Bommels05/Mozilla
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Bug 26257: [SECURITY] Bugzilla should prevent malicious webpages from making bugzilla users submit changes to bugs - Patch by Frédéric Buclin <LpSolit@gmail.com> r=mkanat a=LpSolit

Browse Source 
git-svn-id: svn://10.0.0.236/trunk@256020 18797224-902f-48f8-a5cc-f745e15eee43
This commit is contained in:
lpsolit%gmail.com
2009-02-02 18:34:40 +00:00
parent e169326a2d
commit a78c19e2bb
9 changed files with 98 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

23
mozilla/webtools/bugzilla/process_bug.cgi
View File

@@ -59,6 +59,7 @@ use Bugzilla::Component;
use Bugzilla::Keyword;
use Bugzilla::Flag;
use Bugzilla::Status;
use Bugzilla::Token;
use Storable qw(dclone);
@@ -158,10 +159,6 @@ if (defined $cgi->param('dontchange')) {
# reference to flags if $cgi->param('id') is undefined.
Bugzilla::Flag::validate($cgi->param('id'));
######################################################################
# End Data/Security Validation
######################################################################
print $cgi->header() unless Bugzilla->usage_mode == USAGE_MODE_EMAIL;
# Check for a mid-air collision. Currently this only works when updating
@@ -184,6 +181,8 @@ if (defined $cgi->param('delta_ts')
$vars->{'comments'} = Bugzilla::Bug::GetComments($first_bug->id,
"oldest_to_newest");
$vars->{'bug'} = $first_bug;
# The token contains the old delta_ts. We need a new one.
$cgi->param('token', issue_hash_token([$first_bug->id, $first_bug->delta_ts]));
# Warn the user about the mid-air collision and ask them what to do.
$template->process("bug/process/midair.html.tmpl", $vars)
@@ -191,6 +190,22 @@ if (defined $cgi->param('delta_ts')
exit;
}
# We couldn't do this check earlier as we first had to validate bug IDs
# and display the mid-air collision page if delta_ts changed.
# If we do a mass-change, we use session tokens.
my $token = $cgi->param('token');
if ($cgi->param('id')) {
check_hash_token($token, [$first_bug->id, $first_bug->delta_ts]);
}
else {
check_token_data($token, 'buglist_mass_change', 'query.cgi');
}
######################################################################
# End Data/Security Validation
######################################################################
$vars->{'title_tag'} = "bug_processed";
# Set up the vars for navigational <link> elements