author | Frédéric Buclin <LpSolit@gmail.com> | 2013-10-16 19:10:42 +0200 |
---|---|---|
committer | Frédéric Buclin <LpSolit@gmail.com> | 2013-10-16 19:10:42 +0200 |
commit | d096b205bd98c3e7dab9102891a07e725a983fa7 (patch) | |
tree | 4ec41a9d2fbd14c9fdc4b9498301d13702eb159c | |
parent | Bug 906745 - In MySQL, tokens are not case-sensitive, reducing total entropy ... (diff) | |
Bug 913904: (CVE-2013-1734) [SECURITY] CSRF when updating attachments
r=dkl a=sgreen
-rwxr-xr-x | attachment.cgi | 19 | ||||
-rw-r--r-- | template/en/default/global/code-error.html.tmpl | 4 |
2 files changed, 15 insertions, 8 deletions
diff --git a/attachment.cgi b/attachment.cgi
index 47077f127..2706cde24 100755
--- a/attachment.cgi
+++ b/attachment.cgi
@@ -676,20 +676,23 @@ sub update {
 $attachment->set_filename(scalar $cgi->param('filename'));
 
 # Now make sure the attachment has not been edited since we loaded the page.
- if (defined $cgi->param('delta_ts')
- && $cgi->param('delta_ts') ne $attachment->modification_time)
- {
- ($vars->{'operations'}) =
- Bugzilla::Bug::GetBugActivity($bug->id, $attachment->id, $cgi->param('delta_ts'));
+ my $delta_ts = $cgi->param('delta_ts');
+ my $modification_time = $attachment->modification_time;
 
- # The token contains the old modification_time. We need a new one.
- $cgi->param('token', issue_hash_token([$attachment->id, $attachment->modification_time]));
+ if ($delta_ts && $delta_ts ne $modification_time) {
+ datetime_from($delta_ts)
+ or ThrowCodeError('invalid_timestamp', { timestamp => $delta_ts });
+ ($vars->{'operations'}) =
+ Bugzilla::Bug::GetBugActivity($bug->id, $attachment->id, $delta_ts);
 
 # If the modification date changed but there is no entry in
 # the activity table, this means someone commented only.
 # In this case, there is no reason to midair.
 if (scalar(@{$vars->{'operations'}})) {
- $cgi->param('delta_ts', $attachment->modification_time);
+ $cgi->param('delta_ts', $modification_time);
+ # The token contains the old modification_time. We need a new one.
+ $cgi->param('token', issue_hash_token([$attachment->id, $modification_time]));
+
 $vars->{'attachment'} = $attachment;
 
 print $cgi->header();
diff --git a/template/en/default/global/code-error.html.tmpl b/template/en/default/global/code-error.html.tmpl
index 3c4c68bf4..c1d35290c 100644
--- a/template/en/default/global/code-error.html.tmpl
+++ b/template/en/default/global/code-error.html.tmpl
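Review bot: The midair branch still hands the raw request string `$delta_ts` to `Bugzilla::Bug::GetBugActivity` after `datetime_from($delta_ts)` has been used only as a yes/no check, so the value that reaches the activity lookup is whatever the parser was willing to accept rather than a canonical timestamp. Passing a normalized form derived from the parsed object (or at least the exact format `modification_time` uses) would make the `ne $modification_time` comparison and the activity lookup operate on the same representation; GetBugActivity is not visible here, so whether it binds the value with a placeholder is unverified. The guard was also changed from `defined $cgi->param('delta_ts')` to a truthiness test, so an empty `delta_ts` now silently skips the midair check instead of being reported like a malformed one; if that is intended, a comment such as `# An absent or empty delta_ts means no midair check was requested.` would document it. `sub update` begins and ends outside this hunk.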
@@ -242,6 +242,10 @@ The series_id [% series_id FILTER html %] is not valid. It may be that this series has been deleted.
+ [% ELSIF error == "invalid_timestamp" %]
+ The entered timestamp <code>[% timestamp FILTER html %]</code> could not
+ be parsed into a valid date and time.
+ [% ELSIF error == "invalid_webservergroup" %] There is no such group: [% group FILTER html %]. Check your $webservergroup setting in [% constants.bz_locations.localconfig FILTER html %]. |