Commit f53fede6 authored by Reed Loden's avatar Reed Loden

Bug 767623 - Use HMAC to generate tokens and sensitive graph filenames

[r=LpSolit a=LpSolit]
parent 4e1e44ea
...@@ -24,7 +24,7 @@ use Bugzilla::User; ...@@ -24,7 +24,7 @@ use Bugzilla::User;
use Date::Format; use Date::Format;
use Date::Parse; use Date::Parse;
use File::Basename; use File::Basename;
use Digest::MD5 qw(md5_hex); use Digest::SHA qw(hmac_sha256_base64);
use base qw(Exporter); use base qw(Exporter);
...@@ -167,15 +167,13 @@ sub issue_hash_token { ...@@ -167,15 +167,13 @@ sub issue_hash_token {
my $user_id = Bugzilla->user->id || remote_ip(); my $user_id = Bugzilla->user->id || remote_ip();
# The concatenated string is of the form # The concatenated string is of the form
# token creation time + site-wide secret + user ID (either ID or remote IP) + data # token creation time + user ID (either ID or remote IP) + data
my @args = ($time, Bugzilla->localconfig->{'site_wide_secret'}, $user_id, @$data); my @args = ($time, $user_id, @$data);
my $token = join('*', @args); my $token = join('*', @args);
# Wide characters cause md5_hex() to die. $token = hmac_sha256_base64($token, Bugzilla->localconfig->{'site_wide_secret'});
if (Bugzilla->params->{'utf8'}) { $token =~ s/\+/-/g;
utf8::encode($token) if utf8::is_utf8($token); $token =~ s/\//_/g;
}
$token = md5_hex($token);
# Prepend the token creation time, unencrypted, so that the token # Prepend the token creation time, unencrypted, so that the token
# lifetime can be validated. # lifetime can be validated.
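Review bot: The new `hmac_sha256_base64($token, ...)` line is handed `$token` without the utf8::encode step the commit removes, and Digest::SHA's functions croak on wide characters just as md5_hex() did, so a token built from `@$data` containing user-supplied non-Latin-1 text would die instead of being signed. Keep the guard in front of the HMAC call, `utf8::encode($token) if Bugzilla->params->{'utf8'} && utf8::is_utf8($token);`, and reword its comment to name Digest::SHA rather than md5_hex(). The graph-filename hunk in the second file has the same gap, since `$image_file` is joined from `$project`, `$prod_id` and `@datasets` and hashed without the encode step. issue_hash_token's body continues past the end of this hunk.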
...@@ -17,7 +17,7 @@ use Bugzilla::Error; ...@@ -17,7 +17,7 @@ use Bugzilla::Error;
use Bugzilla::Status; use Bugzilla::Status;
use File::Basename; use File::Basename;
use Digest::MD5 qw(md5_hex); use Digest::SHA qw(hmac_sha256_base64);
# If we're using bug groups for products, we should apply those restrictions # If we're using bug groups for products, we should apply those restrictions
# to viewing reports, as well. Time to check the login in that case. # to viewing reports, as well. Time to check the login in that case.
...@@ -88,14 +88,12 @@ else { ...@@ -88,14 +88,12 @@ else {
# Filenames must not be guessable as they can point to products # Filenames must not be guessable as they can point to products
# you are not allowed to see. Also, different projects can have # you are not allowed to see. Also, different projects can have
# the same product names. # the same product names.
my $key = Bugzilla->localconfig->{'site_wide_secret'};
my $project = bz_locations()->{'project'} || ''; my $project = bz_locations()->{'project'} || '';
my $image_file = join(':', ($key, $project, $prod_id, @datasets)); my $image_file = join(':', ($project, $prod_id, @datasets));
# Wide characters cause md5_hex() to die. my $key = Bugzilla->localconfig->{'site_wide_secret'};
if (Bugzilla->params->{'utf8'}) { $image_file = hmac_sha256_base64($image_file, $key) . '.png';
utf8::encode($image_file) if utf8::is_utf8($image_file); $image_file =~ s/\+/-/g;
} $image_file =~ s/\//_/g;
$image_file = md5_hex($image_file) . '.png';
trick_taint($image_file); trick_taint($image_file);
if (! -e "$graph_dir/$image_file") { if (! -e "$graph_dir/$image_file") {
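Review bot: The two substitutions after the HMAC call, `$image_file =~ s/\+/-/g;` and `$image_file =~ s/\//_/g;`, carry no comment explaining why the base64 alphabet is being rewritten, and the reader has to infer that a `/` in the digest would otherwise become a path separator when the name is joined onto `$graph_dir`. Fold them into a single character map and say why: `$image_file =~ tr{+/}{-_};   # base64 '/' would be a path separator, '+' decodes as a space in URLs`. The same pair of substitutions appears in issue_hash_token in the first file and could use the same form. The enclosing else block opens before this hunk and the `if (! -e ...)` branch continues past it.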