diff options
Diffstat (limited to 'attachment.cgi')
| -rwxr-xr-x | attachment.cgi | 31 |
1 files changed, 31 insertions, 0 deletions
diff --git a/attachment.cgi b/attachment.cgi index 937087a51..2520c0032 100755 --- a/attachment.cgi +++ b/attachment.cgi @@ -327,6 +327,7 @@ sub enter { 'component_id' => $bug->component_id}); $vars->{'flag_types'} = $flag_types; $vars->{'any_flags_requesteeble'} = grep($_->is_requesteeble, @$flag_types); + $vars->{'token'} = issue_session_token('createattachment:'); print $cgi->header(); @@ -348,6 +349,30 @@ sub insert { validateCanChangeBug($bugid); my ($timestamp) = Bugzilla->dbh->selectrow_array("SELECT NOW()"); + # Detect if the user already used the same form to submit an attachment + my $token = trim($cgi->param('token')); + if ($token) { + my ($creator_id, $date, $old_attach_id) = Bugzilla::Token::GetTokenData($token); + unless ($creator_id + && ($creator_id == $user->id) + && ($old_attach_id =~ "^createattachment:")) + { + # The token is invalid. + ThrowUserError('token_does_not_exist'); + } + + $old_attach_id =~ s/^createattachment://; + + if ($old_attach_id) { + $vars->{'bugid'} = $bugid; + $vars->{'attachid'} = $old_attach_id; + print $cgi->header(); + $template->process("attachment/cancel-create-dupe.html.tmpl", $vars) + || ThrowTemplateError($template->error()); + exit; + } + } + my $bug = new Bugzilla::Bug($bugid); my $attachment = Bugzilla::Attachment->insert_attachment_for_bug(THROW_ERROR, $bug, $user, @@ -379,6 +404,12 @@ sub insert { } $bug->update($timestamp); + if ($token) { + trick_taint($token); + $dbh->do('UPDATE tokens SET eventdata = ? WHERE token = ?', undef, + ("createattachment:" . $attachment->id, $token)); + } + $dbh->bz_commit_transaction; # Define the variables and functions that will be passed to the UI template. |