summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorreed%reedloden.com <>2009-03-30 23:02:33 +0200
committerreed%reedloden.com <>2009-03-30 23:02:33 +0200
commitd9041c3f97422fb377c3e8d20129f4ef8517f833 (patch)
tree005886bc062295c4050a17c8c7b45331f9fd01fe
parente0955c1603559bd8e0b63ccf0331fbde09412dcb (diff)
downloadbugzilla-d9041c3f97422fb377c3e8d20129f4ef8517f833.tar.gz
bugzilla-d9041c3f97422fb377c3e8d20129f4ef8517f833.tar.xz
Bug 476603 - "[SECURITY] Editing attachments doesn't have any CSRF protection" [p=reed r=LpSolit a=LpSolit]
-rwxr-xr-xattachment.cgi9
-rw-r--r--template/en/default/attachment/edit.html.tmpl3
-rw-r--r--template/en/default/bug/show.xml.tmpl10
3 files changed, 19 insertions, 3 deletions
diff --git a/attachment.cgi b/attachment.cgi
index 16615abae..45d4d7fda 100755
--- a/attachment.cgi
+++ b/attachment.cgi
@@ -565,6 +565,9 @@ sub update {
($vars->{'operations'}) =
Bugzilla::Bug::GetBugActivity($bug->id, $attachment->id, $cgi->param('delta_ts'));
+ # The token contains the old modification_time. We need a new one.
+ $cgi->param('token', issue_hash_token([$attachment->id, $attachment->modification_time]));
+
# If the modification date changed but there is no entry in
# the activity table, this means someone commented only.
# In this case, there is no reason to midair.
@@ -579,6 +582,12 @@ sub update {
exit;
}
}
+
+ # We couldn't do this check earlier as we first had to validate attachment ID
+ # and display the mid-air collision page if modification_time changed.
+ my $token = $cgi->param('token');
+ check_hash_token($token, [$attachment->id, $attachment->modification_time]);
+
# If the submitter of the attachment is not in the insidergroup,
# be sure that he cannot overwrite the private bit.
# This check must be done before calling Bugzilla::Flag*::validate(),
diff --git a/template/en/default/attachment/edit.html.tmpl b/template/en/default/attachment/edit.html.tmpl
index f461e9e91..95c90871f 100644
--- a/template/en/default/attachment/edit.html.tmpl
+++ b/template/en/default/attachment/edit.html.tmpl
@@ -171,6 +171,9 @@
<input type="hidden" name="action" value="update">
<input type="hidden" name="contenttypemethod" value="manual">
<input type="hidden" name="delta_ts" value="[% attachment.modification_time FILTER html %]">
+ [% IF user.id %]
+ <input type="hidden" name="token" value="[% issue_hash_token([attachment.id, attachment.modification_time]) FILTER html %]">
+ [% END %]
<table class="attachment_info" width="100%">
diff --git a/template/en/default/bug/show.xml.tmpl b/template/en/default/bug/show.xml.tmpl
index 8fc6ddb3f..cd7f44eff 100644
--- a/template/en/default/bug/show.xml.tmpl
+++ b/template/en/default/bug/show.xml.tmpl
@@ -103,9 +103,13 @@
<type>[% a.contenttype FILTER xml %]</type>
<size>[% a.datasize FILTER xml %]</size>
<attacher>[% a.attacher.email FILTER email FILTER xml %]</attacher>
- [% IF displayfields.attachmentdata %]
- <data encoding="base64">[% a.data FILTER base64 %]</data>
- [% END %]
+ [%# This is here so automated clients can still use attachment.cgi %]
+ [% IF displayfields.token && user.id %]
+ <token>[% issue_hash_token([a.id, a.modification_time]) FILTER xml %]</token>
+ [% END %]
+ [% IF displayfields.attachmentdata %]
+ <data encoding="base64">[% a.data FILTER base64 %]</data>
+ [% END %]
[% FOREACH flag = a.flags %]
<flag name="[% flag.type.name FILTER xml %]"