From 92cb17e05cecb4093ee9e189347ba66b8844528a Mon Sep 17 00:00:00 2001 From: Frédéric Buclin Date: Tue, 22 Nov 2011 22:03:28 +0100 Subject: Bug 703975: CSRF vulnerability in post_bug.cgi allows possible unauthorized bug creation r=mkanat a=LpSolit --- post_bug.cgi | 35 ++++------------------------------- 1 file changed, 4 insertions(+), 31 deletions(-) (limited to 'post_bug.cgi') diff --git a/post_bug.cgi b/post_bug.cgi index 6ca46fb3c..c0878b0da 100755 --- a/post_bug.cgi +++ b/post_bug.cgi @@ -62,30 +62,7 @@ unless ($cgi->param()) { # Detect if the user already used the same form to submit a bug my $token = trim($cgi->param('token')); -if ($token) { - my ($creator_id, $date, $old_bug_id) = Bugzilla::Token::GetTokenData($token); - unless ($creator_id - && ($creator_id == $user->id) - && ($old_bug_id =~ "^createbug:")) - { - # The token is invalid. - ThrowUserError('token_does_not_exist'); - } - - $old_bug_id =~ s/^createbug://; - - if ($old_bug_id && (!$cgi->param('ignore_token') - || ($cgi->param('ignore_token') != $old_bug_id))) - { - $vars->{'bugid'} = $old_bug_id; - $vars->{'allow_override'} = defined $cgi->param('ignore_token') ? 0 : 1; - - print $cgi->header(); - $template->process("bug/create/confirm-create-dupe.html.tmpl", $vars) - || ThrowTemplateError($template->error()); - exit; - } -} +check_token_data($token, 'create_bug', 'index.cgi'); # do a match on the fields if applicable Bugzilla::User::match_field ({ @@ -169,8 +146,10 @@ foreach my $field (@multi_selects) { my $bug = Bugzilla::Bug->create(\%bug_params); -# Get the bug ID back. +# Get the bug ID back and delete the token used to create this bug. my $id = $bug->bug_id; +delete_token($token); + # We do this directly from the DB because $bug->creation_ts has the seconds # formatted out of it (which should be fixed some day). my $timestamp = $dbh->selectrow_array( @@ -243,12 +222,6 @@ Bugzilla::Hook::process('post_bug_after_creation', { vars => $vars }); ThrowCodeError("bug_error", { bug => $bug }) if $bug->error; -if ($token) { - trick_taint($token); - $dbh->do('UPDATE tokens SET eventdata = ? WHERE token = ?', undef, - ("createbug:$id", $token)); -} - my $recipients = { changer => $user }; my $bug_sent = Bugzilla::BugMail::Send($id, $recipients); $bug_sent->{type} = 'created'; -- cgit v1.2.3-24-g4f1b