From 8d70890dc0b7c24b25a344808ac4e63e6a5dd74e Mon Sep 17 00:00:00 2001 From: "lpsolit%gmail.com" <> Date: Mon, 2 Feb 2009 18:21:33 +0000 Subject: Bug 38862: [SECURITY] attachments should be at a different hostname - Patch by Byron Jones and Frédéric Buclin r=mkanat a=LpSolit MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- Bugzilla/CGI.pm | 24 ++++++++++++++++++++++++ Bugzilla/Config/Attachment.pm | 7 +++++++ Bugzilla/Util.pm | 14 +++++++++++++- 3 files changed, 44 insertions(+), 1 deletion(-) (limited to 'Bugzilla') diff --git a/Bugzilla/CGI.pm b/Bugzilla/CGI.pm index 68d3ef69d..d7934f89b 100644 --- a/Bugzilla/CGI.pm +++ b/Bugzilla/CGI.pm @@ -71,6 +71,18 @@ sub new { # Send appropriate charset $self->charset(Bugzilla->params->{'utf8'} ? 'UTF-8' : ''); + # Redirect to urlbase/sslbase if we are not viewing an attachment. + if (use_attachbase() && i_am_cgi()) { + my $cgi_file = $self->url('-path_info' => 0, '-query' => 0, '-relative' => 1); + $cgi_file =~ s/\?$//; + my $urlbase = Bugzilla->params->{'urlbase'}; + my $sslbase = Bugzilla->params->{'sslbase'}; + my $path_regexp = $sslbase ? qr/^(\Q$urlbase\E|\Q$sslbase\E)/ : qr/^\Q$urlbase\E/; + if ($cgi_file ne 'attachment.cgi' && $self->self_url !~ /$path_regexp/) { + $self->redirect_to_urlbase; + } + } + # Check for errors # All of the Bugzilla code wants to do this, so do it here instead of # in each script @@ -351,6 +363,14 @@ sub require_https { exit; } +# Redirect to the urlbase version of the current URL. +sub redirect_to_urlbase { + my $self = shift; + my $path = $self->url('-path_info' => 1, '-query' => 1, '-relative' => 1); + print $self->redirect('-location' => correct_urlbase() . $path); + exit; +} + 1; __END__ 
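Review bot: The exemption `$cgi_file ne 'attachment.cgi'` in the block added to sub new keeps every attachment.cgi request on the alternate host, not only attachment viewing, so any non-view action of that script also runs outside urlbase unless attachment.cgi itself sends such actions back; that script is not part of this patch, so I cannot see whether it does. A comment stating that contract would help the next reader, e.g. `# attachment.cgi is exempt so attachment content can be served from attachment_base; it is expected to send non-view actions back to urlbase itself.` The anchored `$path_regexp` match is case-sensitive while hostnames are not, so a Host header that differs from urlbase only in case is redirected rather than matched; this is harmless because the redirect target is the canonical urlbase, but worth a word in the comment. sub new starts before and continues after the hunk.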
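Review bot: `redirect_to_urlbase` rebuilds the target from `url('-query' => 1, ...)`, and CGI.pm's query string for a POST request is presumably assembled from the submitted parameters, so a form posted to the attachment host would be re-issued as a GET with its fields in the Location URL, where they end up in browser history and in proxy and server logs. Consider carrying the query over only for GET requests, e.g. `my $path = $self->url('-path_info' => 1, '-query' => ($self->request_method eq 'GET' ? 1 : 0), '-relative' => 1);`, and extending the header comment to say that the method prints the redirect and never returns because of the `exit`.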
@@ -421,6 +441,10 @@ If the client is using XMLRPC, it will not retain the QUERY_STRING since XMLRPC It takes an optional argument which will be used as the base URL. If $baseurl is not provided, the current URL is used. +=item C + +Redirects from the current URL to one prefixed by the urlbase parameter. + =back =head1 SEE ALSO diff --git a/Bugzilla/Config/Attachment.pm b/Bugzilla/Config/Attachment.pm index 72ad29a2d..17dbe4068 100644 --- a/Bugzilla/Config/Attachment.pm +++ b/Bugzilla/Config/Attachment.pm @@ -40,6 +40,13 @@ $Bugzilla::Config::Attachment::sortkey = "025"; sub get_param_list { my $class = shift; my @param_list = ( + { + name => 'attachment_base', + type => 't', + default => '', + checker => \&check_urlbase + }, + { name => 'allow_attachment_deletion', type => 'b', diff --git a/Bugzilla/Util.pm b/Bugzilla/Util.pm index 01f824c5b..951c4df3c 100644 --- a/Bugzilla/Util.pm +++ b/Bugzilla/Util.pm @@ -36,7 +36,7 @@ use base qw(Exporter); html_quote url_quote xml_quote css_class_quote html_light_quote url_decode i_am_cgi get_netaddr correct_urlbase - lsearch ssl_require_redirect + lsearch ssl_require_redirect use_attachbase diff_arrays diff_strings trim wrap_hard wrap_comment find_wrap_point format_time format_time_decimal validate_date @@ -294,6 +294,13 @@ sub correct_urlbase { return Bugzilla->params->{'urlbase'}; } +sub use_attachbase { + my $attachbase = Bugzilla->params->{'attachment_base'}; + return ($attachbase ne '' + && $attachbase ne Bugzilla->params->{'urlbase'} + && $attachbase ne Bugzilla->params->{'sslbase'}) ? 1 : 0; +} + sub lsearch { my ($list,$item) = (@_); my $count = 0; @@ -803,6 +810,11 @@ cookies) to only some addresses. Returns either the C or C parameter, depending on the current setting for the C parameter. +=item C + +Returns true if an alternate host is used to display attachments; false +otherwise. + =back =head2 Searching -- cgit v1.2.3-24-g4f1b
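Review bot: The new `attachment_base` parameter reuses `check_urlbase` as its checker, which, going by its name and its existing use for urlbase, validates only the URL's form; it does not reject a value equal to urlbase or sslbase, and with such a value `use_attachbase()` in Bugzilla/Util.pm returns 0 so attachments are silently served from the main host again. A dedicated checker (say `check_attachment_base`) that first delegates to `check_urlbase` and then returns an error when the value equals the urlbase or sslbase parameter would surface the misconfiguration in the admin UI instead of silently disabling the separation. The parameter's purpose is not described anywhere in this patch; the admin parameter description template should explain that it must be a different hostname from urlbase/sslbase to have any effect. get_param_list continues outside the hunk.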
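Review bot: `use_attachbase` decides by exact string comparison with `ne`, so an attachment_base that differs from urlbase or sslbase only in hostname case or in the path component still counts as a separate attachment host although it shares the origin and provides no isolation. Comparing the scheme and host parts case-insensitively would match the intent better; at minimum lowercasing before comparing, `my $attachbase = lc Bugzilla->params->{'attachment_base'};` together with `lc` on the two parameters it is compared against, catches the case variant. The POD added at the end of the file could also state that the value is compared against urlbase and sslbase, which is why the function is false when they coincide.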