authorFrédéric Buclin <LpSolit@gmail.com>2013-10-16 18:57:17 +0200
committerFrédéric Buclin <LpSolit@gmail.com>2013-10-16 18:57:17 +0200
commit637fb098a0293fc3c2e83bb824a28e1843ae23fc (patch)
tree9d3a3582b2ae8728d3d99a63b392b9ec046adeca
parente78f6c00cd7cb6291641dfbea3d1c201c0944d5a (diff)
Bug 911593: (CVE-2013-1733) [SECURITY] CSRF in process_bug.cgi
r=dkl a=sgreen
-rwxr-xr-xprocess_bug.cgi23
1 files changed, 12 insertions, 11 deletions
diff --git a/process_bug.cgi b/process_bug.cgi
index 21113c2e9..2944e6cf5 100755
--- a/process_bug.cgi
+++ b/process_bug.cgi
@@ -111,25 +111,24 @@ print $cgi->header() unless Bugzilla->usage_mode == USAGE_MODE_EMAIL;
# Check for a mid-air collision. Currently this only works when updating
# an individual bug.
-if (defined $cgi->param('delta_ts'))
-{
- my $delta_ts_z = datetime_from($cgi->param('delta_ts'));
+my $delta_ts = $cgi->param('delta_ts');
+
+if ($delta_ts) {
+ my $delta_ts_z = datetime_from($delta_ts)
+ or ThrowCodeError('invalid_timestamp', { timestamp => $delta_ts });
+
my $first_delta_tz_z = datetime_from($first_bug->delta_ts);
- if ($first_delta_tz_z ne $delta_ts_z) {
- ($vars->{'operations'}) = $first_bug->get_activity(undef, $cgi->param('delta_ts'));
- ThrowCodeError('undefined_field', { field => 'longdesclength' })
- if !defined $cgi->param('longdesclength');
+ if ($first_delta_tz_z ne $delta_ts_z) {
+ ($vars->{'operations'}) = $first_bug->get_activity(undef, $delta_ts);
- my $start_at = $cgi->param('longdesclength');
+ my $start_at = $cgi->param('longdesclength')
+ or ThrowCodeError('undefined_field', { field => 'longdesclength' });
# Always sort midair collision comments oldest to newest,
# regardless of the user's personal preference.
my $comments = $first_bug->comments({ order => "oldest_to_newest" });
- # The token contains the old delta_ts. We need a new one.
- $cgi->param('token', issue_hash_token([$first_bug->id, $first_bug->delta_ts]));
-
# Show midair if previous changes made other than CC
# and/or one or more comments were made
my $do_midair = scalar @$comments > $start_at ? 1 : 0;
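Review bot: The new `my $start_at = $cgi->param('longdesclength') or ThrowCodeError(...)` at L41-42 replaces the old `!defined` test with a truthiness test, so a submitted value of `0` (or an empty string) now raises undefined_field, and any non-numeric value still reaches the numeric comparison `scalar @$comments > $start_at` a few lines down, where it evaluates as 0 with a warning. In practice a bug's comment count should be at least one if the description counts as a comment, so the `0` case may be unreachable, but the parameter is client-supplied and should be validated as a natural number rather than merely truthy: `my $start_at = $cgi->param('longdesclength');` followed by `ThrowCodeError('undefined_field', { field => 'longdesclength' }) unless defined $start_at && $start_at =~ /\A\d+\z/;`. The same `or`-based idiom at L30-31 is fine because `0` is not a valid timestamp anyway. The enclosing `if ($delta_ts)` block continues past the end of this hunk.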
@@ -149,6 +148,8 @@ if (defined $cgi->param('delta_ts'))
$vars->{'start_at'} = $start_at;
$vars->{'comments'} = $comments;
$vars->{'bug'} = $first_bug;
+ # The token contains the old delta_ts. We need a new one.
+ $cgi->param('token', issue_hash_token([$first_bug->id, $first_bug->delta_ts]));
# Warn the user about the mid-air collision and ask them what to do.
$template->process("bug/process/midair.html.tmpl", $vars)