Bug 532518: Credentials are not checked correctly when viewing one attachment…

Bug 532518: Credentials are not checked correctly when viewing one attachment from another bug's alternate host - Patch by FrÃ©dÃ©ric Buclin <LpSolit@gmail.com> r=mkanat a=LpSolit

Bug 532518: Credentials are not checked correctly when viewing one attachment…
8ae3947f · lpsolit%gmail.com · 202d74c2 · 8ae3947f
Commit 8ae3947f authored Dec 30, 2009 by lpsolit%gmail.com
Hide whitespace changes
Inline Side-by-side

Showing with 28 additions and 21 deletions

attachment.cgi attachment.cgi +28 -21

No files found.
--- a/attachment.cgi
+++ b/attachment.cgi
@@ -249,8 +249,34 @@ sub view {

        # Make sure the attachment is served from the correct server.
        my $bug_id = $attachment->bug_id;
-        if (!$cgi->url_is_attachment_base($bug_id)) {
-            # We couldn't call Bugzilla->login earlier as we first had to 
+        if ($cgi->url_is_attachment_base($bug_id)) {
+            # No need to validate the token for public attachments. We cannot request
+            # credentials as we are on the alternate host.
+            if (!attachmentIsPublic($attachment)) {
+                my $token = $cgi->param('t');
+                my ($userid, undef, $token_attach_id) = Bugzilla::Token::GetTokenData($token);
+                unless ($userid
+                        && detaint_natural($token_attach_id)
+                        && ($token_attach_id == $attachment->id))
+                {
+                    # Not a valid token.
+                    print $cgi->redirect('-location' => correct_urlbase() . $path);
+                    exit;
+                }
+                # Change current user without creating cookies.
+                Bugzilla->set_user(new Bugzilla::User($userid));
+                # Tokens are single use only, delete it.
+                delete_token($token);
+            }
+        }
+        elsif ($cgi->url_is_attachment_base) {
+            # If we come here, this means that each bug has its own host
+            # for attachments, and that we are trying to view one attachment
+            # using another bug's host. That's not desired.
+            $cgi->redirect_to_urlbase;
+        }
+        else {
+            # We couldn't call Bugzilla->login earlier as we first had to
            # make sure we were not going to request credentials on the
            # alternate host.
            Bugzilla->login();
@@ -270,25 +296,6 @@ sub view {
                print $cgi->redirect(-location => $attachbase . "$path&t=$token");
                exit;
            }
-        } else {
-            # No need to validate the token for public attachments. We cannot request
-            # credentials as we are on the alternate host.
-            if (!attachmentIsPublic($attachment)) {
-                my $token = $cgi->param('t');
-                my ($userid, undef, $token_attach_id) = Bugzilla::Token::GetTokenData($token);
-                unless ($userid
-                        && detaint_natural($token_attach_id)
-                        && ($token_attach_id == $attachment->id))
-                {
-                    # Not a valid token.
-                    print $cgi->redirect('-location' => correct_urlbase() . $path);
-                    exit;
-                }
-                # Change current user without creating cookies.
-                Bugzilla->set_user(new Bugzilla::User($userid));
-                # Tokens are single use only, delete it.
-                delete_token($token);
-            }
        }
    } else {
        do_ssl_redirect_if_required();