From e5b9aa6ef469adb5db2ff4b7575342bd79fd450a Mon Sep 17 00:00:00 2001 From: David Lawrence Date: Tue, 1 Mar 2016 08:13:53 -0500 Subject: Bug 1252216 - Push extension configuration is vulnerable to CSRF and potentially code execution --- extensions/Push/lib/Admin.pm | 4 ++++ extensions/Push/lib/Connector/File.pm | 2 ++ extensions/Push/template/en/default/pages/push_config.html.tmpl | 1 + 3 files changed, 7 insertions(+) diff --git a/extensions/Push/lib/Admin.pm b/extensions/Push/lib/Admin.pm index f579409bd..e11415ea6 100644 --- a/extensions/Push/lib/Admin.pm +++ b/extensions/Push/lib/Admin.pm @@ -13,6 +13,7 @@ use warnings; use Bugzilla; use Bugzilla::Error; use Bugzilla::Extension::Push::Util; +use Bugzilla::Token qw(check_hash_token delete_token); use Bugzilla::Util qw(trim detaint_natural trick_taint); use base qw(Exporter); @@ -28,6 +29,9 @@ sub admin_config { my $input = Bugzilla->input_params; if ($input->{save}) { + my $token = $input->{token}; + check_hash_token($token, ['push_config']); + delete_token($token); my $dbh = Bugzilla->dbh; $dbh->bz_start_transaction(); _update_config_from_form('global', $push->config); diff --git a/extensions/Push/lib/Connector/File.pm b/extensions/Push/lib/Connector/File.pm index 2a8f4193d..563a78567 100644 --- a/extensions/Push/lib/Connector/File.pm +++ b/extensions/Push/lib/Connector/File.pm @@ -34,6 +34,8 @@ sub options { my $filename = shift; $filename =~ m#^/# && die "Absolute paths are not permitted\n"; + $filename =~ m#\.\.# + && die "Relative paths are not permitted\n"; }, }, ); diff --git a/extensions/Push/template/en/default/pages/push_config.html.tmpl b/extensions/Push/template/en/default/pages/push_config.html.tmpl index 6e6507a39..3783ecad6 100644 --- a/extensions/Push/template/en/default/pages/push_config.html.tmpl +++ b/extensions/Push/template/en/default/pages/push_config.html.tmpl @@ -31,6 +31,7 @@ var push_defaults = new Array();
+ -- cgit v1.2.3-24-g4f1b