From: David Lawrence Date: Tue, 8 Mar 2016 14:26:33 +0000 (+0000) Subject: Bug 1252445 - Tracking flags configuration is vulnerable to CSRF and causes persisten... X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=02aa6ce0a7cd9ef14079a5ee22c175ff9d16ed58;p=thirdparty%2Fbugzilla.git Bug 1252445 - Tracking flags configuration is vulnerable to CSRF and causes persistent XSS --- diff --git a/extensions/BugModal/template/en/default/bug_modal/header.html.tmpl b/extensions/BugModal/template/en/default/bug_modal/header.html.tmpl index f70e77bb1..84efbd077 100644 --- a/extensions/BugModal/template/en/default/bug_modal/header.html.tmpl +++ b/extensions/BugModal/template/en/default/bug_modal/header.html.tmpl @@ -77,7 +77,8 @@ [%# add tracking flags json if available %] [% IF tracking_flags %] [% javascript_urls.push("extensions/TrackingFlags/web/js/tracking_flags.js") %] - TrackingFlags = [% tracking_flags_json FILTER none %]; + var tracking_flags_str = "[% tracking_flags_json FILTER js %]"; + var TrackingFlags = $.parseJSON(tracking_flags_str); [% END %] [%# update last-visited %] diff --git a/extensions/TrackingFlags/lib/Admin.pm b/extensions/TrackingFlags/lib/Admin.pm index 1bae18ef8..542e990d5 100644 --- a/extensions/TrackingFlags/lib/Admin.pm +++ b/extensions/TrackingFlags/lib/Admin.pm @@ -1,4 +1,4 @@ -# This Source Code Form is subject to the terms of the Mozilla Public +#d This Source Code Form is subject to the terms of the Mozilla Public # License, v. 2.0. If a copy of the MPL was not distributed with this # file, You can obtain one at http://mozilla.org/MPL/2.0/. # @@ -15,6 +15,7 @@ use Bugzilla::Component; use Bugzilla::Error; use Bugzilla::Group; use Bugzilla::Product; +use Bugzilla::Token qw(check_hash_token delete_token); use Bugzilla::Util qw(trim detaint_natural); use Bugzilla::Extension::TrackingFlags::Constants; @@ -52,6 +53,10 @@ sub admin_edit { $vars->{tracking_flag_types} = FLAG_TYPES; if ($input->{delete}) { + my $token = $input->{token}; + check_hash_token($token, ['tracking_flags_edit']); + delete_token($token); + my $flag = Bugzilla::Extension::TrackingFlags::Flag->new($vars->{flag_id}) || ThrowCodeError('tracking_flags_invalid_item_id', { item => 'flag', id => $vars->{flag_id} }); $flag->remove_from_db(); @@ -67,7 +72,9 @@ sub admin_edit { exit; } elsif ($input->{save}) { - # save + my $token = $input->{token}; + check_hash_token($token, ['tracking_flags_edit']); + delete_token($token); my ($flag, $values, $visibilities) = _load_from_input($input, $vars); _validate($flag, $values, $visibilities); diff --git a/extensions/TrackingFlags/template/en/default/bug/tracking_flags.html.tmpl b/extensions/TrackingFlags/template/en/default/bug/tracking_flags.html.tmpl index 4e2c97dfa..efce91cfe 100644 --- a/extensions/TrackingFlags/template/en/default/bug/tracking_flags.html.tmpl +++ b/extensions/TrackingFlags/template/en/default/bug/tracking_flags.html.tmpl @@ -58,5 +58,6 @@ [% END %] diff --git a/extensions/TrackingFlags/template/en/default/hook/bug/create/create-form.html.tmpl b/extensions/TrackingFlags/template/en/default/hook/bug/create/create-form.html.tmpl index 53f80a885..a29357b11 100644 --- a/extensions/TrackingFlags/template/en/default/hook/bug/create/create-form.html.tmpl +++ b/extensions/TrackingFlags/template/en/default/hook/bug/create/create-form.html.tmpl @@ -30,7 +30,8 @@ diff --git a/extensions/TrackingFlags/template/en/default/pages/tracking_flags_admin_edit.html.tmpl b/extensions/TrackingFlags/template/en/default/pages/tracking_flags_admin_edit.html.tmpl index 60406490f..e381c4f1c 100644 --- a/extensions/TrackingFlags/template/en/default/pages/tracking_flags_admin_edit.html.tmpl +++ b/extensions/TrackingFlags/template/en/default/pages/tracking_flags_admin_edit.html.tmpl @@ -30,9 +30,12 @@ var selected_components = [ %]
@@ -50,6 +53,7 @@ var selected_components = [ + [%# name/desc/etc %]