Index: modules/comment/comment.module
===================================================================
RCS file: /cvs/drupal/drupal/modules/comment/comment.module,v
retrieving revision 1.853
diff -u -p -r1.853 comment.module
--- modules/comment/comment.module	12 Mar 2010 15:56:29 -0000	1.853
+++ modules/comment/comment.module	12 Mar 2010 16:58:19 -0000
@@ -992,6 +992,7 @@ function comment_links($comment, $node) 
           'title' => t('approve'),
           'href' => "comment/$comment->cid/approve",
           'html' => TRUE,
+          'query' => array('token' => drupal_get_token("comment/$comment->cid/approve")),
         );
       }
     }
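Review bot: The token seed `"comment/$comment->cid/approve"` on the added `'query'` line is written out a second time in comment_approve() in comment.pages.inc, and nothing ties the two strings together. If either side is edited later, every approve link will return 403 with no hint as to why. A comment on this line would make the coupling visible, for example `// CSRF token; the seed must match the value checked in comment_approve().`, or both sides could build the seed through one small helper. comment_links() starts and ends outside this hunk.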
Index: modules/comment/comment.pages.inc
===================================================================
RCS file: /cvs/drupal/drupal/modules/comment/comment.pages.inc,v
retrieving revision 1.36
diff -u -p -r1.36 comment.pages.inc
--- modules/comment/comment.pages.inc	22 Feb 2010 15:38:52 -0000	1.36
+++ modules/comment/comment.pages.inc	12 Mar 2010 16:58:19 -0000
@@ -107,6 +107,9 @@ function comment_reply($node, $pid = NUL
  *   A comment identifier.
  */
 function comment_approve($cid) {
+  if (!isset($_GET['token']) || !drupal_valid_token($_GET['token'], "comment/$cid/approve")) {
+    return MENU_ACCESS_DENIED;
+  }
   if ($comment = comment_load($cid)) {
     $comment->status = COMMENT_PUBLISHED;
     comment_save($comment);
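Review bot: Approval is still a state change performed on a GET request, and the added `$_GET['token']` check means the anti-CSRF token travels in the URL. It can therefore end up in web server access logs, browser history and Referer headers. The seed `"comment/$cid/approve"` binds the token to this one comment, which limits what a leaked value is good for, but a confirmation form submitted by POST would keep it out of URLs altogether. If the GET link stays, the docblock above should say that a valid `token` query parameter is required and that the callback returns `MENU_ACCESS_DENIED` without it. The body of comment_approve() continues past the end of this hunk.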
Index: modules/comment/comment.test
===================================================================
RCS file: /cvs/drupal/drupal/modules/comment/comment.test,v
retrieving revision 1.71
diff -u -p -r1.71 comment.test
--- modules/comment/comment.test	7 Mar 2010 23:14:20 -0000	1.71
+++ modules/comment/comment.test	12 Mar 2010 16:58:20 -0000
@@ -954,6 +954,10 @@ class CommentApprovalTest extends Commen
 
     // Approve comment.
     $this->drupalLogin($this->admin_user);
+    $this->drupalGet('comment/1/approve');
+    $this->assertResponse(403, t('Forged comment approval was denied.'));
+    $this->drupalGet('comment/1/approve', array('query' => array('token' => 'forged')));
+    $this->assertResponse(403, t('Forged comment approval was denied.'));
     $this->drupalGet('node/' . $this->node->nid);
     $this->clickLink(t('approve'));
     $this->drupalLogout();
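Review bot: The two added `drupalGet()` calls only assert the 403 status and never check that the comment is still unpublished after the rejected requests, which is the property the token is meant to protect. An assertion on the stored comment status after the second `assertResponse(403, …)` would catch a regression where access is denied only after comment_save() has already run. Both assertions also share the message `t('Forged comment approval was denied.')`, so a failure does not say which case broke; `t('Comment approval without a token was denied.')` and `t('Comment approval with a forged token was denied.')` would tell them apart. The hard-coded path `comment/1/approve` assumes the comment created earlier in the test has cid 1; that code is outside this hunk, so this should be confirmed or the id taken from the comment object.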
