,6 +35,7 @@
+

Yes, delete all my votes