summaryrefslogtreecommitdiffstats
path: root/attachment.cgi
diff options
context:
space:
mode:
Diffstat (limited to 'attachment.cgi')
-rwxr-xr-xattachment.cgi2
1 files changed, 2 insertions, 0 deletions
diff --git a/attachment.cgi b/attachment.cgi
index d27c89e9f..78023560d 100755
--- a/attachment.cgi
+++ b/attachment.cgi
@@ -315,6 +315,8 @@ sub get_attachment {
# Replace %bugid% by the ID of the bug the attachment
# belongs to, if present.
$attachbase =~ s/\%bugid\%/$bug_id/;
+ # To avoid leaking information we redirect using the attachment ID only
+ $path = 'attachment.cgi?' . join('&', map { 'id=' . $attachments{$_}->id } keys %attachments);
if (all_attachments_are_public(\%attachments)) {
# No need for a token; redirect to attachment base.
print $cgi->redirect(-location => $attachbase . $path);