Closed Bug 927736 Opened 11 years ago Closed 11 years ago

"invalid token" error if someone else changes the CC list while viewing a bug

Categories

(Bugzilla :: Creating/Changing Bugs, defect)

Product:
Bugzilla
Component:
Creating/Changing Bugs
Type:
defect
Priority:
Not set
Severity:
major

Tracking

()

Status:
RESOLVED FIXED
Milestone:
Bugzilla 4.4

People

(Reporter: glob, Assigned: glob)

References

Details

(Keywords: regression)

Attachments

(1 file)

927736_1.patch
421 bytes, patch
LpSolit
: review+
Details | Diff | Splinter Review 
steps:

1. load the same bug in two browsers
2. on browser A, adjust the CC list and submit
3. on browser B, adjust another field and submit

expected:

submission on browser B works without error or mid-air warning.

actual:

"illegal token" error.



what's happening is the token provided in the post data is validated against the bug's current delta_ts, which was updated by browser A.  this wasn't a problem as all changes triggered a mid-air stop, however bug 69447 changed that.
Attached patch 927736_1.patchSplinter Review 
this makes us validate the token against the delta_ts at the time it was issued, rather than the current value.

note - delta_ts is provided by the POST data (as is the token we're validating), however as far as i can tell this is safe as we're hashing with the site_wide_secret.
Attachment #818255 - Flags: review?(dkl)
Flags: blocking4.4.1+
Target Milestone: --- → Bugzilla 4.4
Severity: normal → major
Status: NEW → ASSIGNED
Keywords: regression
In fact, nobody detected this bug before because the security bug hide this problem as process_bug.cgi was always recreating the token if a potential midair collision was possible. That's why 4.4 was working "fine".
Comment on attachment 818255 [details] [diff] [review]
927736_1.patch

If I intentionally omit delta_ts from the list of parameters to skip the midair collision page, the token check now triggers:

  process_bug.cgi: Use of uninitialized value $args[3] in join or string at Bugzilla/Token.pm line 170

That's because you are concatenating an undefined string. To fix the problem, make sure $delta_ts is always defined, see line 114:

  my $delta_ts = $cgi->param('delta_ts') || '';


r=LpSolit with this fix on checkin.
Attachment #818255 - Flags: review?(dkl) → review+
Flags: approval?
Flags: approval4.4?
Approvers are all away and this patch must be checked in asap so that we can re-tag bzr branches. Abusing my privileges... a=LpSolit
Flags: approval?
Flags: approval4.4?
Flags: approval4.4+
Flags: approval+
Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/trunk/
modified process_bug.cgi
Committed revision 8783.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/4.4/
modified process_bug.cgi
Committed revision 8629.
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Blocks: 928331
Blocks: 930013
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: