author | 2011-12-13 14:26:45 -0800 | |
---|---|---|
committer | 2011-12-13 14:26:45 -0800 | |
commit | cc86e1bc247787a6dd28f4604b93e08415ecd4fb (patch) | |
tree | 7608f271062b3bb1d6696983e46031b8ad2a1d18 /createaccount.cgi | |
parent | Bug 644281: When the sort order of a buglist is modified, the "Show next bug ... (diff) | |
Bug 705474 - CSRF vulnerability in createaccount.cgi allows possible unauthorized account creation e-mail request
[r=mkanat a=mkanat]
Diffstat (limited to 'createaccount.cgi')
-rwxr-xr-x | createaccount.cgi | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/createaccount.cgi b/createaccount.cgi index d0437a021..90530b3c5 100755 --- a/createaccount.cgi +++ b/createaccount.cgi @@ -62,6 +62,11 @@ unless ($createexp) { my $login = $cgi->param('login'); if (defined($login)) { + # Check the hash token to make sure this user actually submitted + # the create account form. + my $token = $cgi->param('token'); + check_hash_token($token, ['create_account']); + $login = Bugzilla::User->check_login_name_for_creation($login); $vars->{'login'} = $login; |
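Review bot: The new check_hash_token($token, ['create_account']) call at the top of the if (defined($login)) branch only works if the account-creation form submits a matching token field, and this diff is limited to createaccount.cgi, so the template side is not visible here. Please confirm that the form template emits a hidden token generated for the same 'create_account' value, otherwise every legitimate submission will be rejected. Since $token is taken straight from $cgi->param('token'), it is undefined when the parameter is missing, so also confirm that check_hash_token fails closed on an undefined or empty token rather than warning and continuing. The placement before check_login_name_for_creation looks right, since a forged request is rejected before any login validation or e-mail request happens. A regression test that posts a login without a token would document the intended behaviour.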