aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorFrédéric Buclin <LpSolit@gmail.com>2011-11-22 22:03:28 +0100
committerFrédéric Buclin <LpSolit@gmail.com>2011-11-22 22:03:28 +0100
commit92cb17e05cecb4093ee9e189347ba66b8844528a (patch)
tree7129cf8b6398e67276a17856804d4a157c4b7fa1 /post_bug.cgi
parentBug 680771 - Send X-XSS-Protection header for XSS prevention/blocking (diff)
downloadbugzilla-92cb17e05cecb4093ee9e189347ba66b8844528a.tar.gz
bugzilla-92cb17e05cecb4093ee9e189347ba66b8844528a.tar.bz2
bugzilla-92cb17e05cecb4093ee9e189347ba66b8844528a.zip
Bug 703975: CSRF vulnerability in post_bug.cgi allows possible unauthorized bug creation
r=mkanat a=LpSolit
Diffstat (limited to 'post_bug.cgi')
-rwxr-xr-xpost_bug.cgi35
1 files changed, 4 insertions, 31 deletions
diff --git a/post_bug.cgi b/post_bug.cgi
index 6ca46fb3c..c0878b0da 100755
--- a/post_bug.cgi
+++ b/post_bug.cgi
@@ -62,30 +62,7 @@ unless ($cgi->param()) {
# Detect if the user already used the same form to submit a bug
my $token = trim($cgi->param('token'));
-if ($token) {
- my ($creator_id, $date, $old_bug_id) = Bugzilla::Token::GetTokenData($token);
- unless ($creator_id
- && ($creator_id == $user->id)
- && ($old_bug_id =~ "^createbug:"))
- {
- # The token is invalid.
- ThrowUserError('token_does_not_exist');
- }
-
- $old_bug_id =~ s/^createbug://;
-
- if ($old_bug_id && (!$cgi->param('ignore_token')
- || ($cgi->param('ignore_token') != $old_bug_id)))
- {
- $vars->{'bugid'} = $old_bug_id;
- $vars->{'allow_override'} = defined $cgi->param('ignore_token') ? 0 : 1;
-
- print $cgi->header();
- $template->process("bug/create/confirm-create-dupe.html.tmpl", $vars)
- || ThrowTemplateError($template->error());
- exit;
- }
-}
+check_token_data($token, 'create_bug', 'index.cgi');
# do a match on the fields if applicable
Bugzilla::User::match_field ({
@@ -169,8 +146,10 @@ foreach my $field (@multi_selects) {
my $bug = Bugzilla::Bug->create(\%bug_params);
-# Get the bug ID back.
+# Get the bug ID back and delete the token used to create this bug.
my $id = $bug->bug_id;
+delete_token($token);
+
# We do this directly from the DB because $bug->creation_ts has the seconds
# formatted out of it (which should be fixed some day).
my $timestamp = $dbh->selectrow_array(
@@ -243,12 +222,6 @@ Bugzilla::Hook::process('post_bug_after_creation', { vars => $vars });
ThrowCodeError("bug_error", { bug => $bug }) if $bug->error;
-if ($token) {
- trick_taint($token);
- $dbh->do('UPDATE tokens SET eventdata = ? WHERE token = ?', undef,
- ("createbug:$id", $token));
-}
-
my $recipients = { changer => $user };
my $bug_sent = Bugzilla::BugMail::Send($id, $recipients);
$bug_sent->{type} = 'created';