Bug 621090: [SECURITY] Adding saved searches lacks CSRF protection

r=mkanat a=justdave


git-svn-id: svn://10.0.0.236/branches/BUGZILLA-4_0-BRANCH@261803 18797224-902f-48f8-a5cc-f745e15eee43

mozilla/webtools/bugzilla/.bzrrev

@@ -1 +1 @@
-7523
+7524

mozilla/webtools/bugzilla/buglist.cgi

@@ -504,6 +504,8 @@ elsif (($cmdtype eq "doit") && defined $cgi->param('remtype')) {
         my $query_name = $cgi->param('newqueryname');
         my $new_query = $cgi->param('newquery');
         my $query_type = QUERY_LIST;
+        my $token = $cgi->param('token');
+        check_hash_token($token, ['savedsearch']);
         # If list_of_bugs is true, we are adding/removing individual bugs
         # to a saved search. We get the existing list of bug IDs (if any)
         # and add/remove the passed ones.

mozilla/webtools/bugzilla/template/en/default/global/per-bug-queries.html.tmpl

@@ -63,6 +63,7 @@
         <input type="hidden" name="cmdtype" value="doit">
         <input type="hidden" name="remtype" value="asnamed">
         <input type="hidden" name="list_of_bugs" value="1">
+        <input type="hidden" name="token" value="[% issue_hash_token(['savedsearch']) FILTER html %]">
         <select id="lob_action" name="action" onchange="update_text();">
           <option value="add">Add</option>
           [% IF lists_of_bugs.size %]

mozilla/webtools/bugzilla/template/en/default/list/list.html.tmpl

@@ -253,6 +253,7 @@
                  value="[% urlquerypart FILTER html %][% "&order=$qorder" FILTER html IF order %]">
           <input type="hidden" name="cmdtype" value="doit">
           <input type="hidden" name="remtype" value="asnamed">
+          <input type="hidden" name="token" value="[% issue_hash_token(['savedsearch']) FILTER html %]">
           <input type="text" id="save_newqueryname" name="newqueryname" size="20"
                  value="[% defaultsavename FILTER html %]"> 
         </form>