From 2e19756821f33549ea0bb729b1826145ba0a4a67 Mon Sep 17 00:00:00 2001
From: Reed Loden <reed@reedloden.com>
Date: Mon, 21 Nov 2011 14:06:15 -0800
Subject: Bug 703983 - CSRF vulnerability in attachment.cgi allows possible
 unauthorized attachment creation [r=LpSolit a=LpSolit]

---
 attachment.cgi | 33 +++++----------------------------
 1 file changed, 5 insertions(+), 28 deletions(-)

(limited to 'attachment.cgi')

diff --git a/attachment.cgi b/attachment.cgi
index f0e818abe..35afc227e 100755
--- a/attachment.cgi
+++ b/attachment.cgi
@@ -512,7 +512,7 @@ sub enter {
     $vars->{'flag_types'} = $flag_types;
     $vars->{'any_flags_requesteeble'} =
         grep { $_->is_requestable && $_->is_requesteeble } @$flag_types;
-    $vars->{'token'} = issue_session_token('create_attachment:');
+    $vars->{'token'} = issue_session_token('create_attachment');
 
     print $cgi->header();
 
@@ -535,27 +535,7 @@ sub insert {
 
     # Detect if the user already used the same form to submit an attachment
     my $token = trim($cgi->param('token'));
-    if ($token) {
-        my ($creator_id, $date, $old_attach_id) = Bugzilla::Token::GetTokenData($token);
-        unless ($creator_id 
-            && ($creator_id == $user->id) 
-                && ($old_attach_id =~ "^create_attachment:")) 
-        {
-            # The token is invalid.
-            ThrowUserError('token_does_not_exist');
-        }
-    
-        $old_attach_id =~ s/^create_attachment://;
-   
-        if ($old_attach_id) {
-            $vars->{'bugid'} = $bugid;
-            $vars->{'attachid'} = $old_attach_id;
-            print $cgi->header();
-            $template->process("attachment/cancel-create-dupe.html.tmpl",  $vars)
-                || ThrowTemplateError($template->error());
-            exit;
-        }
-    }
+    check_token_data($token, 'create_attachment', 'index.cgi');
 
     # Check attachments the user tries to mark as obsolete.
     my @obsolete_attachments;
@@ -581,6 +561,9 @@ sub insert {
          mimetype      => $content_type,
          });
 
+    # Delete the token used to create this attachment.
+    delete_token($token);
+
     foreach my $obsolete_attachment (@obsolete_attachments) {
         $obsolete_attachment->set_is_obsolete(1);
         $obsolete_attachment->update($timestamp);
@@ -618,12 +601,6 @@ sub insert {
   }
   $bug->update($timestamp);
 
-  if ($token) {
-      trick_taint($token);
-      $dbh->do('UPDATE tokens SET eventdata = ? WHERE token = ?', undef,
-               ("create_attachment:" . $attachment->id, $token));
-  }
-
   $dbh->bz_commit_transaction;
 
   # Define the variables and functions that will be passed to the UI template.
-- 
cgit v1.2.3-24-g4f1b