author | Reed Loden <reed@reedloden.com> | 2011-11-21 23:08:54 +0100 |
committer | Reed Loden <reed@reedloden.com> | 2011-11-21 23:08:54 +0100 |
commit | 4d99c123ee568e5a548968de8417ebc70a24efe4 (patch) | |
tree | 940fc8e5af4e751fecfae551cb735ccf719e9258 | |
parent | f08fde0c271e6393a10aa0011b49613d26a31d33 (diff) | |
Bug 703983 - CSRF vulnerability in attachment.cgi allows possible unauthorized attachment creation
[r=LpSolit a=LpSolit]
-rwxr-xr-x | attachment.cgi | 33 | ||||
-rw-r--r-- | template/en/default/attachment/cancel-create-dupe.html.tmpl | 48 |
2 files changed, 5 insertions, 76 deletions
diff --git a/attachment.cgi b/attachment.cgi
index 5eba13611..04bad37b3 100755
--- a/attachment.cgi
+++ b/attachment.cgi
@@ -501,7 +501,7 @@ sub enter {
 $vars->{'flag_types'} = $flag_types;
 $vars->{'any_flags_requesteeble'} = grep { $_->is_requestable && $_->is_requesteeble } @$flag_types;
- $vars->{'token'} = issue_session_token('create_attachment:');
+ $vars->{'token'} = issue_session_token('create_attachment');
 print $cgi->header();
@@ -524,27 +524,7 @@ sub insert {
 # Detect if the user already used the same form to submit an attachment
 my $token = trim($cgi->param('token'));
- if ($token) {
- my ($creator_id, $date, $old_attach_id) = Bugzilla::Token::GetTokenData($token);
- unless ($creator_id
- && ($creator_id == $user->id)
- && ($old_attach_id =~ "^create_attachment:"))
- {
- # The token is invalid.
- ThrowUserError('token_does_not_exist');
- }
-
- $old_attach_id =~ s/^create_attachment://;
-
- if ($old_attach_id) {
- $vars->{'bugid'} = $bugid;
- $vars->{'attachid'} = $old_attach_id;
- print $cgi->header();
- $template->process("attachment/cancel-create-dupe.html.tmpl", $vars)
- || ThrowTemplateError($template->error());
- exit;
- }
- }
+ check_token_data($token, 'create_attachment', 'index.cgi');
 # Check attachments the user tries to mark as obsolete.
 my @obsolete_attachments;
@@ -570,6 +550,9 @@ sub insert {
 mimetype => $content_type,
 });
+ # Delete the token used to create this attachment.
+ delete_token($token);
+
 foreach my $obsolete_attachment (@obsolete_attachments) {
 $obsolete_attachment->set_is_obsolete(1);
 $obsolete_attachment->update($timestamp);
@@ -607,12 +590,6 @@ sub insert {
 }
 $bug->update($timestamp);
- if ($token) {
- trick_taint($token);
- $dbh->do('UPDATE tokens SET eventdata = ? WHERE token = ?', undef,
- ("create_attachment:" . $attachment->id, $token));
- }
-
 $dbh->bz_commit_transaction;
 # Define the variables and functions that will be passed to the UI template.
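Review bot: The new line `check_token_data($token, 'create_attachment', 'index.cgi');` in the second hunk is now the only CSRF gate in insert(), yet nothing there records that it must fail closed when the form carries no token at all — `my $token = trim($cgi->param('token'));` just yields an empty value in that case, which is exactly the path the removed `if ($token)` guard used to skip. I would put above the call `# CSRF gate: the token must exist, belong to this user and carry the 'create_attachment' action issued by enter(); an absent token must be rejected, not skipped.` and, since check_token_data's body is not in this diff, add a hedged `# presumably falls back to index.cgi when no confirmation page can be offered — confirm in Bugzilla::Token`. The friendly cancel-create-dupe page is gone and single-use behaviour now rests on delete_token() in the following hunk, so a one-line pointer to that in the same comment would spare the next reader a search for the old dupe path. sub insert begins before this hunk and continues after it.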
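Review bot: In the third hunk `delete_token($token);` is handed the value taken straight from `$cgi->param('token')`, whereas the block removed in the last hunk called `trick_taint($token)` before writing that same value to the tokens table; if delete_token does not untaint internally (its body is not in this diff), the DELETE will die under taint mode after Bugzilla::Attachment->create has already run. Either confirm that delete_token untaints, or keep the untaint local with `trick_taint($token);  # validated by check_token_data() above, but still tainted CGI input` directly before the call. Deleting the token before `$dbh->bz_commit_transaction` (visible in the last hunk) is the right place, since a rollback then restores it — assuming the transaction was opened before create(), which is outside the hunk. sub insert starts before and ends after this hunk.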
diff --git a/template/en/default/attachment/cancel-create-dupe.html.tmpl b/template/en/default/attachment/cancel-create-dupe.html.tmpl
deleted file mode 100644
index 643a24ad8..000000000
--- a/template/en/default/attachment/cancel-create-dupe.html.tmpl
+++ /dev/null
@@ -1,48 +0,0 @@
-[%# The contents of this file are subject to the Mozilla Public
- # License Version 1.1 (the "License"); you may not use this file
- # except in compliance with the License. You may obtain a copy of
- # the License at http://www.mozilla.org/MPL/
- #
- # Software distributed under the License is distributed on an "AS
- # IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- # implied. See the License for the specific language governing
- # rights and limitations under the License.
- #
- # The Original Code is the Bugzilla Bug Tracking System.
- #
- # The Initial Developer of the Original Code is Olav Vitters.
- #
- # Contributor(s): Olav Vitters <olav@bkor.dhs.org>
- # David Lawrence <dkl@redhat.com>
- #%]
-
-[%# INTERFACE:
- # bugid: integer. ID of the bug report that this attachment relates to.
- # attachid: integer. ID of the previous attachment recently created.
- #%]
-
-[% PROCESS "global/field-descs.none.tmpl" %]
-
-[% PROCESS global/header.html.tmpl
- title = "Already filed attachment"
-%]
-
-[% USE Bugzilla %]
-
-<table cellpadding="20">
- <tr>
- <td bgcolor="#ff0000">
- <font size="+2">
- You already used the form to file
- <a href="[% urlbase FILTER html %]attachment.cgi?id=[% attachid FILTER uri %]&action=edit">attachment [% attachid FILTER uri %]</a>.
- </font>
- </td>
- </tr>
-</table>
-
-<p>
- You can either <a href="[% urlbase FILTER html %]attachment.cgi?bugid=[% bugid FILTER uri %]&action=enter">
- create a new attachment</a> or [% "go back to $terms.bug $bugid" FILTER bug_link(bugid) FILTER none %].
-<p>
-
-[% PROCESS global/footer.html.tmpl %]