Bug 1175985 - Bugzilla Sensitive Information Disclosure Vulnerability

1 files changed, 17 insertions, 1 deletions

diff --git a/attachment.cgi b/attachment.cgi
index 02dc7efcb..d27c89e9f 100755
--- a/attachment.cgi
+++ b/attachment.cgi
@@ -55,6 +55,8 @@ use Bugzilla::Keyword;
 use Bugzilla::Hook;
 
 use Encode qw(encode find_encoding);
+use URI;
+use URI::QueryParam;
 
 # For most scripts we don't make $cgi and $template global variables. But
 # when preparing Bugzilla for mod_perl, this script used these
@@ -377,12 +379,14 @@ sub view {
 
     # At this point, Bugzilla->login has been called if it had to.
     my $contenttype = $attachment->contenttype;
-    my $filename = $attachment->filename;
+    my $filename    = $attachment->filename;
+    my $contenttype_override = 0;
 
     # Bug 111522: allow overriding content-type manually in the posted form
     # params.
     if (defined $cgi->param('content_type')) {
         $contenttype = $attachment->_check_content_type($cgi->param('content_type'));
+        $contenttype_override = 1;
     }
 
     # Return the appropriate HTTP response headers.
@@ -403,6 +407,18 @@ sub view {
 
     my $disposition = Bugzilla->params->{'allow_attachment_display'} ? 'inline' : 'attachment';
 
+    my $do_redirect = 0;
+    Bugzilla::Hook::process('attachment_should_redirect_login', { do_redirect => \$do_redirect });
+
+    if ($do_redirect) {
+        my $uri = URI->new(correct_urlbase() . 'attachment.cgi');
+        $uri->query_param(id => $attachment->id);
+        $uri->query_param(content_type => $contenttype) if $contenttype_override;
+
+        print $cgi->redirect('-location' => $uri);
+        exit 0;
+    }
+
     # Don't send a charset header with attachments--they might not be UTF-8.
     # However, we do allow people to explicitly specify a charset if they
     # want.