Bug 75890 - CVE-2011-3669 (https://bugzilla.mozilla.org/show_bug.cgi?id=703983)

git-svn-id: svn://svn.office.custis.ru/3rdparty/bugzilla.org/trunk@1499 6955db30-a419-402b-8a0d-67ecbb4d7f56

Bugzilla/Token.pm

@@ -371,9 +371,10 @@ sub check_token_data {
     my $cgi = Bugzilla->cgi;
 
     my ($creator_id, $date, $token_action) = GetTokenData($token);
-    unless ($creator_id
-            && $creator_id == $user->id
-            && $token_action eq $expected_action)
+    my $valid_action = ref $expected_action eq 'Regexp'
+        ? $token_action =~ $expected_action
+        : $token_action eq $expected_action;
+    unless ($creator_id && $creator_id == $user->id && $valid_action)
     {
         # Something is going wrong. Ask confirmation before processing.
         # It is possible that someone tried to trick an administrator.

attachment.cgi

@@ -457,25 +457,16 @@ sub insert
 
     # Detect if the user already used the same form to submit an attachment
     my $token = trim($cgi->param('token'));
-    if ($token) {
-        my ($creator_id, $date, $old_attach_id) = Bugzilla::Token::GetTokenData($token);
-        unless ($creator_id
-            && ($creator_id == $user->id)
-                && ($old_attach_id =~ "^create_attachment:"))
-        {
-            # The token is invalid.
-            ThrowUserError('token_does_not_exist');
-        }
+    check_token_data($token, qr/^create_attachment:/s, 'index.cgi');
 
-        $old_attach_id =~ s/^create_attachment://;
-
-        if ($old_attach_id) {
-            $vars->{'bugid'} = $bugid;
-            $vars->{'attachid'} = $old_attach_id;
-            $template->process("attachment/cancel-create-dupe.html.tmpl", $vars)
-                || ThrowTemplateError($template->error());
-            exit;
-        }
+    my (undef, undef, $old_attach_id) = Bugzilla::Token::GetTokenData($token);
+    $old_attach_id =~ s/^create_attachment://;
+    if ($old_attach_id) {
+        $vars->{'bugid'} = $bugid;
+        $vars->{'attachid'} = $old_attach_id;
+        $template->process("attachment/cancel-create-dupe.html.tmpl", $vars)
+            || ThrowTemplateError($template->error());
+        exit;
     }
 
     # Check attachments the user tries to mark as obsolete.

template/en/default/attachment/cancel-create-dupe.html.tmpl

@@ -29,18 +29,17 @@
 
 <table cellpadding="20">
   <tr>
-    <td bgcolor="#ff0000">
+    <td style="background: #ffe0e0; border: 10px solid red">
       <font size="+2">
         You already used the form to file
         <a href="[% urlbase FILTER html %]attachment.cgi?id=[% attachid FILTER url_quote %]&action=edit">attachment [% attachid FILTER url_quote %]</a>.
       </font>
+      <p style="margin-bottom: 0">
+        You can either <a href="[% urlbase FILTER html %]attachment.cgi?bugid=[% bugid FILTER url_quote %]&action=enter">
+        create a new attachment</a> or [% "go back to $terms.bug $bugid" FILTER bug_link(bugid) FILTER none %].
+      </p>
     </td>
   </tr>
 </table>
 
-<p>
-  You can either <a href="[% urlbase FILTER html %]attachment.cgi?bugid=[% bugid FILTER url_quote %]&action=enter">
-  create a new attachment</a> or [% "go back to $terms.bug $bugid" FILTER bug_link(bugid) FILTER none %].
-<p>
-
 [% PROCESS global/footer.html.tmpl %]