Bug 703983 - CSRF vulnerability in attachment.cgi allows possible unauthorized attachment creation

[r=LpSolit a=LpSolit]

2 files changed, 5 insertions, 76 deletions

diff --git a/attachment.cgi b/attachment.cgi
index f0e818abe..35afc227e 100755
--- a/attachment.cgi
+++ b/attachment.cgi
@@ -512,7 +512,7 @@ sub enter {
     $vars->{'flag_types'} = $flag_types;
     $vars->{'any_flags_requesteeble'} =
         grep { $_->is_requestable && $_->is_requesteeble } @$flag_types;
-    $vars->{'token'} = issue_session_token('create_attachment:');
+    $vars->{'token'} = issue_session_token('create_attachment');
 
     print $cgi->header();
 
@@ -535,27 +535,7 @@ sub insert {
 
     # Detect if the user already used the same form to submit an attachment
     my $token = trim($cgi->param('token'));
-    if ($token) {
-        my ($creator_id, $date, $old_attach_id) = Bugzilla::Token::GetTokenData($token);
-        unless ($creator_id 
-            && ($creator_id == $user->id) 
-                && ($old_attach_id =~ "^create_attachment:")) 
-        {
-            # The token is invalid.
-            ThrowUserError('token_does_not_exist');
-        }
-    
-        $old_attach_id =~ s/^create_attachment://;
-   
-        if ($old_attach_id) {
-            $vars->{'bugid'} = $bugid;
-            $vars->{'attachid'} = $old_attach_id;
-            print $cgi->header();
-            $template->process("attachment/cancel-create-dupe.html.tmpl",  $vars)
-                || ThrowTemplateError($template->error());
-            exit;
-        }
-    }
+    check_token_data($token, 'create_attachment', 'index.cgi');
 
     # Check attachments the user tries to mark as obsolete.
     my @obsolete_attachments;
@@ -581,6 +561,9 @@ sub insert {
          mimetype      => $content_type,
          });
 
+    # Delete the token used to create this attachment.
+    delete_token($token);
+
     foreach my $obsolete_attachment (@obsolete_attachments) {
         $obsolete_attachment->set_is_obsolete(1);
         $obsolete_attachment->update($timestamp);
@@ -618,12 +601,6 @@ sub insert {
   }
   $bug->update($timestamp);
 
-  if ($token) {
-      trick_taint($token);
-      $dbh->do('UPDATE tokens SET eventdata = ? WHERE token = ?', undef,
-               ("create_attachment:" . $attachment->id, $token));
-  }
-
   $dbh->bz_commit_transaction;
 
   # Define the variables and functions that will be passed to the UI template.
diff --git a/template/en/default/attachment/cancel-create-dupe.html.tmpl b/template/en/default/attachment/cancel-create-dupe.html.tmpl
deleted file mode 100644
index 643a24ad8..000000000
--- a/template/en/default/attachment/cancel-create-dupe.html.tmpl
+++ /dev/null
@@ -1,48 +0,0 @@
-[%# The contents of this file are subject to the Mozilla Public
-  # License Version 1.1 (the "License"); you may not use this file
-  # except in compliance with the License. You may obtain a copy of
-  # the License at http://www.mozilla.org/MPL/
-  #
-  # Software distributed under the License is distributed on an "AS
-  # IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-  # implied. See the License for the specific language governing
-  # rights and limitations under the License.
-  #
-  # The Original Code is the Bugzilla Bug Tracking System.
-  #
-  # The Initial Developer of the Original Code is Olav Vitters.
-  #
-  # Contributor(s): Olav Vitters <olav@bkor.dhs.org>
-  #                 David Lawrence <dkl@redhat.com>
-  #%]
-
-[%# INTERFACE:
-  # bugid:    integer. ID of the bug report that this attachment relates to.
-  # attachid: integer. ID of the previous attachment recently created.
-  #%]
-
-[% PROCESS "global/field-descs.none.tmpl" %]
-
-[% PROCESS global/header.html.tmpl
-  title = "Already filed attachment"
-%]
-
-[% USE Bugzilla %]
-
-<table cellpadding="20">
-  <tr>
-    <td bgcolor="#ff0000">
-      <font size="+2">
-        You already used the form to file
-        <a href="[% urlbase FILTER html %]attachment.cgi?id=[% attachid FILTER uri %]&action=edit">attachment [% attachid FILTER uri %]</a>.
-      </font>
-    </td>
-  </tr>
-</table>
-
-<p>
-  You can either <a href="[% urlbase FILTER html %]attachment.cgi?bugid=[% bugid FILTER uri %]&action=enter">
-  create a new attachment</a> or [% "go back to $terms.bug $bugid" FILTER bug_link(bugid) FILTER none %].
-<p>
-
-[% PROCESS global/footer.html.tmpl %]