diff options
author | lpsolit%gmail.com <> | 2009-02-02 18:33:29 +0000 |
---|---|---|
committer | lpsolit%gmail.com <> | 2009-02-02 18:33:29 +0000 |
commit | dc51769c9f7fb84ac2e43112f2d106a4770f5781 (patch) | |
tree | 2e33c5042d7608871c661a843c3c991da07693d7 /process_bug.cgi | |
parent | 8d70890dc0b7c24b25a344808ac4e63e6a5dd74e (diff) | |
download | bugs-dc51769c9f7fb84ac2e43112f2d106a4770f5781.tar bugs-dc51769c9f7fb84ac2e43112f2d106a4770f5781.tar.gz bugs-dc51769c9f7fb84ac2e43112f2d106a4770f5781.tar.bz2 bugs-dc51769c9f7fb84ac2e43112f2d106a4770f5781.tar.xz bugs-dc51769c9f7fb84ac2e43112f2d106a4770f5781.zip |
Bug 26257: [SECURITY] Bugzilla should prevent malicious webpages from making bugzilla users submit changes to bugs - Patch by Frédéric Buclin <LpSolit@gmail.com> r=mkanat a=LpSolit
Diffstat (limited to 'process_bug.cgi')
-rwxr-xr-x | process_bug.cgi | 23 |
1 files changed, 19 insertions, 4 deletions
diff --git a/process_bug.cgi b/process_bug.cgi index a0aadc1c5..83041230b 100755 --- a/process_bug.cgi +++ b/process_bug.cgi @@ -59,6 +59,7 @@ use Bugzilla::Component; use Bugzilla::Keyword; use Bugzilla::Flag; use Bugzilla::Status; +use Bugzilla::Token; use Storable qw(dclone); @@ -158,10 +159,6 @@ if (defined $cgi->param('dontchange')) { # reference to flags if $cgi->param('id') is undefined. Bugzilla::Flag::validate($cgi->param('id')); -###################################################################### -# End Data/Security Validation -###################################################################### - print $cgi->header() unless Bugzilla->usage_mode == USAGE_MODE_EMAIL; # Check for a mid-air collision. Currently this only works when updating @@ -184,6 +181,8 @@ if (defined $cgi->param('delta_ts') $vars->{'comments'} = Bugzilla::Bug::GetComments($first_bug->id, "oldest_to_newest"); $vars->{'bug'} = $first_bug; + # The token contains the old delta_ts. We need a new one. + $cgi->param('token', issue_hash_token([$first_bug->id, $first_bug->delta_ts])); # Warn the user about the mid-air collision and ask them what to do. $template->process("bug/process/midair.html.tmpl", $vars) @@ -191,6 +190,22 @@ if (defined $cgi->param('delta_ts') exit; } +# We couldn't do this check earlier as we first had to validate bug IDs +# and display the mid-air collision page if delta_ts changed. +# If we do a mass-change, we use session tokens. +my $token = $cgi->param('token'); + +if ($cgi->param('id')) { + check_hash_token($token, [$first_bug->id, $first_bug->delta_ts]); +} +else { + check_token_data($token, 'buglist_mass_change', 'query.cgi'); +} + +###################################################################### +# End Data/Security Validation +###################################################################### + $vars->{'title_tag'} = "bug_processed"; # Set up the vars for navigational <link> elements |