Bitbucket Data Center: BSERV-5335

User avatar upload endpoint is vulnerable to XSRF

    Description

      Stash, as of 2.12, allows users to upload local avatars to their account (STASHDEV-6182).

      That upload is submitted to a (non-API) endpoint that accepts a POST request carrying the avatar as a data URI.

      Currently, because the form is submitted by AJAX and the front end has no security token to send along with the request, the endpoint is annotated with @IgnoresXsrf, which disables XSRF protection for it. See UserProfileController.uploadAvatar for the source.

      The two alternatives to fix this (and remove the annotation) are:

      • submit the data as JSON instead of form-urlencoded,
      • obtain a security token/value in the page and submit it as part of the AJAX request.

    People

      mszczepanski Marcin
      pepoirot Pierre-Etienne Poirot (Inactive)