From 4d956493207d37a7d9a24d398d86a8cf1ce86c2d Mon Sep 17 00:00:00 2001 From: Dylan Hardison Date: Tue, 1 Mar 2016 08:14:24 -0500 Subject: Bug 1252219 - Attachment bounty form is vulnerable to CSRF and persistent XSS --- extensions/BMO/Extension.pm | 6 ++++++ .../en/default/pages/attachment_bounty_form.html.tmpl | 19 ++++++++++--------- 2 files changed, 16 insertions(+), 9 deletions(-) (limited to 'extensions') diff --git a/extensions/BMO/Extension.pm b/extensions/BMO/Extension.pm index 3ca3165fe..35ce9b8d6 100644 --- a/extensions/BMO/Extension.pm +++ b/extensions/BMO/Extension.pm @@ -257,6 +257,9 @@ sub bounty_attachment { ThrowUserError('bounty_attachment_missing_reporter') unless $input->{reporter_email}; + check_hash_token($input->{token}, ['bounty', $bug->id]); + delete_token($input->{token}); + my @fields = qw( reporter_email amount_paid reported_date fixed_date awarded_date publish ); my %form = map { $_ => $input->{$_} } @fields; $form{credit} = [ grep { defined } map { $input->{"credit_$_"} } 1..3 ]; @@ -301,6 +304,7 @@ sub bounty_attachment { $vars->{form}{fixed_date} = format_time($bug->cf_last_resolved, "%Y-%m-%d"), } } + $vars->{form}{token} = issue_hash_token(['bounty', $bug->id]); } sub _attachment_is_bounty_attachment { @@ -309,6 +313,8 @@ sub _attachment_is_bounty_attachment { return 0 unless $attachment->filename eq 'bugbounty.data'; return 0 unless $attachment->contenttype eq 'text/plain'; return 0 unless $attachment->isprivate; + return 0 unless $attachment->attacher->in_group('bounty-team'); + return $attachment->description =~ /^(?:[^,]*,)+[^,]*$/; } diff --git a/extensions/BMO/template/en/default/pages/attachment_bounty_form.html.tmpl b/extensions/BMO/template/en/default/pages/attachment_bounty_form.html.tmpl index e458d0111..9b6901330 100644 --- a/extensions/BMO/template/en/default/pages/attachment_bounty_form.html.tmpl +++ b/extensions/BMO/template/en/default/pages/attachment_bounty_form.html.tmpl @@ -133,8 +133,9 @@ function validateAndSubmit() {
- + +
@@ -144,17 +145,17 @@ function validateAndSubmit() {
+ value="[% form.reporter_email FILTER html %]">
- +
-
- +
- +
-- cgit v1.2.3-24-g4f1b