diff options
author | Dylan Hardison <dylan@mozilla.com> | 2016-03-01 14:14:24 +0100 |
---|---|---|
committer | Dylan Hardison <dylan@mozilla.com> | 2016-03-01 14:14:24 +0100 |
commit | 4d956493207d37a7d9a24d398d86a8cf1ce86c2d (patch) | |
tree | 2bef56b70bbc4f6189a639431f442070a59f961a /extensions/BMO/Extension.pm | |
parent | 1d3186c171465b173a42f8ecd168662eccccc4d1 (diff) | |
download | bugzilla-4d956493207d37a7d9a24d398d86a8cf1ce86c2d.tar.gz bugzilla-4d956493207d37a7d9a24d398d86a8cf1ce86c2d.tar.xz |
Bug 1252219 - Attachment bounty form is vulnerable to CSRF and persistent XSS
Diffstat (limited to 'extensions/BMO/Extension.pm')
-rw-r--r-- | extensions/BMO/Extension.pm | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/extensions/BMO/Extension.pm b/extensions/BMO/Extension.pm index 3ca3165fe..35ce9b8d6 100644 --- a/extensions/BMO/Extension.pm +++ b/extensions/BMO/Extension.pm @@ -257,6 +257,9 @@ sub bounty_attachment { ThrowUserError('bounty_attachment_missing_reporter') unless $input->{reporter_email}; + check_hash_token($input->{token}, ['bounty', $bug->id]); + delete_token($input->{token}); + my @fields = qw( reporter_email amount_paid reported_date fixed_date awarded_date publish ); my %form = map { $_ => $input->{$_} } @fields; $form{credit} = [ grep { defined } map { $input->{"credit_$_"} } 1..3 ]; @@ -301,6 +304,7 @@ sub bounty_attachment { $vars->{form}{fixed_date} = format_time($bug->cf_last_resolved, "%Y-%m-%d"), } } + $vars->{form}{token} = issue_hash_token(['bounty', $bug->id]); } sub _attachment_is_bounty_attachment { @@ -309,6 +313,8 @@ sub _attachment_is_bounty_attachment { return 0 unless $attachment->filename eq 'bugbounty.data'; return 0 unless $attachment->contenttype eq 'text/plain'; return 0 unless $attachment->isprivate; + return 0 unless $attachment->attacher->in_group('bounty-team'); + return $attachment->description =~ /^(?:[^,]*,)+[^,]*$/; } |