authorDavid Lawrence <dkl@mozilla.com>2016-03-01 14:13:53 +0100
committerDylan Hardison <dylan@mozilla.com>2016-03-01 14:21:23 +0100
commite5b9aa6ef469adb5db2ff4b7575342bd79fd450a (patch)
treedde9651c912b6d3f55ff99904f79d9673f624e81
parent4d956493207d37a7d9a24d398d86a8cf1ce86c2d (diff)
Bug 1252216 - Push extension configuration is vulnerable to CSRF and potentially code execution
-rw-r--r--extensions/Push/lib/Admin.pm4
-rw-r--r--extensions/Push/lib/Connector/File.pm2
-rw-r--r--extensions/Push/template/en/default/pages/push_config.html.tmpl1
3 files changed, 7 insertions, 0 deletions
diff --git a/extensions/Push/lib/Admin.pm b/extensions/Push/lib/Admin.pm
index f579409bd..e11415ea6 100644
--- a/extensions/Push/lib/Admin.pm
+++ b/extensions/Push/lib/Admin.pm
@@ -13,6 +13,7 @@ use warnings;
use Bugzilla;
use Bugzilla::Error;
use Bugzilla::Extension::Push::Util;
+use Bugzilla::Token qw(check_hash_token delete_token);
use Bugzilla::Util qw(trim detaint_natural trick_taint);
use base qw(Exporter);
@@ -28,6 +29,9 @@ sub admin_config {
my $input = Bugzilla->input_params;
if ($input->{save}) {
+ my $token = $input->{token};
+ check_hash_token($token, ['push_config']);
+ delete_token($token);
my $dbh = Bugzilla->dbh;
$dbh->bz_start_transaction();
_update_config_from_form('global', $push->config);
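Review bot: The `delete_token($token)` call after `check_hash_token` does not appear to give the save its own one-shot semantics, because the token the form carries is produced by `issue_hash_token` (see the template hunk), which as far as I can tell is a stateless time-plus-HMAC value rather than a row in the tokens table, so there is nothing for `delete_token` to remove and a captured token can be resubmitted until it ages out. That is the normal behaviour for Bugzilla hash tokens and is sufficient against CSRF; if a single-use token is actually wanted here, the stateful pair `issue_session_token`/`check_token_data` would be needed instead. A short comment would save the next reader the same question, e.g. `# CSRF guard: hash tokens are stateless, delete_token is a no-op here`. The enclosing `admin_config` sub starts before this hunk and continues past it.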
diff --git a/extensions/Push/lib/Connector/File.pm b/extensions/Push/lib/Connector/File.pm
index 2a8f4193d..563a78567 100644
--- a/extensions/Push/lib/Connector/File.pm
+++ b/extensions/Push/lib/Connector/File.pm
@@ -34,6 +34,8 @@ sub options {
my $filename = shift;
$filename =~ m#^/#
&& die "Absolute paths are not permitted\n";
+ $filename =~ m#\.\.#
+ && die "Relative paths are not permitted\n";
},
},
);
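Review bot: The new `m#\.\.#` check rejects any filename containing two consecutive dots anywhere, so a legitimate name such as `push..log` or `events...txt` is refused with a message about relative paths, while what the check is meant to stop is a `..` path component. Anchoring the match on component boundaries keeps the protection and drops the false positives: `$filename =~ m{(?:\A|/)\.\.(?:/|\z)} && die "Relative paths are not permitted\n";`. Since this validator only blacklists two patterns, an allowlist of the characters a filename may contain (for example `$filename =~ m{\A[\w./-]+\z} or die "Invalid filename\n";`) placed before the two existing checks would be the more robust shape, as it also excludes newlines and shell metacharacters that later consumers of the path may not expect. The `options` sub whose validator this is starts before the hunk.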
diff --git a/extensions/Push/template/en/default/pages/push_config.html.tmpl b/extensions/Push/template/en/default/pages/push_config.html.tmpl
index 6e6507a39..3783ecad6 100644
--- a/extensions/Push/template/en/default/pages/push_config.html.tmpl
+++ b/extensions/Push/template/en/default/pages/push_config.html.tmpl
@@ -31,6 +31,7 @@ var push_defaults = new Array();
<form method="POST" action="page.cgi">
<input type="hidden" name="id" value="push_config.html">
<input type="hidden" name="save" value="1">
+<input type="hidden" id="token" name="token" value="[% issue_hash_token(['push_config']) FILTER html %]">
<table border="0" cellspacing="0" cellpadding="5" width="100%">