From 637fb098a0293fc3c2e83bb824a28e1843ae23fc Mon Sep 17 00:00:00 2001
From: Frédéric Buclin <LpSolit@gmail.com>
Date: Wed, 16 Oct 2013 18:57:17 +0200
Subject: Bug 911593: (CVE-2013-1733) [SECURITY] CSRF in process_bug.cgi r=dkl
 a=sgreen

---
 process_bug.cgi | 23 ++++++++++++-----------
 1 file changed, 12 insertions(+), 11 deletions(-)

(limited to 'process_bug.cgi')

diff --git a/process_bug.cgi b/process_bug.cgi
index 21113c2e9..2944e6cf5 100755
--- a/process_bug.cgi
+++ b/process_bug.cgi
@@ -111,25 +111,24 @@ print $cgi->header() unless Bugzilla->usage_mode == USAGE_MODE_EMAIL;
 
 # Check for a mid-air collision. Currently this only works when updating
 # an individual bug.
-if (defined $cgi->param('delta_ts'))
-{
-    my $delta_ts_z = datetime_from($cgi->param('delta_ts'));
+my $delta_ts = $cgi->param('delta_ts');
+
+if ($delta_ts) {
+    my $delta_ts_z = datetime_from($delta_ts)
+      or ThrowCodeError('invalid_timestamp', { timestamp => $delta_ts });
+
     my $first_delta_tz_z =  datetime_from($first_bug->delta_ts);
-    if ($first_delta_tz_z ne $delta_ts_z) {
-        ($vars->{'operations'}) = $first_bug->get_activity(undef, $cgi->param('delta_ts'));
 
-        ThrowCodeError('undefined_field', { field => 'longdesclength' })
-            if !defined $cgi->param('longdesclength');
+    if ($first_delta_tz_z ne $delta_ts_z) {
+        ($vars->{'operations'}) = $first_bug->get_activity(undef, $delta_ts);
 
-        my $start_at = $cgi->param('longdesclength');
+        my $start_at = $cgi->param('longdesclength')
+          or ThrowCodeError('undefined_field', { field => 'longdesclength' });
 
         # Always sort midair collision comments oldest to newest,
         # regardless of the user's personal preference.
         my $comments = $first_bug->comments({ order => "oldest_to_newest" });
 
-        # The token contains the old delta_ts. We need a new one.
-        $cgi->param('token', issue_hash_token([$first_bug->id, $first_bug->delta_ts]));
-
         # Show midair if previous changes made other than CC
         # and/or one or more comments were made
         my $do_midair = scalar @$comments > $start_at ? 1 : 0;
@@ -149,6 +148,8 @@ if (defined $cgi->param('delta_ts'))
             $vars->{'start_at'} = $start_at;
             $vars->{'comments'} = $comments;
             $vars->{'bug'} = $first_bug;
+            # The token contains the old delta_ts. We need a new one.
+            $cgi->param('token', issue_hash_token([$first_bug->id, $first_bug->delta_ts]));
 
             # Warn the user about the mid-air collision and ask them what to do.
             $template->process("bug/process/midair.html.tmpl", $vars)
-- 
cgit v1.2.3-24-g4f1b