Open Bug 935655 Opened 11 years ago Updated 11 years ago

show_bug's XML mode includes a time zone in the delta_ts which breaks the CSRF token validation

Categories

(Bugzilla :: Bugzilla-General, defect)

Platform: x86 macOS
Type: defect
Priority: Not set
Severity: normal


People

(Reporter: ian, Unassigned)

Details

show.xml.tmpl says:

    [% ELSIF field == 'creation_ts' OR field == 'delta_ts' %]
        [% val = val FILTER time("%Y-%m-%d %T %z") %]

edit.html.tmpl just says:

    <input type="hidden" name="delta_ts" value="[% bug.delta_ts %]">

This makes the delta_ts from the XML output different than the delta_ts used to compute the token on the server-side, and thus breaks CSRF token validation.
I doubt that's true. If you pass an old delta_ts, a midair collision will occur. If you pass no delta_ts, process_bug.cgi falls back to the current delta_ts, see bug 930013. So all you need to pass is the token given in the XML output.
This was changed in bug 487865 to allow importing of bugs exported in XML format and does not work for using the values against process_bug.cgi in the case of delta_ts. We either need to

1) strip off the timezone in process_bug.cgi if present before checking the token
2) have the client drop the delta_ts value and just pass the token to process_bug.cgi
3) not support updating bugs based on values from the XML dumps.

FWIW the webservice API uses a different format that is converted when it is passed back using the api.

dkl
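A small model of the mismatch the reporter describes and of options 1 and 2 from the comment above, added here as an illustration and not Bugzilla's own code. The token construction (an HMAC over the bug id and delta_ts), the secret, and the timestamps are all constructed assumptions; they only stand in for whatever process_bug.cgi really does.

```python
import hashlib
import hmac
import re

# Constructed secret standing in for the server's real site secret (hypothetical).
SITE_SECRET = b"constructed-site-secret"

# delta_ts as edit.html.tmpl writes it into the hidden field (no zone)...
STORED_DELTA_TS = "2013-11-06 14:05:12"
# ...and as show.xml.tmpl renders it via FILTER time("%Y-%m-%d %T %z").
XML_DELTA_TS = "2013-11-06 14:05:12 +0000"

_TZ_SUFFIX = re.compile(r" [+-]\d{4}$")


def make_token(bug_id: int, delta_ts: str) -> str:
    """Hypothetical token: HMAC over the bug id and the delta_ts the server stores."""
    msg = f"{bug_id}|{delta_ts}".encode()
    return hmac.new(SITE_SECRET, msg, hashlib.sha256).hexdigest()


def strip_tz(delta_ts: str) -> str:
    """Option 1 in the thread: drop a trailing '+HHMM'/'-HHMM' offset if present."""
    return _TZ_SUFFIX.sub("", delta_ts)


def check_update(bug_id, token, delta_ts, stored_delta_ts, normalize=False):
    """Server-side check returning 'ok', 'bad_token' or 'midair'.

    delta_ts=None models a client that omits the field (option 2); the server
    then falls back to the current stored value, as the thread says process_bug.cgi does.
    """
    if delta_ts is None:
        delta_ts = stored_delta_ts
    elif normalize:
        delta_ts = strip_tz(delta_ts)
    expected = make_token(bug_id, delta_ts)
    if not hmac.compare_digest(expected, token):
        return "bad_token"          # token does not cover the submitted delta_ts
    if delta_ts != stored_delta_ts:
        return "midair"             # stale but well-formed delta_ts: midair collision
    return "ok"


if __name__ == "__main__":
    token = make_token(935655, STORED_DELTA_TS)  # token as the server issued it
    print(check_update(935655, token, XML_DELTA_TS, STORED_DELTA_TS))                  # bad_token
    print(check_update(935655, token, XML_DELTA_TS, STORED_DELTA_TS, normalize=True))  # ok
    print(check_update(935655, token, None, STORED_DELTA_TS))                          # ok
```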