aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorFrédéric Buclin <LpSolit@gmail.com>2013-10-16 19:08:20 +0200
committerFrédéric Buclin <LpSolit@gmail.com>2013-10-16 19:08:20 +0200
commit2a3d79afa020dc49b0e2016b4015cdc94b74eec4 (patch)
tree06f7851fff5fe530d83b8ca2b96d74c7a9a9d911
parentBug 906745 - In MySQL, tokens are not case-sensitive, reducing total entropy ... (diff)
downloadbugzilla-2a3d79afa020dc49b0e2016b4015cdc94b74eec4.tar.gz
bugzilla-2a3d79afa020dc49b0e2016b4015cdc94b74eec4.tar.bz2
bugzilla-2a3d79afa020dc49b0e2016b4015cdc94b74eec4.zip
Bug 913904: (CVE-2013-1734) [SECURITY] CSRF when updating attachments
r=dkl a=sgreen
-rwxr-xr-xattachment.cgi19
1 files changed, 11 insertions, 8 deletions
diff --git a/attachment.cgi b/attachment.cgi
index 64f78dc36..0078a4c16 100755
--- a/attachment.cgi
+++ b/attachment.cgi
@@ -661,20 +661,23 @@ sub update {
$attachment->set_filename(scalar $cgi->param('filename'));
# Now make sure the attachment has not been edited since we loaded the page.
- if (defined $cgi->param('delta_ts')
- && $cgi->param('delta_ts') ne $attachment->modification_time)
- {
- ($vars->{'operations'}) =
- Bugzilla::Bug::GetBugActivity($bug->id, $attachment->id, $cgi->param('delta_ts'));
+ my $delta_ts = $cgi->param('delta_ts');
+ my $modification_time = $attachment->modification_time;
- # The token contains the old modification_time. We need a new one.
- $cgi->param('token', issue_hash_token([$attachment->id, $attachment->modification_time]));
+ if ($delta_ts && $delta_ts ne $modification_time) {
+ datetime_from($delta_ts)
+ or ThrowCodeError('invalid_timestamp', { timestamp => $delta_ts });
+ ($vars->{'operations'}) =
+ Bugzilla::Bug::GetBugActivity($bug->id, $attachment->id, $delta_ts);
# If the modification date changed but there is no entry in
# the activity table, this means someone commented only.
# In this case, there is no reason to midair.
if (scalar(@{$vars->{'operations'}})) {
- $cgi->param('delta_ts', $attachment->modification_time);
+ $cgi->param('delta_ts', $modification_time);
+ # The token contains the old modification_time. We need a new one.
+ $cgi->param('token', issue_hash_token([$attachment->id, $modification_time]));
+
$vars->{'attachment'} = $attachment;
print $cgi->header();