summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorDave Lawrence <dlawrence@mozilla.com>2011-11-28 17:38:31 +0100
committerDave Lawrence <dlawrence@mozilla.com>2011-11-28 17:38:31 +0100
commitfaac5e70ce92133773a2043619f9f23870beb14b (patch)
tree6f7a03e9e4c14cfa2ee701622f79af9a449ad97e
parent4e01a91159acec1075c5d156e2e9c956167696c0 (diff)
downloadbugzilla-faac5e70ce92133773a2043619f9f23870beb14b.tar.gz
bugzilla-faac5e70ce92133773a2043619f9f23870beb14b.tar.xz
Bug 704308 - CSRF vulnerability in post_bug.cgi allows possible unauthorized bug creation
-rwxr-xr-xenter_bug.cgi2
-rwxr-xr-xpost_bug.cgi35
-rwxr-xr-xprocess_bug.cgi3
-rw-r--r--template/en/default/bug/create/confirm-create-dupe.html.tmpl57
4 files changed, 8 insertions, 89 deletions
diff --git a/enter_bug.cgi b/enter_bug.cgi
index 85e69e535..7a471ab95 100755
--- a/enter_bug.cgi
+++ b/enter_bug.cgi
@@ -225,7 +225,7 @@ $vars->{'qa_contact_disabled'} = !$has_editbugs;
$vars->{'cloned_bug_id'} = $cloned_bug_id;
-$vars->{'token'} = issue_session_token('createbug:');
+$vars->{'token'} = issue_session_token('create_bug');
my @enter_bug_fields = grep { $_->enter_bug } Bugzilla->active_custom_fields;
diff --git a/post_bug.cgi b/post_bug.cgi
index d4b679692..af8c2cd2e 100755
--- a/post_bug.cgi
+++ b/post_bug.cgi
@@ -68,30 +68,7 @@ if (Bugzilla->params->{disable_bug_updates}) {
# Detect if the user already used the same form to submit a bug
my $token = trim($cgi->param('token'));
-if ($token) {
- my ($creator_id, $date, $old_bug_id) = Bugzilla::Token::GetTokenData($token);
- unless ($creator_id
- && ($creator_id == $user->id)
- && ($old_bug_id =~ "^createbug:"))
- {
- # The token is invalid.
- ThrowUserError('token_does_not_exist');
- }
-
- $old_bug_id =~ s/^createbug://;
-
- if ($old_bug_id && (!$cgi->param('ignore_token')
- || ($cgi->param('ignore_token') != $old_bug_id)))
- {
- $vars->{'bugid'} = $old_bug_id;
- $vars->{'allow_override'} = defined $cgi->param('ignore_token') ? 0 : 1;
-
- print $cgi->header();
- $template->process("bug/create/confirm-create-dupe.html.tmpl", $vars)
- || ThrowTemplateError($template->error());
- exit;
- }
-}
+check_token_data($token, 'create_bug', 'index.cgi');
# do a match on the fields if applicable
Bugzilla::User::match_field ({
@@ -175,8 +152,10 @@ foreach my $field (@multi_selects) {
my $bug = Bugzilla::Bug->create(\%bug_params);
-# Get the bug ID back.
+# Get the bug ID back and delete the token used to create this bug.
my $id = $bug->bug_id;
+delete_token($token);
+
# We do this directly from the DB because $bug->creation_ts has the seconds
# formatted out of it (which should be fixed some day).
my $timestamp = $dbh->selectrow_array(
@@ -249,12 +228,6 @@ Bugzilla::Hook::process('post_bug_after_creation', { vars => $vars });
ThrowCodeError("bug_error", { bug => $bug }) if $bug->error;
-if ($token) {
- trick_taint($token);
- $dbh->do('UPDATE tokens SET eventdata = ? WHERE token = ?', undef,
- ("createbug:$id", $token));
-}
-
my $recipients = { changer => $user };
my $bug_sent = Bugzilla::BugMail::Send($id, $recipients);
$bug_sent->{type} = 'created';
diff --git a/process_bug.cgi b/process_bug.cgi
index d44b9dda3..3d8b6bda2 100755
--- a/process_bug.cgi
+++ b/process_bug.cgi
@@ -391,6 +391,9 @@ foreach my $bug (@bug_objects) {
$bug->send_changes($changes, $vars);
}
+# Delete the session token used for the mass-change.
+delete_token($token) unless $cgi->param('id');
+
if (Bugzilla->usage_mode == USAGE_MODE_EMAIL) {
# Do nothing.
}
diff --git a/template/en/default/bug/create/confirm-create-dupe.html.tmpl b/template/en/default/bug/create/confirm-create-dupe.html.tmpl
deleted file mode 100644
index b0a5cddda..000000000
--- a/template/en/default/bug/create/confirm-create-dupe.html.tmpl
+++ /dev/null
@@ -1,57 +0,0 @@
-[%# The contents of this file are subject to the Mozilla Public
- # License Version 1.1 (the "License"); you may not use this file
- # except in compliance with the License. You may obtain a copy of
- # the License at http://www.mozilla.org/MPL/
- #
- # Software distributed under the License is distributed on an "AS
- # IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- # implied. See the License for the specific language governing
- # rights and limitations under the License.
- #
- # The Original Code is the Bugzilla Bug Tracking System.
- #
- # The Initial Developer of the Original Code is Olav Vitters.
- #
- # Contributor(s): Olav Vitters <olav@bkor.dhs.org>
- #%]
-
-[%# INTERFACE:
- # bugid: integer. ID of the bug previously used to create a bug.
- # allow_override: boolean int. Is 1 if the user may submit the bug again.
- #%]
-
-[% PROCESS "global/field-descs.none.tmpl" %]
-
-[% PROCESS global/header.html.tmpl
- title = "Already filed $terms.bug"
-%]
-
-[% USE Bugzilla %]
-
-<table cellpadding="20">
- <tr>
- <td bgcolor="#ff0000">
- <font size="+2">
- You already used the form to file [% "$terms.bug $bugid" FILTER bug_link(bugid) FILTER none %].
- </font>
- </td>
- </tr>
-</table>
-
-<p><font size="big">You are highly encouraged to visit [% "$terms.bug $bugid"
-FILTER bug_link(bugid) FILTER none %].</font></p>
-
-[% IF allow_override %]
- <p>If you are sure you used the same form to submit a new [% terms.bug %],
- click 'File [% terms.bug %] again'.<p>
-
- <form name="create" id="create" method="post" action="post_bug.cgi"
- [%- IF Bugzilla.cgi.param("data") %] enctype="multipart/form-data"[% END %]>
- [% PROCESS "global/hidden-fields.html.tmpl"
- exclude="^(Bugzilla_login|Bugzilla_password|ignore_token)$" %]
- <input type="hidden" name="ignore_token" value="[% bugid FILTER html %]">
- <input type="submit" value="File [% terms.bug %] again" id="file_bug_again">
- </form>
-[% END %]
-
-[% PROCESS global/footer.html.tmpl %]