
Commit 637fb09

committed
Bug 911593: (CVE-2013-1733) [SECURITY] CSRF in process_bug.cgi
r=dkl a=sgreen
1 parent e78f6c0 commit 637fb09

1 file changed

Lines changed: 12 additions & 11 deletions


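--- a/process_bug.cgi
+++ b/process_bug.cgi
@@ -111,25 +111,24 @@ print $cgi->header() unless Bugzilla->usage_mode == USAGE_MODE_EMAIL;
 
 # Check for a mid-air collision. Currently this only works when updating
 # an individual bug.
-if (defined $cgi->param('delta_ts'))
-{
-my $delta_ts_z = datetime_from($cgi->param('delta_ts'));
+my $delta_ts = $cgi->param('delta_ts');
+
+if ($delta_ts) {
+my $delta_ts_z = datetime_from($delta_ts)
+or ThrowCodeError('invalid_timestamp', { timestamp => $delta_ts });
+
 my $first_delta_tz_z = datetime_from($first_bug->delta_ts);
-if ($first_delta_tz_z ne $delta_ts_z) {
-($vars->{'operations'}) = $first_bug->get_activity(undef, $cgi->param('delta_ts'));
 
-ThrowCodeError('undefined_field', { field => 'longdesclength' })
-if !defined $cgi->param('longdesclength');
+if ($first_delta_tz_z ne $delta_ts_z) {
+($vars->{'operations'}) = $first_bug->get_activity(undef, $delta_ts);
 
-my $start_at = $cgi->param('longdesclength');
+my $start_at = $cgi->param('longdesclength')
+or ThrowCodeError('undefined_field', { field => 'longdesclength' });
 
 # Always sort midair collision comments oldest to newest,
 # regardless of the user's personal preference.
 my $comments = $first_bug->comments({ order => "oldest_to_newest" });
 
-# The token contains the old delta_ts. We need a new one.
-$cgi->param('token', issue_hash_token([$first_bug->id, $first_bug->delta_ts]));
-
 # Show midair if previous changes made other than CC
 # and/or one or more comments were made
 my $do_midair = scalar @$comments > $start_at ? 1 : 0;
@@ -149,6 +148,8 @@ if (defined $cgi->param('delta_ts'))
 $vars->{'start_at'} = $start_at;
 $vars->{'comments'} = $comments;
 $vars->{'bug'} = $first_bug;
+# The token contains the old delta_ts. We need a new one.
+$cgi->param('token', issue_hash_token([$first_bug->id, $first_bug->delta_ts]));
 
 # Warn the user about the mid-air collision and ask them what to do.
 $template->process("bug/process/midair.html.tmpl", $vars)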
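Review bot: The `or ThrowCodeError(...)` attached to `my $start_at = $cgi->param('longdesclength')` at new line 125 rejects a submitted value of `0`, whereas the removed check only rejected an undefined parameter, so if a form can legitimately carry `longdesclength=0` a mid-air collision on that bug now surfaces as `undefined_field`. Keeping the assignment and the check separate preserves the old contract: `my $start_at = $cgi->param('longdesclength');` followed by `ThrowCodeError('undefined_field', { field => 'longdesclength' }) if !defined $start_at;`. The same defined-to-truthiness shift applies to `if ($delta_ts)` at new line 116, which skips the mid-air check entirely for an empty `delta_ts` instead of passing it to `datetime_from` and reporting `invalid_timestamp`; if reporting malformed input is the intent, `if (defined $delta_ts)` keeps that path. The `if ($delta_ts)` block opened at new line 116 closes outside this section, as does whatever block encloses the second hunk.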
