author | Frédéric Buclin <LpSolit@gmail.com> | 2011-11-22 22:06:00 +0100 |
---|---|---|
committer | Frédéric Buclin <LpSolit@gmail.com> | 2011-11-22 22:06:00 +0100 |
commit | 80882f085e8918346ddb0ec3250f0d31ddaba5e6 (patch) | |
tree | 1dc6042750defd5f415f15144252730054073089 | |
parent | 4d99c123ee568e5a548968de8417ebc70a24efe4 (diff) | |
download | bugzilla-80882f085e8918346ddb0ec3250f0d31ddaba5e6.tar.gz bugzilla-80882f085e8918346ddb0ec3250f0d31ddaba5e6.tar.xz |
Bug 703975: CSRF vulnerability in post_bug.cgi allows possible unauthorized bug creation
r=mkanat a=LpSolit
-rwxr-xr-x | enter_bug.cgi | 2 | ||||
-rwxr-xr-x | post_bug.cgi | 35 | ||||
-rwxr-xr-x | process_bug.cgi | 3 | ||||
-rw-r--r-- | template/en/default/bug/create/confirm-create-dupe.html.tmpl | 57 |
4 files changed, 8 insertions, 89 deletions
diff --git a/enter_bug.cgi b/enter_bug.cgi
index ffba2b09f..4778e4418 100755
--- a/enter_bug.cgi
+++ b/enter_bug.cgi
@@ -395,7 +395,7 @@ $vars->{'qa_contact_disabled'} = !$has_editbugs;
 $vars->{'cloned_bug_id'} = $cloned_bug_id;
-$vars->{'token'} = issue_session_token('createbug:');
+$vars->{'token'} = issue_session_token('create_bug');
 my @enter_bug_fields = grep { $_->enter_bug } Bugzilla->active_custom_fields;
diff --git a/post_bug.cgi b/post_bug.cgi
index 6ca46fb3c..c0878b0da 100755
--- a/post_bug.cgi
+++ b/post_bug.cgi
@@ -62,30 +62,7 @@ unless ($cgi->param()) {
 # Detect if the user already used the same form to submit a bug
 my $token = trim($cgi->param('token'));
-if ($token) {
- my ($creator_id, $date, $old_bug_id) = Bugzilla::Token::GetTokenData($token);
- unless ($creator_id
- && ($creator_id == $user->id)
- && ($old_bug_id =~ "^createbug:"))
- {
- # The token is invalid.
- ThrowUserError('token_does_not_exist');
- }
-
- $old_bug_id =~ s/^createbug://;
-
- if ($old_bug_id && (!$cgi->param('ignore_token')
- || ($cgi->param('ignore_token') != $old_bug_id)))
- {
- $vars->{'bugid'} = $old_bug_id;
- $vars->{'allow_override'} = defined $cgi->param('ignore_token') ? 0 : 1;
-
- print $cgi->header();
- $template->process("bug/create/confirm-create-dupe.html.tmpl", $vars)
- || ThrowTemplateError($template->error());
- exit;
- }
-}
+check_token_data($token, 'create_bug', 'index.cgi');
 # do a match on the fields if applicable
 Bugzilla::User::match_field ({
@@ -169,8 +146,10 @@ foreach my $field (@multi_selects) {
 my $bug = Bugzilla::Bug->create(\%bug_params);
-# Get the bug ID back.
+# Get the bug ID back and delete the token used to create this bug.
 my $id = $bug->bug_id;
+delete_token($token);
+
 # We do this directly from the DB because $bug->creation_ts has the seconds
 # formatted out of it (which should be fixed some day).
 my $timestamp = $dbh->selectrow_array(
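Review bot: The retained context comment `# Detect if the user already used the same form to submit a bug` directly above `my $token = trim($cgi->param('token'));` no longer describes the code beneath it: the duplicate-filing detection was removed and the new `check_token_data($token, 'create_bug', 'index.cgi');` is a CSRF check. Suggest replacing it with `# Validate the session token issued by enter_bug.cgi so a forged or cross-site form post cannot file a bug on the user's behalf.` The `unless ($cgi->param()) {` block named in the hunk header closes before this point, so the check runs on every submission, which is the intent; how check_token_data() reacts to a missing or foreign token (presumably a confirmation page rather than a plain return) is not visible here and is worth confirming before relying on the fall-through.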
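Review bot: In the `@@ -169,8 +146,10 @@` hunk, `delete_token($token);` is placed right after `Bugzilla::Bug->create` and before everything that follows in the script (timestamp lookup and, further down, hooks and bug mail), and the updated comment does not say why it sits there rather than at the end. Suggest expanding it to `# Invalidate the token as soon as the bug exists, so re-posting the same form cannot silently file a duplicate; a failure after this point leaves the bug created but the form unusable.` Note that the deleted block earlier in this file showed the user a confirm page naming the already-filed bug (`$vars->{'bugid'}`), whereas a re-post now presumably hits the generic token failure path, which may deserve a mention in the release notes.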
@@ -243,12 +222,6 @@ Bugzilla::Hook::process('post_bug_after_creation', { vars => $vars });
 ThrowCodeError("bug_error", { bug => $bug }) if $bug->error;
-if ($token) {
- trick_taint($token);
- $dbh->do('UPDATE tokens SET eventdata = ? WHERE token = ?', undef,
- ("createbug:$id", $token));
-}
-
 my $recipients = { changer => $user };
 my $bug_sent = Bugzilla::BugMail::Send($id, $recipients);
 $bug_sent->{type} = 'created';
diff --git a/process_bug.cgi b/process_bug.cgi
index 382ee8b59..7c6e9590c 100755
--- a/process_bug.cgi
+++ b/process_bug.cgi
@@ -385,6 +385,9 @@ foreach my $bug (@bug_objects) {
 $bug->send_changes($changes, $vars);
 }
+# Delete the session token used for the mass-change.
+delete_token($token) unless $cgi->param('id');
+
 if (Bugzilla->usage_mode == USAGE_MODE_EMAIL) {
 # Do nothing.
 }
diff --git a/template/en/default/bug/create/confirm-create-dupe.html.tmpl b/template/en/default/bug/create/confirm-create-dupe.html.tmpl
deleted file mode 100644
index b0a5cddda..000000000
--- a/template/en/default/bug/create/confirm-create-dupe.html.tmpl
+++ /dev/null
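Review bot: In the process_bug.cgi hunk, `delete_token($token) unless $cgi->param('id');` encodes a single-bug versus mass-change split whose rationale lives outside this hunk (where `$token` is validated), and the one-line comment does not explain why single-bug edits are exempt from the deletion. Suggest expanding it to `# Mass changes (no 'id' param) are guarded by a DB-backed session token that must be consumed once used; single-bug edits presumably use a per-bug token that is not stored, so there is nothing to delete.` If single-bug edits do in fact also rely on a stored session token, that token would survive this script and remain reusable, so the exemption is worth confirming against the validation code above. The hunk sits at file scope after the `foreach my $bug (@bug_objects)` loop closes on the visible ` }` line.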
@@ -1,57 +0,0 @@
-[%# The contents of this file are subject to the Mozilla Public
- # License Version 1.1 (the "License"); you may not use this file
- # except in compliance with the License. You may obtain a copy of
- # the License at http://www.mozilla.org/MPL/
- #
- # Software distributed under the License is distributed on an "AS
- # IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- # implied. See the License for the specific language governing
- # rights and limitations under the License.
- #
- # The Original Code is the Bugzilla Bug Tracking System.
- #
- # The Initial Developer of the Original Code is Olav Vitters.
- #
- # Contributor(s): Olav Vitters <olav@bkor.dhs.org>
- #%]
-
-[%# INTERFACE:
- # bugid: integer. ID of the bug previously used to create a bug.
- # allow_override: boolean int. Is 1 if the user may submit the bug again.
- #%]
-
-[% PROCESS "global/field-descs.none.tmpl" %]
-
-[% PROCESS global/header.html.tmpl
- title = "Already filed $terms.bug"
-%]
-
-[% USE Bugzilla %]
-
-<table cellpadding="20">
- <tr>
- <td bgcolor="#ff0000">
- <font size="+2">
- You already used the form to file [% "$terms.bug $bugid" FILTER bug_link(bugid) FILTER none %].
- </font>
- </td>
- </tr>
-</table>
-
-<p><font size="big">You are highly encouraged to visit [% "$terms.bug $bugid"
-FILTER bug_link(bugid) FILTER none %].</font></p>
-
-[% IF allow_override %]
- <p>If you are sure you used the same form to submit a new [% terms.bug %],
- click 'File [% terms.bug %] again'.<p>
-
- <form name="create" id="create" method="post" action="post_bug.cgi"
- [%- IF Bugzilla.cgi.param("data") %] enctype="multipart/form-data"[% END %]>
- [% PROCESS "global/hidden-fields.html.tmpl"
- exclude="^(Bugzilla_login|Bugzilla_password|ignore_token)$" %]
- <input type="hidden" name="ignore_token" value="[% bugid FILTER html %]">
- <input type="submit" value="File [% terms.bug %] again" id="file_bug_again">
- </form>
-[% END %]
-
-[% PROCESS global/footer.html.tmpl %] |