Bug 703975: CSRF vulnerability in post_bug.cgi allows possible unauthorized bug creation

r=mkanat a=LpSolit

Bug 703975: CSRF vulnerability in post_bug.cgi allows possible unauthorized bug creation
92cb17e0 · Frédéric Buclin · 92308c08 · 92cb17e0 · 92cb17e0 · 92cb17e0
Commit 92cb17e0 authored Nov 22, 2011 by Frédéric Buclin
Showing with 8 additions and 89 deletions

enter_bug.cgi enter_bug.cgi +1 -1

post_bug.cgi post_bug.cgi +4 -31

process_bug.cgi process_bug.cgi +3 -0

confirm-create-dupe.html.tmpl template/en/default/bug/create/confirm-create-dupe.html.tmpl +0 -57

No files found.
--- a/enter_bug.cgi
+++ b/enter_bug.cgi
@@ -207,7 +207,7 @@ $vars->{'qa_contact_disabled'}  = !$has_editbugs;

 $vars->{'cloned_bug_id'}         = $cloned_bug_id;

-$vars->{'token'}             = issue_session_token('createbug:');
+$vars->{'token'} = issue_session_token('create_bug');


 my @enter_bug_fields = grep { $_->enter_bug } Bugzilla->active_custom_fields;

--- a/post_bug.cgi
+++ b/post_bug.cgi
@@ -62,30 +62,7 @@ unless ($cgi->param()) {

 # Detect if the user already used the same form to submit a bug
 my $token = trim($cgi->param('token'));
-if ($token) {
-    my ($creator_id, $date, $old_bug_id) = Bugzilla::Token::GetTokenData($token);
-    unless ($creator_id
-              && ($creator_id == $user->id)
-              && ($old_bug_id =~ "^createbug:"))
-    {
-        # The token is invalid.
-        ThrowUserError('token_does_not_exist');
-    }
-
-    $old_bug_id =~ s/^createbug://;
-
-    if ($old_bug_id && (!$cgi->param('ignore_token')
-                        || ($cgi->param('ignore_token') != $old_bug_id)))
-    {
-        $vars->{'bugid'} = $old_bug_id;
-        $vars->{'allow_override'} = defined $cgi->param('ignore_token') ? 0 : 1;
-
-        print $cgi->header();
-        $template->process("bug/create/confirm-create-dupe.html.tmpl", $vars)
-           || ThrowTemplateError($template->error());
-        exit;
-    }
-}    
+check_token_data($token, 'create_bug', 'index.cgi');

 # do a match on the fields if applicable
 Bugzilla::User::match_field ({
@@ -169,8 +146,10 @@ foreach my $field (@multi_selects) {

 my $bug = Bugzilla::Bug->create(\%bug_params);

-# Get the bug ID back.
+# Get the bug ID back and delete the token used to create this bug.
 my $id = $bug->bug_id;
+delete_token($token);
+
 # We do this directly from the DB because $bug->creation_ts has the seconds
 # formatted out of it (which should be fixed some day).
 my $timestamp = $dbh->selectrow_array(
@@ -243,12 +222,6 @@ Bugzilla::Hook::process('post_bug_after_creation', { vars => $vars });

 ThrowCodeError("bug_error", { bug => $bug }) if $bug->error;

-if ($token) {
-    trick_taint($token);
-    $dbh->do('UPDATE tokens SET eventdata = ? WHERE token = ?', undef, 
-             ("createbug:$id", $token));
-}
-
 my $recipients = { changer => $user };
 my $bug_sent = Bugzilla::BugMail::Send($id, $recipients);
 $bug_sent->{type} = 'created';

--- a/process_bug.cgi
+++ b/process_bug.cgi
@@ -376,6 +376,9 @@ foreach my $bug (@bug_objects) {
    $bug->send_changes($changes, $vars);
 }

+# Delete the session token used for the mass-change.
+delete_token($token) unless $cgi->param('id');
+
 if (Bugzilla->usage_mode == USAGE_MODE_EMAIL) {
    # Do nothing.
 }

--- a/template/en/default/bug/create/confirm-create-dupe.html.tmpl
+++ b/template/en/default/bug/create/confirm-create-dupe.html.tmpl
-[%# The contents of this file are subject to the Mozilla Public
-  # License Version 1.1 (the "License"); you may not use this file
-  # except in compliance with the License. You may obtain a copy of
-  # the License at http://www.mozilla.org/MPL/
-  #
-  # Software distributed under the License is distributed on an "AS
-  # IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-  # implied. See the License for the specific language governing
-  # rights and limitations under the License.
-  #
-  # The Original Code is the Bugzilla Bug Tracking System.
-  #
-  # The Initial Developer of the Original Code is Olav Vitters.
-  #
-  # Contributor(s): Olav Vitters <olav@bkor.dhs.org>
-  #%]
-
-[%# INTERFACE:
-  # bugid: integer. ID of the bug previously used to create a bug.
-  # allow_override: boolean int. Is 1 if the user may submit the bug again.
-  #%]
-
-[% PROCESS "global/field-descs.none.tmpl" %]
-
-[% PROCESS global/header.html.tmpl
-  title = "Already filed $terms.bug"
-%]
-
-[% USE Bugzilla %]
-
-<table cellpadding="20">
-  <tr>
-    <td bgcolor="#ff0000">
-      <font size="+2">
-        You already used the form to file [% "$terms.bug $bugid" FILTER bug_link(bugid) FILTER none %].
-      </font>
-    </td>
-  </tr>
-</table>
-
-<p><font size="big">You are highly encouraged to visit [% "$terms.bug $bugid"
-FILTER bug_link(bugid) FILTER none %].</font></p>
-
-[% IF allow_override %]
-  <p>If you are sure you used the same form to submit a new [% terms.bug %],
-  click 'File [% terms.bug %] again'.<p>
-
-  <form name="create" id="create" method="post" action="post_bug.cgi"
-  [%- IF Bugzilla.cgi.param("data") %] enctype="multipart/form-data"[% END %]>
-    [% PROCESS "global/hidden-fields.html.tmpl"
-               exclude="^(Bugzilla_login|Bugzilla_password|ignore_token)$" %]
-    <input type="hidden" name="ignore_token" value="[% bugid FILTER html %]">
-    <input type="submit" value="File [% terms.bug %] again" id="file_bug_again">
-  </form>
-[% END %]
-
-[% PROCESS global/footer.html.tmpl %]