diff options
| author | lpsolit%gmail.com <> | 2009-12-30 15:54:28 +0100 |
|---|---|---|
| committer | lpsolit%gmail.com <> | 2009-12-30 15:54:28 +0100 |
| commit | 8ae3947f54cf1ee266b2f6145bd6320ecaeb9948 (patch) | |
| tree | 75cacdfcb81e988788edcba3f0c9038c7d80151b /attachment.cgi | |
| parent | 202d74c2bd67b143430220515200b52c1fc0e51d (diff) | |
| download | bugzilla-8ae3947f54cf1ee266b2f6145bd6320ecaeb9948.tar.gz bugzilla-8ae3947f54cf1ee266b2f6145bd6320ecaeb9948.tar.xz | |
Bug 532518: Credentials are not checked correctly when viewing one attachment from another bug's alternate host - Patch by Frédéric Buclin <LpSolit@gmail.com> r=mkanat a=LpSolit
Diffstat (limited to 'attachment.cgi')
| -rwxr-xr-x | attachment.cgi | 49 |
1 files changed, 28 insertions, 21 deletions
diff --git a/attachment.cgi b/attachment.cgi index 20a96d09d..0181f8cad 100755 --- a/attachment.cgi +++ b/attachment.cgi @@ -249,8 +249,34 @@ sub view { # Make sure the attachment is served from the correct server. my $bug_id = $attachment->bug_id; - if (!$cgi->url_is_attachment_base($bug_id)) { - # We couldn't call Bugzilla->login earlier as we first had to + if ($cgi->url_is_attachment_base($bug_id)) { + # No need to validate the token for public attachments. We cannot request + # credentials as we are on the alternate host. + if (!attachmentIsPublic($attachment)) { + my $token = $cgi->param('t'); + my ($userid, undef, $token_attach_id) = Bugzilla::Token::GetTokenData($token); + unless ($userid + && detaint_natural($token_attach_id) + && ($token_attach_id == $attachment->id)) + { + # Not a valid token. + print $cgi->redirect('-location' => correct_urlbase() . $path); + exit; + } + # Change current user without creating cookies. + Bugzilla->set_user(new Bugzilla::User($userid)); + # Tokens are single use only, delete it. + delete_token($token); + } + } + elsif ($cgi->url_is_attachment_base) { + # If we come here, this means that each bug has its own host + # for attachments, and that we are trying to view one attachment + # using another bug's host. That's not desired. + $cgi->redirect_to_urlbase; + } + else { + # We couldn't call Bugzilla->login earlier as we first had to # make sure we were not going to request credentials on the # alternate host. Bugzilla->login(); @@ -270,25 +296,6 @@ sub view { print $cgi->redirect(-location => $attachbase . "$path&t=$token"); exit; } - } else { - # No need to validate the token for public attachments. We cannot request - # credentials as we are on the alternate host. - if (!attachmentIsPublic($attachment)) { - my $token = $cgi->param('t'); - my ($userid, undef, $token_attach_id) = Bugzilla::Token::GetTokenData($token); - unless ($userid - && detaint_natural($token_attach_id) - && ($token_attach_id == $attachment->id)) - { - # Not a valid token. - print $cgi->redirect('-location' => correct_urlbase() . $path); - exit; - } - # Change current user without creating cookies. - Bugzilla->set_user(new Bugzilla::User($userid)); - # Tokens are single use only, delete it. - delete_token($token); - } } } else { do_ssl_redirect_if_required(); |