Commit 09894bd5 authored by Frédéric Buclin's avatar Frédéric Buclin

Bug 913904: (CVE-2013-1734) [SECURITY] CSRF when updating attachments

r=dkl a=sgreen
parent 8563e395
......@@ -648,19 +648,22 @@ sub update {
$attachment->set_filename(scalar $cgi->param('filename'));
# Now make sure the attachment has not been edited since we loaded the page.
if (defined $cgi->param('delta_ts')
&& $cgi->param('delta_ts') ne $attachment->modification_time)
{
($vars->{'operations'}) = $bug->get_activity($attachment->id, $cgi->param('delta_ts'));
my $delta_ts = $cgi->param('delta_ts');
my $modification_time = $attachment->modification_time;
# The token contains the old modification_time. We need a new one.
$cgi->param('token', issue_hash_token([$attachment->id, $attachment->modification_time]));
if ($delta_ts && $delta_ts ne $modification_time) {
datetime_from($delta_ts)
or ThrowCodeError('invalid_timestamp', { timestamp => $delta_ts });
($vars->{'operations'}) = $bug->get_activity($attachment->id, $delta_ts);
# If the modification date changed but there is no entry in
# the activity table, this means someone commented only.
# In this case, there is no reason to midair.
if (scalar(@{$vars->{'operations'}})) {
$cgi->param('delta_ts', $attachment->modification_time);
$cgi->param('delta_ts', $modification_time);
# The token contains the old modification_time. We need a new one.
$cgi->param('token', issue_hash_token([$attachment->id, $modification_time]));
$vars->{'attachment'} = $attachment;
print $cgi->header();
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment