Project avatar resource vulnerable to XSRF

Type atlassian
Reporter npellow
Modified 2015-10-20T13:34:56


The project avatar resource accepts the MULTIPART_FORM_DATA content type, so a malicious attacker could use JavaScript to submit a form from a foreign host to a Stash server and trick the user into changing the project avatar in Stash.

cc David Black [Atlassian] - is there any reason why Panopticon found the issue with the UserResource but not with the ProjectResource?

POST rest/api/1.0/projects/{PROJECT_SLUG}/avatar.png

{code}
@POST
@Consumes(MediaType.MULTIPART_FORM_DATA)
@MultipartConfigClass(AvatarMultipartConfig.class)
@Path(AVATAR_PATH)
public Response uploadAvatar(@Context Project project,
                             @Context UriInfo uriInfo,
                             @MultipartFormParam("avatar") final FilePart file) {
    projectService.updateAvatar(project.getId(), new FilePartAvatarSupplier(file));
    // remainder of the method is not included in the report
}
{code}

Documentation must also be altered to tell users about the new requirement to set the X-Atlassian-Token header value to "no-check".
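The check this ticket calls for, as an added example rather than Stash's own code: a hypothetical javax.servlet filter that refuses state-changing requests a foreign page could have submitted on the user's behalf unless they carry the X-Atlassian-Token: no-check header. It goes slightly beyond the ticket by covering not only multipart/form-data but the other content types an HTML form can send without a CORS preflight. The header name and value come from the ticket; the class name, the method names and the sample content types are assumptions.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical filter (not Stash's own code) protecting state-changing
 * endpoints such as the project avatar upload from cross-site form posts.
 *
 * An HTML form on a foreign origin can POST multipart/form-data,
 * application/x-www-form-urlencoded or text/plain to this server with the
 * victim's session cookie attached, but it cannot add a custom request
 * header. Requiring "X-Atlassian-Token: no-check" therefore turns a forged
 * form post into a 403, while legitimate scripted clients simply add it.
 */
public class FormXsrfFilter implements Filter {

    static final String TOKEN_HEADER = "X-Atlassian-Token";
    static final String TOKEN_VALUE = "no-check";

    // Content types a plain HTML form (or a "simple" cross-origin request that
    // needs no CORS preflight) can send. Anything else from a browser script
    // triggers a preflight that this server does not approve.
    private static final Set<String> FORM_TYPES = new HashSet<>(Arrays.asList(
            "multipart/form-data",
            "application/x-www-form-urlencoded",
            "text/plain"));

    @Override
    public void init(FilterConfig filterConfig) {
    }

    @Override
    public void destroy() {
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (isForgeableFormPost(request.getMethod(), request.getContentType(),
                                request.getHeader(TOKEN_HEADER))) {
            // Refuse before any resource method (such as uploadAvatar) runs.
            response.sendError(HttpServletResponse.SC_FORBIDDEN,
                    "XSRF check failed: send " + TOKEN_HEADER + ": " + TOKEN_VALUE);
            return;
        }
        chain.doFilter(req, res);
    }

    /**
     * The decision, kept free of servlet types so it can be unit tested.
     * Returns true when the request looks like one a foreign page could have
     * submitted with the user's cookies and without the token header.
     */
    static boolean isForgeableFormPost(String method, String contentType, String tokenHeader) {
        // GET/HEAD/OPTIONS must not change state, so they are not covered here.
        if (method == null || !method.equalsIgnoreCase("POST")) {
            return false;
        }
        // Strip parameters such as "; boundary=..." or "; charset=..." and
        // normalise case before comparing. A POST with no Content-Type at all
        // is also a "simple" request, so treat it as form-submittable.
        String mediaType = contentType == null
                ? ""
                : contentType.split(";", 2)[0].trim().toLowerCase(Locale.ROOT);
        boolean formSubmittable = mediaType.isEmpty() || FORM_TYPES.contains(mediaType);
        if (!formSubmittable) {
            return false;
        }
        // A foreign origin cannot attach this header; its presence shows a
        // first-party script or a non-browser client built the request.
        return !TOKEN_VALUE.equalsIgnoreCase(tokenHeader);
    }

    public static void main(String[] args) {
        // Constructed sample requests, labelled by what a browser would be doing.
        String multipart = "multipart/form-data; boundary=----ConstructedBoundary";
        System.out.println("cross-site form post, no header: "
                + isForgeableFormPost("POST", multipart, null));
        System.out.println("first-party client with header:  "
                + isForgeableFormPost("POST", multipart, "no-check"));
        System.out.println("JSON body (needs preflight):     "
                + isForgeableFormPost("POST", "application/json", null));
        System.out.println("GET (safe method):               "
                + isForgeableFormPost("GET", multipart, null));
    }
}
```

Map the filter ahead of the REST servlet (for example on /rest/*) so the check runs before uploadAvatar is reached. Once it is in place, a legitimate upload of the avatar only needs the extra header, e.g. curl -H "X-Atlassian-Token: no-check" -F avatar=@logo.png against the POST rest/api/1.0/projects/{PROJECT_SLUG}/avatar.png path from this ticket, which is exactly the documentation change the last paragraph asks for.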