Bug 75890 - CVE-2011-3668 (https://bugzilla.mozilla.org/show_bug.cgi?id=703975)

git-svn-id: svn://svn.office.custis.ru/3rdparty/bugzilla.org/trunk@1500 6955db30-a419-402b-8a0d-67ecbb4d7f56
2012-01-13 11:42:42 +00:00 · 2012-01-13 11:42:42 +00:00 · fb92b323e7
parent ff8fe56d5e
commit fb92b323e7
2 changed files with 12 additions and 22 deletions
--- a/attachment.cgi
+++ b/attachment.cgi
@ -457,7 +457,7 @@ sub insert

    # Detect if the user already used the same form to submit an attachment
    my $token = trim($cgi->param('token'));
-    check_token_data($token, qr/^create_attachment:/s, 'index.cgi');
+    check_token_data($token, qr/^create_attachment:/s, "show_bug.cgi?id=$bugid");

    my (undef, undef, $old_attach_id) = Bugzilla::Token::GetTokenData($token);
    $old_attach_id =~ s/^create_attachment://;
--- a/post_bug.cgi
+++ b/post_bug.cgi
@ -60,29 +60,19 @@ print $cgi->redirect(correct_urlbase() . 'enter_bug.cgi') unless $cgi->param();

 # Detect if the user already used the same form to submit a bug
 my $token = trim($cgi->param('token'));
-if ($token) {
-    my ($creator_id, $date, $old_bug_id) = Bugzilla::Token::GetTokenData($token);
-    unless ($creator_id
-              && ($creator_id == $user->id)
-              && ($old_bug_id =~ "^createbug:"))
-    {
-        # The token is invalid.
-        ThrowUserError('token_does_not_exist');
-    }
+check_token_data($token, qr/^createbug:/s, 'enter_bug.cgi');

-    $old_bug_id =~ s/^createbug://;
+my (undef, undef, $old_bug_id) = Bugzilla::Token::GetTokenData($token);
+$old_bug_id =~ s/^createbug://;
+if ($old_bug_id)
+{
+    $vars->{bugid} = $old_bug_id;
+    $vars->{allow_override} = defined $cgi->param('ignore_token') ? 0 : 1;
+    $vars->{new_token} = issue_session_token('createbug:');

-    if ($old_bug_id && (!$cgi->param('ignore_token')
-                        || ($cgi->param('ignore_token') != $old_bug_id)))
-    {
-        $vars->{bugid} = $old_bug_id;
-        $vars->{allow_override} = defined $cgi->param('ignore_token') ? 0 : 1;
-        $vars->{new_token} = issue_session_token('createbug:');
-
-        $template->process("bug/create/confirm-create-dupe.html.tmpl", $vars)
-           || ThrowTemplateError($template->error());
-        exit;
-    }
+    $template->process("bug/create/confirm-create-dupe.html.tmpl", $vars)
+       || ThrowTemplateError($template->error());
+    exit;
 }

 # do a match on the fields if applicable