diff options
author | reed%reedloden.com <> | 2009-03-30 23:02:33 +0200 |
---|---|---|
committer | reed%reedloden.com <> | 2009-03-30 23:02:33 +0200 |
commit | d9041c3f97422fb377c3e8d20129f4ef8517f833 (patch) | |
tree | 005886bc062295c4050a17c8c7b45331f9fd01fe /attachment.cgi | |
parent | e0955c1603559bd8e0b63ccf0331fbde09412dcb (diff) | |
download | bugzilla-d9041c3f97422fb377c3e8d20129f4ef8517f833.tar.gz bugzilla-d9041c3f97422fb377c3e8d20129f4ef8517f833.tar.xz |
Bug 476603 - "[SECURITY] Editing attachments doesn't have any CSRF protection" [p=reed r=LpSolit a=LpSolit]
Diffstat (limited to 'attachment.cgi')
-rwxr-xr-x | attachment.cgi | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/attachment.cgi b/attachment.cgi index 16615abae..45d4d7fda 100755 --- a/attachment.cgi +++ b/attachment.cgi @@ -565,6 +565,9 @@ sub update { ($vars->{'operations'}) = Bugzilla::Bug::GetBugActivity($bug->id, $attachment->id, $cgi->param('delta_ts')); + # The token contains the old modification_time. We need a new one. + $cgi->param('token', issue_hash_token([$attachment->id, $attachment->modification_time])); + # If the modification date changed but there is no entry in # the activity table, this means someone commented only. # In this case, there is no reason to midair. @@ -579,6 +582,12 @@ sub update { exit; } } + + # We couldn't do this check earlier as we first had to validate attachment ID + # and display the mid-air collision page if modification_time changed. + my $token = $cgi->param('token'); + check_hash_token($token, [$attachment->id, $attachment->modification_time]); + # If the submitter of the attachment is not in the insidergroup, # be sure that he cannot overwrite the private bit. # This check must be done before calling Bugzilla::Flag*::validate(), |