Commit 44341577 authored by lpsolit%gmail.com's avatar lpsolit%gmail.com

Bug 466748: [SECURITY] Shared/saved searches can be deleted without user…

Bug 466748: [SECURITY] Shared/saved searches can be deleted without user confirmation using predictable URL - Patch by Frédéric Buclin <LpSolit@gmail.com> r=mkanat a=LpSolit
parent 95c875a4
...@@ -290,7 +290,7 @@ sub LookupNamedQuery { ...@@ -290,7 +290,7 @@ sub LookupNamedQuery {
$result $result
|| ThrowUserError("buglist_parameters_required", {'queryname' => $name}); || ThrowUserError("buglist_parameters_required", {'queryname' => $name});
return $result; return wantarray ? ($result, $id) : $result;
} }
# Inserts a Named Query (a "Saved Search") into the database, or # Inserts a Named Query (a "Saved Search") into the database, or
...@@ -448,14 +448,16 @@ $filename =~ s/"/\\"/g; # escape quotes ...@@ -448,14 +448,16 @@ $filename =~ s/"/\\"/g; # escape quotes
# Take appropriate action based on user's request. # Take appropriate action based on user's request.
if ($cgi->param('cmdtype') eq "dorem") { if ($cgi->param('cmdtype') eq "dorem") {
if ($cgi->param('remaction') eq "run") { if ($cgi->param('remaction') eq "run") {
$buffer = LookupNamedQuery(scalar $cgi->param("namedcmd"), my $query_id;
scalar $cgi->param('sharer_id')); ($buffer, $query_id) = LookupNamedQuery(scalar $cgi->param("namedcmd"),
scalar $cgi->param('sharer_id'));
# If this is the user's own query, remember information about it # If this is the user's own query, remember information about it
# so that it can be modified easily. # so that it can be modified easily.
$vars->{'searchname'} = $cgi->param('namedcmd'); $vars->{'searchname'} = $cgi->param('namedcmd');
if (!$cgi->param('sharer_id') || if (!$cgi->param('sharer_id') ||
$cgi->param('sharer_id') == Bugzilla->user->id) { $cgi->param('sharer_id') == Bugzilla->user->id) {
$vars->{'searchtype'} = "saved"; $vars->{'searchtype'} = "saved";
$vars->{'search_id'} = $query_id;
} }
$params = new Bugzilla::CGI($buffer); $params = new Bugzilla::CGI($buffer);
$order = $params->param('order') || $order; $order = $params->param('order') || $order;
...@@ -504,6 +506,10 @@ if ($cgi->param('cmdtype') eq "dorem") { ...@@ -504,6 +506,10 @@ if ($cgi->param('cmdtype') eq "dorem") {
# The user has no query of this name. Play along. # The user has no query of this name. Play along.
} }
else { else {
# Make sure the user really wants to delete his saved search.
my $token = $cgi->param('token');
check_hash_token($token, [$query_id, $qname]);
$dbh->do('DELETE FROM namedqueries $dbh->do('DELETE FROM namedqueries
WHERE id = ?', WHERE id = ?',
undef, $query_id); undef, $query_id);
...@@ -557,9 +563,12 @@ elsif (($cgi->param('cmdtype') eq "doit") && defined $cgi->param('remtype')) { ...@@ -557,9 +563,12 @@ elsif (($cgi->param('cmdtype') eq "doit") && defined $cgi->param('remtype')) {
my %bug_ids; my %bug_ids;
my $is_new_name = 0; my $is_new_name = 0;
if ($query_name) { if ($query_name) {
my ($query, $query_id) =
LookupNamedQuery($query_name, undef, QUERY_LIST, !THROW_ERROR);
# Make sure this name is not already in use by a normal saved search. # Make sure this name is not already in use by a normal saved search.
if (LookupNamedQuery($query_name, undef, QUERY_LIST, !THROW_ERROR)) { if ($query) {
ThrowUserError('query_name_exists', {'name' => $query_name}); ThrowUserError('query_name_exists', {name => $query_name,
query_id => $query_id});
} }
$is_new_name = 1; $is_new_name = 1;
} }
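Review bot: The context-sensitive return added to LookupNamedQuery, `return wantarray ? ($result, $id) : $result;`, makes the sub's result depend on how it is called, so any existing list-context caller outside this diff (one that pushes the result onto an array or passes it straight into an argument list) now silently receives two values instead of one. A dedicated sub that returns the id, or returning a hashref, would avoid the `wantarray` footgun; at minimum the comment above the sub, whose header is outside the hunk, should state `# In list context, also returns the query's id as a second value.` so the third hunk's `my ($query, $query_id) = LookupNamedQuery(...)` is understood by the next reader. The `check_hash_token($token, [$query_id, $qname])` binding in the delete branch is the right one, since the id and name together identify the search being removed; `$qname` is defined outside the hunk, so presumably it is the `namedcmd` parameter — confirm it is the same value the templates hash as `q.name` / `searchname`, otherwise every Forget link would be rejected.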
...@@ -108,7 +108,8 @@ ...@@ -108,7 +108,8 @@
Remove from <a href="editwhines.cgi">whining</a> first Remove from <a href="editwhines.cgi">whining</a> first
[% ELSE %] [% ELSE %]
<a href="buglist.cgi?cmdtype=dorem&amp;remaction=forget&amp;namedcmd= <a href="buglist.cgi?cmdtype=dorem&amp;remaction=forget&amp;namedcmd=
[% q.name FILTER url_quote %]">Forget</a> [% q.name FILTER url_quote %]&amp;token=
[% issue_hash_token([q.id, q.name]) FILTER url_quote %]">Forget</a>
[% END %] [% END %]
</td> </td>
<td align="center"> <td align="center">
...@@ -1391,8 +1391,9 @@ ...@@ -1391,8 +1391,9 @@
The name <em>[% name FILTER html %]</em> is already used by another The name <em>[% name FILTER html %]</em> is already used by another
saved search. You first have to saved search. You first have to
<a href="buglist.cgi?cmdtype=dorem&amp;remaction=forget&amp;namedcmd= <a href="buglist.cgi?cmdtype=dorem&amp;remaction=forget&amp;namedcmd=
[%- name FILTER url_quote %]">delete</a> it if you really want to use [%- name FILTER url_quote %]&amp;token=
this name. [% issue_hash_token([query_id, name]) FILTER url_quote %]">delete</a>
it if you really want to use this name.
[% ELSIF error == "query_name_missing" %] [% ELSIF error == "query_name_missing" %]
[% title = "No Search Name Specified" %] [% title = "No Search Name Specified" %]
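Review bot: The new delete link hashes `[query_id, name]`, but `query_id` is only supplied by the single ThrowUserError call changed in this commit; if `query_name_exists` is raised anywhere else without it, the token would be issued for an undefined id and `check_hash_token` would reject the link the user is sent to. A guard such as `[% IF query_id %]` around the delete link, or a template comment stating that `query_id` is required for this error, would make that contract explicit. The same dependence applies to `search_id` in the buglist template hunk below, which buglist.cgi sets only when the search belongs to the current user — presumably that block is already under the `searchtype == "saved"` condition, but that enclosing condition is outside the hunk.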
...@@ -228,8 +228,9 @@ ...@@ -228,8 +228,9 @@
<td valign="middle" nowrap="nowrap" class="bz_query_forget"> <td valign="middle" nowrap="nowrap" class="bz_query_forget">
| |
<a href="buglist.cgi?cmdtype=dorem&amp;remaction=forget&amp;namedcmd= <a href="buglist.cgi?cmdtype=dorem&amp;remaction=forget&amp;namedcmd=
[% searchname FILTER url_quote %]">Forget&nbsp;Search&nbsp;' [% searchname FILTER url_quote %]&amp;token=
[% searchname FILTER html %]'</a> [% issue_hash_token([search_id, searchname]) FILTER url_quote %]">
Forget&nbsp;Search&nbsp;'[% searchname FILTER html %]'</a>
</td> </td>
[% ELSE %] [% ELSE %]
<td>&nbsp;</td> <td>&nbsp;</td>