From d9041c3f97422fb377c3e8d20129f4ef8517f833 Mon Sep 17 00:00:00 2001
From: "reed%reedloden.com" <>
Date: Mon, 30 Mar 2009 21:02:33 +0000
Subject: Bug 476603 - "[SECURITY] Editing attachments doesn't have any CSRF
 protection" [p=reed r=LpSolit a=LpSolit]

---
 attachment.cgi | 9 +++++++++
 1 file changed, 9 insertions(+)

(limited to 'attachment.cgi')

diff --git a/attachment.cgi b/attachment.cgi
index 16615abae..45d4d7fda 100755
--- a/attachment.cgi
+++ b/attachment.cgi
@@ -565,6 +565,9 @@ sub update {
         ($vars->{'operations'}) =
             Bugzilla::Bug::GetBugActivity($bug->id, $attachment->id, $cgi->param('delta_ts'));
 
+        # The token contains the old modification_time. We need a new one.
+        $cgi->param('token', issue_hash_token([$attachment->id, $attachment->modification_time]));
+
         # If the modification date changed but there is no entry in
         # the activity table, this means someone commented only.
         # In this case, there is no reason to midair.
@@ -579,6 +582,12 @@ sub update {
             exit;
         }
     }
+
+    # We couldn't do this check earlier as we first had to validate attachment ID
+    # and display the mid-air collision page if modification_time changed.
+    my $token = $cgi->param('token');
+    check_hash_token($token, [$attachment->id, $attachment->modification_time]);
+
     # If the submitter of the attachment is not in the insidergroup,
     # be sure that he cannot overwrite the private bit.
     # This check must be done before calling Bugzilla::Flag*::validate(),
-- 
cgit v1.2.3-24-g4f1b