diff options
author | Frédéric Buclin <LpSolit@gmail.com> | 2013-10-16 19:03:21 +0200 |
---|---|---|
committer | Frédéric Buclin <LpSolit@gmail.com> | 2013-10-16 19:03:21 +0200 |
commit | 362e68976c570eb0d9bacf07e4b1693012eb4d22 (patch) | |
tree | c666f7a20bb73daf6e447f2bfd75bdd002f691d3 | |
parent | 637fb098a0293fc3c2e83bb824a28e1843ae23fc (diff) | |
download | bugzilla-362e68976c570eb0d9bacf07e4b1693012eb4d22.tar.gz bugzilla-362e68976c570eb0d9bacf07e4b1693012eb4d22.tar.xz |
Bug 913904: (CVE-2013-1734) [SECURITY] CSRF when updating attachments
r=dkl a=sgreen
-rwxr-xr-x | attachment.cgi | 17 |
1 files changed, 10 insertions, 7 deletions
diff --git a/attachment.cgi b/attachment.cgi index 7009a5e00..5a0d6f9fb 100755 --- a/attachment.cgi +++ b/attachment.cgi @@ -637,19 +637,22 @@ sub update { $attachment->set_filename(scalar $cgi->param('filename')); # Now make sure the attachment has not been edited since we loaded the page. - if (defined $cgi->param('delta_ts') - && $cgi->param('delta_ts') ne $attachment->modification_time) - { - ($vars->{'operations'}) = $bug->get_activity($attachment->id, $cgi->param('delta_ts')); + my $delta_ts = $cgi->param('delta_ts'); + my $modification_time = $attachment->modification_time; - # The token contains the old modification_time. We need a new one. - $cgi->param('token', issue_hash_token([$attachment->id, $attachment->modification_time])); + if ($delta_ts && $delta_ts ne $modification_time) { + datetime_from($delta_ts) + or ThrowCodeError('invalid_timestamp', { timestamp => $delta_ts }); + ($vars->{'operations'}) = $bug->get_activity($attachment->id, $delta_ts); # If the modification date changed but there is no entry in # the activity table, this means someone commented only. # In this case, there is no reason to midair. if (scalar(@{$vars->{'operations'}})) { - $cgi->param('delta_ts', $attachment->modification_time); + $cgi->param('delta_ts', $modification_time); + # The token contains the old modification_time. We need a new one. + $cgi->param('token', issue_hash_token([$attachment->id, $modification_time])); + $vars->{'attachment'} = $attachment; print $cgi->header(); |