authorFrédéric Buclin <LpSolit@gmail.com>2012-08-06 23:41:47 +0200
committerFrédéric Buclin <LpSolit@gmail.com>2012-08-06 23:41:47 +0200
commitaefdf269ff52f02c16a350329f485c041479507e (patch)
tree7e85a557856831bc141467b831da5c4b5cbb3966 /token.cgi
parentBug 682317 - Bug.create is incorrectly documented as ignoring invalid fields;... (diff)
Bug 706271: CSRF vulnerability in token.cgi allows possible unauthorized password reset e-mail request
r=reed a=LpSolit
Diffstat (limited to 'token.cgi')
-rwxr-xr-xtoken.cgi5
1 files changed, 5 insertions, 0 deletions
diff --git a/token.cgi b/token.cgi
index d5ebad78d..62f1f5121 100755
--- a/token.cgi
+++ b/token.cgi
@@ -114,6 +114,11 @@ sub requestChangePassword {
Bugzilla->user->authorizer->can_change_password
|| ThrowUserError("password_change_requests_not_allowed");
+ # Check the hash token to make sure this user actually submitted
+ # the forgotten password form.
+ my $token = $cgi->param('token');
+ check_hash_token($token, ['reqpw']);
+
my $login_name = $cgi->param('loginname')
or ThrowUserError("login_needed_for_password_change");