summaryrefslogtreecommitdiffstats
path: root/attachment.cgi
diff options
context:
space:
mode:
authorreed%reedloden.com <>2009-03-30 23:02:33 +0200
committerreed%reedloden.com <>2009-03-30 23:02:33 +0200
commitd9041c3f97422fb377c3e8d20129f4ef8517f833 (patch)
tree005886bc062295c4050a17c8c7b45331f9fd01fe /attachment.cgi
parente0955c1603559bd8e0b63ccf0331fbde09412dcb (diff)
downloadbugzilla-d9041c3f97422fb377c3e8d20129f4ef8517f833.tar.gz
bugzilla-d9041c3f97422fb377c3e8d20129f4ef8517f833.tar.xz
Bug 476603 - "[SECURITY] Editing attachments doesn't have any CSRF protection" [p=reed r=LpSolit a=LpSolit]
Diffstat (limited to 'attachment.cgi')
-rwxr-xr-xattachment.cgi9
1 files changed, 9 insertions, 0 deletions
diff --git a/attachment.cgi b/attachment.cgi
index 16615abae..45d4d7fda 100755
--- a/attachment.cgi
+++ b/attachment.cgi
@@ -565,6 +565,9 @@ sub update {
($vars->{'operations'}) =
Bugzilla::Bug::GetBugActivity($bug->id, $attachment->id, $cgi->param('delta_ts'));
+ # The token contains the old modification_time. We need a new one.
+ $cgi->param('token', issue_hash_token([$attachment->id, $attachment->modification_time]));
+
# If the modification date changed but there is no entry in
# the activity table, this means someone commented only.
# In this case, there is no reason to midair.
@@ -579,6 +582,12 @@ sub update {
exit;
}
}
+
+ # We couldn't do this check earlier as we first had to validate attachment ID
+ # and display the mid-air collision page if modification_time changed.
+ my $token = $cgi->param('token');
+ check_hash_token($token, [$attachment->id, $attachment->modification_time]);
+
# If the submitter of the attachment is not in the insidergroup,
# be sure that he cannot overwrite the private bit.
# This check must be done before calling Bugzilla::Flag*::validate(),