Bitbucket Data Center / BSERV-7184

Project avatar resource vulnerable to XSRF

    Description

      The project avatar resource accepts a content type of MULTIPART_FORM_DATA, so a malicious attacker could use JavaScript to submit a form from a foreign host to a Stash server and trick the user into changing the project avatar in Stash.

      cc David Black [Atlassian] - is there any reason why panopticon found the issue with the UserResource but not with the ProjectResource?

      com.atlassian.stash.internal.rest.project.ProjectResource

      POST rest/api/1.0/projects/{PROJECT_SLUG}/avatar.png

          // No XSRF check here: a cross-site HTML form can POST multipart/form-data to this path
          @POST
          @Consumes(MediaType.MULTIPART_FORM_DATA)
          @MultipartConfigClass(AvatarMultipartConfig.class)
          @Path(AVATAR_PATH)
          public Response uploadAvatar(@Context Project project, @Context UriInfo uriInfo,
                                       @MultipartFormParam("avatar") final FilePart file) {
              projectService.updateAvatar(project.getId(), new FilePartAvatarSupplier(file));
              // remainder of the method (response construction) is not shown in the issue
          }

      Documentation must also be altered to tell users about the new requirement to set the X-Atlassian-Token header value to "no-check".
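A model of the header check the issue asks for, added here as an example and not Stash's own XSRF filter: any state-changing request that a cross-site HTML form could have produced must carry X-Atlassian-Token: no-check, a custom header a foreign-origin form cannot set. It generalises the issue's multipart case to the other two content types a browser form can send without a CORS preflight; the Request class, the sample requests and the project key PROJ are constructed for the example.

```python
from dataclasses import dataclass, field

# Content types a plain HTML <form> can send cross-origin without a CORS
# preflight; multipart/form-data is the one BSERV-7184 is about.
FORM_CONTENT_TYPES = {
    "multipart/form-data",
    "application/x-www-form-urlencoded",
    "text/plain",
}
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
XSRF_HEADER = "X-Atlassian-Token"   # header name and value taken from the issue
XSRF_VALUE = "no-check"


@dataclass
class Request:
    """Minimal request model (constructed for this example)."""
    method: str
    path: str
    headers: dict = field(default_factory=dict)

    def header(self, name: str):
        # Header names are case-insensitive
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return None


def form_submittable(req: Request) -> bool:
    """True when a cross-site HTML form could have produced this request."""
    media_type = (req.header("Content-Type") or "").split(";")[0].strip().lower()
    return req.method.upper() not in SAFE_METHODS and media_type in FORM_CONTENT_TYPES


def xsrf_check(req: Request):
    """Return (allowed, reason). A form-submittable request must carry
    X-Atlassian-Token: no-check, which a foreign-origin <form> cannot add."""
    if not form_submittable(req):
        return True, "not form-submittable"
    token = req.header(XSRF_HEADER)
    if token is not None and token.strip().lower() == XSRF_VALUE:
        return True, "custom header present"
    return False, "missing %s: %s" % (XSRF_HEADER, XSRF_VALUE)


# Constructed sample requests against the avatar resource named in the issue
AVATAR = "/rest/api/1.0/projects/PROJ/avatar.png"
CROSS_SITE_FORM = Request("POST", AVATAR, {"Content-Type": "multipart/form-data; boundary=x",
                                           "Origin": "https://other.example"})
LEGIT_UPLOAD = Request("POST", AVATAR, {"Content-Type": "multipart/form-data; boundary=x",
                                        "X-Atlassian-Token": "no-check"})
```

A JSON or GET request passes without the header because a browser form cannot produce it cross-site; only the form-shaped requests are gated.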

      People

        npellow Nick