Bug 1252216 - Push extension configuration is vulnerable to CSRF and potentially...
authorDavid Lawrence <dkl@mozilla.com>
Tue, 1 Mar 2016 13:13:53 +0000 (08:13 -0500)
committerDylan Hardison <dylan@mozilla.com>
Tue, 1 Mar 2016 13:21:23 +0000 (08:21 -0500)
extensions/Push/lib/Admin.pm
extensions/Push/lib/Connector/File.pm
extensions/Push/template/en/default/pages/push_config.html.tmpl

index f579409bd7e8e72a1fc5ee8190a374bffc801c3f..e11415ea69c1c73ec8b2c716b73a4ed41608c980 100644 (file)
@@ -13,6 +13,7 @@ use warnings;
 use Bugzilla;
 use Bugzilla::Error;
 use Bugzilla::Extension::Push::Util;
+use Bugzilla::Token qw(check_hash_token delete_token);
 use Bugzilla::Util qw(trim detaint_natural trick_taint);
 
 use base qw(Exporter);
@@ -28,6 +29,9 @@ sub admin_config {
     my $input = Bugzilla->input_params;
 
     if ($input->{save}) {
+        my $token = $input->{token};
+        check_hash_token($token, ['push_config']);
+        delete_token($token);
         my $dbh = Bugzilla->dbh;
         $dbh->bz_start_transaction();
         _update_config_from_form('global', $push->config);
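Review bot: `delete_token($token)` on the line after `check_hash_token` is presumably a no-op here, because tokens produced by `issue_hash_token` are recomputed from the site secret rather than stored in the tokens table — worth confirming against Bugzilla::Token; if so, either drop the call or state the intent with `# hash tokens are stateless; delete_token only clears a stored row, kept for symmetry with other admin pages`. The check is placed before `bz_start_transaction`, so a forged or stale request never opens a transaction, which deserves a one-line comment such as `# CSRF guard: validate the form token before touching the DB`. The behaviour for a submission with no `token` field (an old form still open in a browser) depends on how `check_hash_token` treats undef; if it does not already throw a clear user error, a `$token // ThrowUserError(...)` guard would give the admin a meaningful message. `admin_config` continues past the end of the hunk.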
index 2a8f4193d1e845532acc12259bf403953d322657..563a78567a635e467dfa1a77dcd642cfa1d71d52 100644 (file)
@@ -34,6 +34,8 @@ sub options {
                 my $filename = shift;
                 $filename =~ m#^/#
                     && die "Absolute paths are not permitted\n";
+                $filename =~ m#\.\.#
+                    && die "Relative paths are not permitted\n";
             },
         },
     );
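Review bot: The message on the added `die` does not describe what the check rejects: relative paths such as `logs/push.log` still pass the two checks above it, while any `..` sequence — including an ordinary name like `push..old.log` — is refused. Suggest `&& die "Parent-directory references (..) are not permitted\n"` so the error names the real rule. Nothing in the hunk canonicalises the path, so the plain substring match is a coarse but defensible guard; if the value is later joined to a base directory, an anchored allow-list on the whole filename would make the accepted shape explicit rather than relying on two deny rules. `options` begins before the hunk and the validator closure that contains these checks continues past it.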
index 6e6507a399e63fe75314f56354a94c20ea737bac..3783ecad66f853ecea6804986cd195d9d455d9cf 100644 (file)
@@ -31,6 +31,7 @@ var push_defaults = new Array();
 <form method="POST" action="page.cgi">
 <input type="hidden" name="id" value="push_config.html">
 <input type="hidden" name="save" value="1">
+<input type="hidden" id="token" name="token" value="[% issue_hash_token(['push_config']) FILTER html %]">
 
 <table border="0" cellspacing="0" cellpadding="5" width="100%">