diff options
| author | lpsolit%gmail.com <> | 2008-05-05 06:55:06 +0200 |
|---|---|---|
| committer | lpsolit%gmail.com <> | 2008-05-05 06:55:06 +0200 |
| commit | fd87911bb05e072c61628bd313579d06e95f2525 (patch) | |
| tree | 6f9bcb5c8062866be3cdc01075c88e95a60fa57c | |
| parent | 6d7d31d0eeec2b1a03a34fee709c7efabd4faab8 (diff) | |
| download | bugzilla-fd87911bb05e072c61628bd313579d06e95f2525.tar.gz bugzilla-fd87911bb05e072c61628bd313579d06e95f2525.tar.xz | |
Bug 419188: [SECURITY] email_in.pl lets you set the changer as @reporter instead of only checking the "From" header - Patch by Frédéric Buclin <LpSolit@gmail.com> r=mkanat a=LpSolit
| -rw-r--r-- | email_in.pl | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/email_in.pl b/email_in.pl index 864bdee7f..81637ebc4 100644 --- a/email_in.pl +++ b/email_in.pl @@ -106,6 +106,16 @@ sub parse_mail { if ($line =~ /^@(\S+)\s*=\s*(.*)\s*/) { $current_field = lc($1); + # It's illegal to pass the reporter field as you could + # override the "From:" field of the message and bypass + # authentication checks, such as PGP. + if ($current_field eq 'reporter') { + # We reset the $current_field variable to something + # post_bug and process_bug will ignore, in case the + # attacker splits the reporter field on several lines. + $current_field = 'illegal_field'; + next; + } $fields{$current_field} = $2; } else { |