Add token to the end of voting URLs

Posted by gregnostic on August 21, 2008 at 12:09am

Issue Summary

This module doesn't check to see whether the user intended to load the URL when a vote is cast, leaving the module open to a CSRF attack, the scope of which is limited to unwittingly casting votes. Adding a token to the end of the URL should suffice.

Comments

#1

Posted by greggles on August 21, 2008 at 1:18pm

#2

Posted by joshk on August 22, 2008 at 10:43pm

Status:

active

» closed (fixed)

handled by dmitrig

Project:	UpDown
Component:	Code
Category:	bug report
Priority:	critical
Assigned:	gregnostic
Status:	closed (fixed)

Add token to the end of voting URLs

Jump to:

Issue Summary

Comments

#1

#2