Bug 75890 - CVE-2011-3669 (https://bugzilla.mozilla.org/show_bug.cgi?id=703983)
git-svn-id: svn://svn.office.custis.ru/3rdparty/bugzilla.org/trunk@1499 6955db30-a419-402b-8a0d-67ecbb4d7f56master
parent
81db720a3e
commit
ff8fe56d5e
@ -371,9 +371,10 @@ sub check_token_data {
|
|||
my $cgi = Bugzilla->cgi;
|
||||
|
||||
my ($creator_id, $date, $token_action) = GetTokenData($token);
|
||||
unless ($creator_id
|
||||
&& $creator_id == $user->id
|
||||
&& $token_action eq $expected_action)
|
||||
my $valid_action = ref $expected_action eq 'Regexp'
|
||||
? $token_action =~ $expected_action
|
||||
: $token_action eq $expected_action;
|
||||
unless ($creator_id && $creator_id == $user->id && $valid_action)
|
||||
{
|
||||
# Something is going wrong. Ask confirmation before processing.
|
||||
# It is possible that someone tried to trick an administrator.
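Review bot: The regex branch of the new `my $valid_action = ref $expected_action eq 'Regexp' ? $token_action =~ $expected_action : $token_action eq $expected_action;` accepts any token whose action merely matches the caller's pattern, so an unanchored qr// passed as `$expected_action` would let a token for a different action through; nothing in this hunk records that callers must anchor their pattern, as the `qr/^create_attachment:/` caller in this commit does. I would put a comment above that line, `# $expected_action is either a plain string (compared with eq) or a qr// pattern; a pattern must be anchored by the caller, because any match is accepted.`, and update check_token_data's POD, which is outside this hunk, to document the new qr// form. The string branch is unchanged in behaviour, so existing callers are unaffected. check_token_data starts before and ends after this hunk.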
|
||||
|
|
|
@ -457,25 +457,16 @@ sub insert
|
|||
|
||||
# Detect if the user already used the same form to submit an attachment
|
||||
my $token = trim($cgi->param('token'));
|
||||
if ($token) {
|
||||
my ($creator_id, $date, $old_attach_id) = Bugzilla::Token::GetTokenData($token);
|
||||
unless ($creator_id
|
||||
&& ($creator_id == $user->id)
|
||||
&& ($old_attach_id =~ "^create_attachment:"))
|
||||
{
|
||||
# The token is invalid.
|
||||
ThrowUserError('token_does_not_exist');
|
||||
}
|
||||
check_token_data($token, qr/^create_attachment:/s, 'index.cgi');
|
||||
|
||||
$old_attach_id =~ s/^create_attachment://;
|
||||
|
||||
if ($old_attach_id) {
|
||||
$vars->{'bugid'} = $bugid;
|
||||
$vars->{'attachid'} = $old_attach_id;
|
||||
$template->process("attachment/cancel-create-dupe.html.tmpl", $vars)
|
||||
|| ThrowTemplateError($template->error());
|
||||
exit;
|
||||
}
|
||||
my (undef, undef, $old_attach_id) = Bugzilla::Token::GetTokenData($token);
|
||||
$old_attach_id =~ s/^create_attachment://;
|
||||
if ($old_attach_id) {
|
||||
$vars->{'bugid'} = $bugid;
|
||||
$vars->{'attachid'} = $old_attach_id;
|
||||
$template->process("attachment/cancel-create-dupe.html.tmpl", $vars)
|
||||
|| ThrowTemplateError($template->error());
|
||||
exit;
|
||||
}
|
||||
|
||||
# Check attachments the user tries to mark as obsolete.
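Review bot: The token payload is fetched twice on the new side: `check_token_data` calls GetTokenData itself (visible in the first hunk), and the line `my (undef, undef, $old_attach_id) = Bugzilla::Token::GetTokenData($token);` fetches it again only to read the attachment id, so the duplicate-submission check now costs two token lookups where one would do; at minimum a comment such as `# check_token_data() has already verified the token belongs to $user and is a create_attachment token; re-read it only for the attachment id` should say why. If the token disappeared between the two lookups, `$old_attach_id` would be undef and the following `s/^create_attachment://` would emit an uninitialized warning, which is unlikely but cheap to guard. The `/s` in `qr/^create_attachment:/s` has no effect because the pattern contains no `.`; `qr/^create_attachment:/` reads more plainly. The enclosing `insert` sub starts before and ends after this hunk.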
|
||||
|
|
|
@ -29,18 +29,17 @@
|
|||
|
||||
<table cellpadding="20">
|
||||
<tr>
|
||||
<td bgcolor="#ff0000">
|
||||
<td style="background: #ffe0e0; border: 10px solid red">
|
||||
<font size="+2">
|
||||
You already used the form to file
|
||||
<a href="[% urlbase FILTER html %]attachment.cgi?id=[% attachid FILTER url_quote %]&action=edit">attachment [% attachid FILTER url_quote %]</a>.
|
||||
</font>
|
||||
<p style="margin-bottom: 0">
|
||||
You can either <a href="[% urlbase FILTER html %]attachment.cgi?bugid=[% bugid FILTER url_quote %]&action=enter">
|
||||
create a new attachment</a> or [% "go back to $terms.bug $bugid" FILTER bug_link(bugid) FILTER none %].
|
||||
</p>
|
||||
</td>
|
||||
</tr>
|
||||
</table>
|
||||
|
||||
<p>
|
||||
You can either <a href="[% urlbase FILTER html %]attachment.cgi?bugid=[% bugid FILTER url_quote %]&action=enter">
|
||||
create a new attachment</a> or [% "go back to $terms.bug $bugid" FILTER bug_link(bugid) FILTER none %].
|
||||
<p>
|
||||
|
||||
[% PROCESS global/footer.html.tmpl %]
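Review bot: The added `href` on the "create a new attachment" line uses a bare `&` before `action=enter` inside an HTML attribute; in HTML the ampersand should be written `&amp;`, i.e. `attachment.cgi?bugid=[% bugid FILTER url_quote %]&amp;action=enter`, which is also what a validator will flag. The same pattern exists on the pre-existing "attachment [% attachid FILTER url_quote %]" link above it, where the visible link text would more naturally use `FILTER html` since it is not part of a URL.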
|
||||
|
|