author | Dylan Hardison <dylan@mozilla.com> | 2016-03-01 14:14:24 +0100 |
---|---|---|
committer | Dylan Hardison <dylan@mozilla.com> | 2016-03-01 14:14:24 +0100 |
commit | 4d956493207d37a7d9a24d398d86a8cf1ce86c2d (patch) | |
tree | 2bef56b70bbc4f6189a639431f442070a59f961a | |
parent | 1d3186c171465b173a42f8ecd168662eccccc4d1 (diff) | |
download | bugzilla-4d956493207d37a7d9a24d398d86a8cf1ce86c2d.tar.gz bugzilla-4d956493207d37a7d9a24d398d86a8cf1ce86c2d.tar.xz |
Bug 1252219 - Attachment bounty form is vulnerable to CSRF and persistent XSS
-rw-r--r-- | extensions/BMO/Extension.pm | 6 | ||||
-rw-r--r-- | extensions/BMO/template/en/default/pages/attachment_bounty_form.html.tmpl | 19 |
2 files changed, 16 insertions, 9 deletions
diff --git a/extensions/BMO/Extension.pm b/extensions/BMO/Extension.pm
index 3ca3165fe..35ce9b8d6 100644
--- a/extensions/BMO/Extension.pm
+++ b/extensions/BMO/Extension.pm
@@ -257,6 +257,9 @@ sub bounty_attachment { ThrowUserError('bounty_attachment_missing_reporter') unless $input->{reporter_email}; + check_hash_token($input->{token}, ['bounty', $bug->id]); + delete_token($input->{token}); + my @fields = qw( reporter_email amount_paid reported_date fixed_date awarded_date publish ); my %form = map { $_ => $input->{$_} } @fields; $form{credit} = [ grep { defined } map { $input->{"credit_$_"} } 1..3 ];
@@ -301,6 +304,7 @@ sub bounty_attachment { $vars->{form}{fixed_date} = format_time($bug->cf_last_resolved, "%Y-%m-%d"), } } + $vars->{form}{token} = issue_hash_token(['bounty', $bug->id]); } sub _attachment_is_bounty_attachment {
@@ -309,6 +313,8 @@ sub _attachment_is_bounty_attachment { return 0 unless $attachment->filename eq 'bugbounty.data'; return 0 unless $attachment->contenttype eq 'text/plain'; return 0 unless $attachment->isprivate; + return 0 unless $attachment->attacher->in_group('bounty-team'); + return $attachment->description =~ /^(?:[^,]*,)+[^,]*$/; }
diff --git a/extensions/BMO/template/en/default/pages/attachment_bounty_form.html.tmpl b/extensions/BMO/template/en/default/pages/attachment_bounty_form.html.tmpl
index e458d0111..9b6901330 100644
--- a/extensions/BMO/template/en/default/pages/attachment_bounty_form.html.tmpl
+++ b/extensions/BMO/template/en/default/pages/attachment_bounty_form.html.tmpl
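Review bot: `delete_token($input->{token})` right after the new `check_hash_token` call most likely does not consume the token: if these are the Bugzilla::Token HMAC-style hash tokens, which are never written to the tokens table, `delete_token` has nothing to delete and the token stays valid until it expires, so a captured form post can be replayed within that window — confirm against Bugzilla::Token. If single-use is the intent, a stored token (`issue_session_token` on the display path, `check_token_data` followed by `delete_token` here) gives that; otherwise drop the `delete_token` line and record the property in a comment such as `# hash tokens are stateless: valid until expiry, not single-use`. The check itself is well placed, before any submitted field is copied into `%form`. bounty_attachment's body continues outside the hunk.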
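Review bot: The new `in_group('bounty-team')` line in _attachment_is_bounty_attachment evaluates the attacher's membership at the time the attachment is read, not when it was uploaded, so bounty data from someone who has since left the group silently stops being recognised; if that is intended, say so with `# only trust bounty data uploaded by a (current) bounty-team member`, and consider lifting the group name into a constant shared with any other bounty-team checks in the extension. The description regex on the following line is untouched by this commit but anchors with `^`/`$` rather than `\A`/`\z`, so a description with a trailing newline still passes; harmless for a boolean test, worth knowing if the same pattern is reused to split the fields.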
@@ -133,8 +133,9 @@ function validateAndSubmit() { <form id="bounty_form" method="post" action="page.cgi" enctype="multipart/form-data" onSubmit="return validateAndSubmit();"> - <input type="hidden" name="bug_id" value="[% bug.id FILTER none %]"> + <input type="hidden" name="bug_id" value="[% bug.id FILTER html %]"> <input type="hidden" name="id" value="attachment_bounty_form.html"> + <input type="hidden" name="token" value="[% form.token FILTER html %]"> <input type="hidden" name="submit" value="1"> <div class="head_desc">
@@ -144,17 +145,17 @@ function validateAndSubmit() { <div class="form_section"> <label for="reporter_email" class="field_label required">Reporter's Email</label> <input type="text" name="reporter_email" id="reporter_email" size="80" - value="[% form.reporter_email FILTER none %]"> + value="[% form.reporter_email FILTER html %]"> </div> <div class="form_section"> <label for="amount_paid" class="field_label">Amount Paid</label> - <input type="text" name="amount_paid" id="amount_paid" size="80" value="[% form.amount_paid FILTER none %]"> + <input type="text" name="amount_paid" id="amount_paid" size="80" value="[% form.amount_paid FILTER html %]"> </div> <div class="form_section"> <label for="reported_date" class="field_label">Reported Date</label> - <input name="reported_date" size="20" id="reported_date" value="[% form.reported_date FILTER none %]" + <input name="reported_date" size="20" id="reported_date" value="[% form.reported_date FILTER html %]" onchange="updateCalendarFromField(this)"> <button type="button" class="calendar_button" id="button_calendar_reported_date"
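Review bot: The `FILTER none` to `FILTER html` change in the @@ -144 hunk, and likewise in the @@ -169, @@ -184 and @@ -207 hunks, covers every text input shown here, but the `publish` field that Extension.pm's `@fields` list carries alongside these names is not touched by this diff; if it is rendered elsewhere in this template with `FILTER none`, that output path is still unescaped and should be checked. The hidden `token` input added in the @@ -133 hunk depends on `form.token` being set on every render of this page; a path that returns from bounty_attachment before its final `issue_hash_token` assignment would emit an empty token and the post would then be rejected by `check_hash_token` — safe, but worth a comment in the template such as `[%# form.token is issued by bounty_attachment; required for the POST %]`. The `<form>` opened in the @@ -133 hunk is closed outside these hunks.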
@@ -169,7 +170,7 @@ function validateAndSubmit() { <div class="form_section"> <label for="fixed_date" class="field_label">Fixed Date</label> - <input name="fixed_date" size="20" id="fixed_date" value="[% form.fixed_date FILTER none %]" + <input name="fixed_date" size="20" id="fixed_date" value="[% form.fixed_date FILTER html %]" onchange="updateCalendarFromField(this)"> <button type="button" class="calendar_button" id="button_calendar_fixed_date"
@@ -184,7 +185,7 @@ function validateAndSubmit() { <div class="form_section"> <label for="awarded_date" class="field_label">Awarded Date</label> - <input name="awarded_date" size="20" id="awarded_date" value="[% form.awarded_date FILTER none %]" + <input name="awarded_date" size="20" id="awarded_date" value="[% form.awarded_date FILTER html %]" onchange="updateCalendarFromField(this)"> <button type="button" class="calendar_button" id="button_calendar_awarded_date"
@@ -207,17 +208,17 @@ function validateAndSubmit() { <div class="form_section"> <label for="credit_1" class="field_label">Credit</label> - <input type="text" name="credit_1" id="credit_1" size="80" value="[% form.credit.0 FILTER none %]"> + <input type="text" name="credit_1" id="credit_1" size="80" value="[% form.credit.0 FILTER html %]"> </div> <div class="form_section"> <label for="credit_2" class="field_label">Credit</label> - <input type="text" name="credit_2" id="credit_2" size="80" value="[% form.credit.1 FILTER none %]"> + <input type="text" name="credit_2" id="credit_2" size="80" value="[% form.credit.1 FILTER html %]"> </div> <div class="form_section"> <label for="credit_3" class="field_label">Credit</label> - <input type="text" name="credit_3" id="credit_3" size="80" value="[% form.credit.2 FILTER none %]"> + <input type="text" name="credit_3" id="credit_3" size="80" value="[% form.credit.2 FILTER html %]"> </div> <input type="submit" id="commit" value="Submit"> |