diff options
| author | reed%reedloden.com <> | 2009-03-30 23:02:33 +0200 |
|---|---|---|
| committer | reed%reedloden.com <> | 2009-03-30 23:02:33 +0200 |
| commit | d9041c3f97422fb377c3e8d20129f4ef8517f833 (patch) | |
| tree | 005886bc062295c4050a17c8c7b45331f9fd01fe | |
| parent | e0955c1603559bd8e0b63ccf0331fbde09412dcb (diff) | |
| download | bugzilla-d9041c3f97422fb377c3e8d20129f4ef8517f833.tar.gz bugzilla-d9041c3f97422fb377c3e8d20129f4ef8517f833.tar.xz | |
Bug 476603 - "[SECURITY] Editing attachments doesn't have any CSRF protection" [p=reed r=LpSolit a=LpSolit]
| -rwxr-xr-x | attachment.cgi | 9 | ||||
| -rw-r--r-- | template/en/default/attachment/edit.html.tmpl | 3 | ||||
| -rw-r--r-- | template/en/default/bug/show.xml.tmpl | 10 |
3 files changed, 19 insertions, 3 deletions
diff --git a/attachment.cgi b/attachment.cgi index 16615abae..45d4d7fda 100755 --- a/attachment.cgi +++ b/attachment.cgi @@ -565,6 +565,9 @@ sub update { ($vars->{'operations'}) = Bugzilla::Bug::GetBugActivity($bug->id, $attachment->id, $cgi->param('delta_ts')); + # The token contains the old modification_time. We need a new one. + $cgi->param('token', issue_hash_token([$attachment->id, $attachment->modification_time])); + # If the modification date changed but there is no entry in # the activity table, this means someone commented only. # In this case, there is no reason to midair. @@ -579,6 +582,12 @@ sub update { exit; } } + + # We couldn't do this check earlier as we first had to validate attachment ID + # and display the mid-air collision page if modification_time changed. + my $token = $cgi->param('token'); + check_hash_token($token, [$attachment->id, $attachment->modification_time]); + # If the submitter of the attachment is not in the insidergroup, # be sure that he cannot overwrite the private bit. # This check must be done before calling Bugzilla::Flag*::validate(), diff --git a/template/en/default/attachment/edit.html.tmpl b/template/en/default/attachment/edit.html.tmpl index f461e9e91..95c90871f 100644 --- a/template/en/default/attachment/edit.html.tmpl +++ b/template/en/default/attachment/edit.html.tmpl @@ -171,6 +171,9 @@ <input type="hidden" name="action" value="update"> <input type="hidden" name="contenttypemethod" value="manual"> <input type="hidden" name="delta_ts" value="[% attachment.modification_time FILTER html %]"> + [% IF user.id %] + <input type="hidden" name="token" value="[% issue_hash_token([attachment.id, attachment.modification_time]) FILTER html %]"> + [% END %] <table class="attachment_info" width="100%"> diff --git a/template/en/default/bug/show.xml.tmpl b/template/en/default/bug/show.xml.tmpl index 8fc6ddb3f..cd7f44eff 100644 --- a/template/en/default/bug/show.xml.tmpl +++ b/template/en/default/bug/show.xml.tmpl @@ -103,9 +103,13 @@ <type>[% a.contenttype FILTER xml %]</type> <size>[% a.datasize FILTER xml %]</size> <attacher>[% a.attacher.email FILTER email FILTER xml %]</attacher> - [% IF displayfields.attachmentdata %] - <data encoding="base64">[% a.data FILTER base64 %]</data> - [% END %] + [%# This is here so automated clients can still use attachment.cgi %] + [% IF displayfields.token && user.id %] + <token>[% issue_hash_token([a.id, a.modification_time]) FILTER xml %]</token> + [% END %] + [% IF displayfields.attachmentdata %] + <data encoding="base64">[% a.data FILTER base64 %]</data> + [% END %] [% FOREACH flag = a.flags %] <flag name="[% flag.type.name FILTER xml %]" |