authorreed%reedloden.com <>2009-03-30 21:02:33 +0000
committerreed%reedloden.com <>2009-03-30 21:02:33 +0000
commitd9041c3f97422fb377c3e8d20129f4ef8517f833 (patch)
tree005886bc062295c4050a17c8c7b45331f9fd01fe /attachment.cgi
parentBug 485845: Release Notes for Bugzilla 3.2.3 (diff)
Bug 476603 - "[SECURITY] Editing attachments doesn't have any CSRF protection" [p=reed r=LpSolit a=LpSolit]
Diffstat (limited to 'attachment.cgi')
-rwxr-xr-xattachment.cgi9
1 files changed, 9 insertions, 0 deletions
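--- a/attachment.cgi
+++ b/attachment.cgi
@@ -565,6 +565,9 @@ sub update {
 ($vars->{'operations'}) =
 Bugzilla::Bug::GetBugActivity($bug->id, $attachment->id, $cgi->param('delta_ts'));
+ # The token contains the old modification_time. We need a new one.
+ $cgi->param('token', issue_hash_token([$attachment->id, $attachment->modification_time]));
+
 # If the modification date changed but there is no entry in
 # the activity table, this means someone commented only.
 # In this case, there is no reason to midair.
@@ -579,6 +582,12 @@ sub update {
 exit;
 }
 }
+
+ # We couldn't do this check earlier as we first had to validate attachment ID
+ # and display the mid-air collision page if modification_time changed.
+ my $token = $cgi->param('token');
+ check_hash_token($token, [$attachment->id, $attachment->modification_time]);
+
 # If the submitter of the attachment is not in the insidergroup,
 # be sure that he cannot overwrite the private bit.
 # This check must be done before calling Bugzilla::Flag*::validate(),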
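Review bot: On the path where delta_ts differs from modification_time but GetBugActivity returns no operations ("someone commented only", so no midair exit), the check `check_hash_token($token, [$attachment->id, $attachment->modification_time]);` in the second hunk validates the token the server just issued in the first hunk via `$cgi->param('token', issue_hash_token(...))`, not the one the client submitted, so the CSRF check is satisfied on that path without any client-supplied token. The midair branch's condition and its fall-through lie outside both hunks (sub update starts before and continues past them), so this reading is inferred from the unconditional reissue and the comment that follows it. Capturing the submitted token before it is overwritten and validating it against the timestamp it was presumably issued for closes the gap: before the midair block, `my $submitted_token = $cgi->param('token');`, and at the check, `check_hash_token($submitted_token, [$attachment->id, $cgi->param('delta_ts') || $attachment->modification_time]);`. The freshly issued token for the midair page can then be handed to the template through `$vars` instead of by replacing the CGI parameter, which keeps the client-supplied value intact for validation.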