aboutsummaryrefslogtreecommitdiffstats
path: root/process_bug.cgi
diff options
context:
space:
mode:
authorlpsolit%gmail.com <>2009-02-02 18:33:29 +0000
committerlpsolit%gmail.com <>2009-02-02 18:33:29 +0000
commitdc51769c9f7fb84ac2e43112f2d106a4770f5781 (patch)
tree2e33c5042d7608871c661a843c3c991da07693d7 /process_bug.cgi
parent8d70890dc0b7c24b25a344808ac4e63e6a5dd74e (diff)
downloadbugs-dc51769c9f7fb84ac2e43112f2d106a4770f5781.tar
bugs-dc51769c9f7fb84ac2e43112f2d106a4770f5781.tar.gz
bugs-dc51769c9f7fb84ac2e43112f2d106a4770f5781.tar.bz2
bugs-dc51769c9f7fb84ac2e43112f2d106a4770f5781.tar.xz
bugs-dc51769c9f7fb84ac2e43112f2d106a4770f5781.zip
Bug 26257: [SECURITY] Bugzilla should prevent malicious webpages from making bugzilla users submit changes to bugs - Patch by Frédéric Buclin <LpSolit@gmail.com> r=mkanat a=LpSolit
Diffstat (limited to 'process_bug.cgi')
-rwxr-xr-xprocess_bug.cgi23
1 files changed, 19 insertions, 4 deletions
diff --git a/process_bug.cgi b/process_bug.cgi
index a0aadc1c5..83041230b 100755
--- a/process_bug.cgi
+++ b/process_bug.cgi
@@ -59,6 +59,7 @@ use Bugzilla::Component;
use Bugzilla::Keyword;
use Bugzilla::Flag;
use Bugzilla::Status;
+use Bugzilla::Token;
use Storable qw(dclone);
@@ -158,10 +159,6 @@ if (defined $cgi->param('dontchange')) {
# reference to flags if $cgi->param('id') is undefined.
Bugzilla::Flag::validate($cgi->param('id'));
-######################################################################
-# End Data/Security Validation
-######################################################################
-
print $cgi->header() unless Bugzilla->usage_mode == USAGE_MODE_EMAIL;
# Check for a mid-air collision. Currently this only works when updating
@@ -184,6 +181,8 @@ if (defined $cgi->param('delta_ts')
$vars->{'comments'} = Bugzilla::Bug::GetComments($first_bug->id,
"oldest_to_newest");
$vars->{'bug'} = $first_bug;
+ # The token contains the old delta_ts. We need a new one.
+ $cgi->param('token', issue_hash_token([$first_bug->id, $first_bug->delta_ts]));
# Warn the user about the mid-air collision and ask them what to do.
$template->process("bug/process/midair.html.tmpl", $vars)
@@ -191,6 +190,22 @@ if (defined $cgi->param('delta_ts')
exit;
}
+# We couldn't do this check earlier as we first had to validate bug IDs
+# and display the mid-air collision page if delta_ts changed.
+# If we do a mass-change, we use session tokens.
+my $token = $cgi->param('token');
+
+if ($cgi->param('id')) {
+ check_hash_token($token, [$first_bug->id, $first_bug->delta_ts]);
+}
+else {
+ check_token_data($token, 'buglist_mass_change', 'query.cgi');
+}
+
+######################################################################
+# End Data/Security Validation
+######################################################################
+
$vars->{'title_tag'} = "bug_processed";
# Set up the vars for navigational <link> elements