authorDylan William Hardison <dylan@hardison.net>2015-07-21 17:19:15 +0200
committerDylan William Hardison <dylan@hardison.net>2015-07-21 17:26:14 +0200
commitde49ecc0ca26af7d391286d1a4b17af11920a1fd (patch)
treec5722989c36fe8b0b452c48d09088c6d8a6def5c
parentc53d646eec8907a4e9cb027c34bb93801f3c9fdc (diff)
Bug 1175985 - Bugzilla Sensitive Information Disclosure Vulnerability
-rwxr-xr-xattachment.cgi18
-rw-r--r--extensions/GitHubAuth/Extension.pm9
-rw-r--r--extensions/Persona/Extension.pm9
3 files changed, 35 insertions, 1 deletions
diff --git a/attachment.cgi b/attachment.cgi
index 02dc7efcb..d27c89e9f 100755
--- a/attachment.cgi
+++ b/attachment.cgi
@@ -55,6 +55,8 @@ use Bugzilla::Keyword;
use Bugzilla::Hook;
use Encode qw(encode find_encoding);
+use URI;
+use URI::QueryParam;
# For most scripts we don't make $cgi and $template global variables. But
# when preparing Bugzilla for mod_perl, this script used these
@@ -377,12 +379,14 @@ sub view {
# At this point, Bugzilla->login has been called if it had to.
my $contenttype = $attachment->contenttype;
- my $filename = $attachment->filename;
+ my $filename = $attachment->filename;
+ my $contenttype_override = 0;
# Bug 111522: allow overriding content-type manually in the posted form
# params.
if (defined $cgi->param('content_type')) {
$contenttype = $attachment->_check_content_type($cgi->param('content_type'));
+ $contenttype_override = 1;
}
# Return the appropriate HTTP response headers.
@@ -403,6 +407,18 @@ sub view {
my $disposition = Bugzilla->params->{'allow_attachment_display'} ? 'inline' : 'attachment';
+ my $do_redirect = 0;
+ Bugzilla::Hook::process('attachment_should_redirect_login', { do_redirect => \$do_redirect });
+
+ if ($do_redirect) {
+ my $uri = URI->new(correct_urlbase() . 'attachment.cgi');
+ $uri->query_param(id => $attachment->id);
+ $uri->query_param(content_type => $contenttype) if $contenttype_override;
+
+ print $cgi->redirect('-location' => $uri);
+ exit 0;
+ }
+
# Don't send a charset header with attachments--they might not be UTF-8.
# However, we do allow people to explicitly specify a charset if they
# want.
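Review bot: The redirect issued at `print $cgi->redirect('-location' => $uri)` carries no comment saying why a request that a login extension flags must be bounced to a fresh attachment URL before the body is served, and the new hook name `attachment_should_redirect_login` is not documented anywhere in this change (the diffstat lists only attachment.cgi and the two extensions, not Bugzilla/Hook.pm, where hooks appear to be documented). Suggest a comment above the `Bugzilla::Hook::process` call such as `# A login extension may have left its tokens in this request's query string; redirect to a clean URL (id plus the validated content_type only) so the attachment served next cannot observe them.` — the mechanism is inferred from the fix, so confirm the wording against the bug. Every other query parameter of the original request is dropped by the rebuilt URL, so it is worth confirming that attachment.cgi treats an id-only URL as a view request. The `view` sub starts and ends outside the hunk.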
diff --git a/extensions/GitHubAuth/Extension.pm b/extensions/GitHubAuth/Extension.pm
index dee927165..d68934be4 100644
--- a/extensions/GitHubAuth/Extension.pm
+++ b/extensions/GitHubAuth/Extension.pm
@@ -54,6 +54,15 @@ sub template_before_create {
};
}
+sub attachment_should_redirect_login {
+ my ($self, $args) = @_;
+ my $cgi = Bugzilla->cgi;
+
+ if ($cgi->param('github_state') || $cgi->param('github_email')) {
+ ${$args->{do_redirect}} = 1;
+ }
+}
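Review bot: The new hook sets `${$args->{do_redirect}} = 1` whenever the request still carries GitHub login parameters, but nothing in the sub records what the caller does with that flag or why it matters for attachment viewing, which a reader of this extension alone cannot see. Suggest a comment above the `if`, such as `# The request still carries GitHub login parameters; ask attachment.cgi to redirect to a clean attachment URL before serving any content.`, hedged to match whatever the core side documents for the hook. The same applies to the identical `attachment_should_redirect_login` hook added to extensions/Persona/Extension.pm below, which tests `persona_assertion`.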
+
sub auth_login_methods {
my ($self, $args) = @_;
my $modules = $args->{'modules'};
diff --git a/extensions/Persona/Extension.pm b/extensions/Persona/Extension.pm
index f288702e8..2c8e46add 100644
--- a/extensions/Persona/Extension.pm
+++ b/extensions/Persona/Extension.pm
@@ -64,6 +64,15 @@ sub config_modify_panels {
}
}
+sub attachment_should_redirect_login {
+ my ($self, $args) = @_;
+ my $cgi = Bugzilla->cgi;
+
+ if ($cgi->param("persona_assertion")) {
+ ${$args->{do_redirect}} = 1;
+ }
+}
+
sub config_add_panels {
my ($self, $args) = @_;
my $modules = $args->{panel_modules};