author | Byron Jones <bjones@mozilla.com> | 2013-11-07 09:49:38 +0100 |
---|---|---|
committer | Byron Jones <bjones@mozilla.com> | 2013-11-07 09:49:38 +0100 |
commit | a81cbfc4e9b3e5b5462bc50618791cd45c9882ef (patch) | |
tree | 7576109f95dd645d33319716305e5fea716494f2 | |
parent | 4a3a96c3596a5510286034570489f21540a6f23c (diff) | |
Bug 935570: add ProjectHoneyPot protection
-rw-r--r-- | Bugzilla/User.pm | 3 | ||||
-rw-r--r-- | extensions/ProjectHoneyPot/Config.pm | 15 | ||||
-rw-r--r-- | extensions/ProjectHoneyPot/Extension.pm | 63 | ||||
-rw-r--r-- | extensions/ProjectHoneyPot/template/en/default/hook/admin/params/editparams-current_panel.html.tmpl | 16 |
4 files changed, 97 insertions, 0 deletions
diff --git a/Bugzilla/User.pm b/Bugzilla/User.pm
index 946fe8cb1..4e4489935 100644
--- a/Bugzilla/User.pm
+++ b/Bugzilla/User.pm
@@ -2074,6 +2074,9 @@ sub check_and_send_account_creation_confirmation {
 ThrowUserError('account_creation_restricted');
 }

+ # BMO - add a hook to allow extra validation prior to account creation.
+ Bugzilla::Hook::process("user_verify_login", { login => $login });
+
 # Create and send a token for this new account.
 require Bugzilla::Token;
 Bugzilla::Token::issue_new_user_account_token($login);
diff --git a/extensions/ProjectHoneyPot/Config.pm b/extensions/ProjectHoneyPot/Config.pm
new file mode 100644
index 000000000..83d8d313e
--- /dev/null
+++ b/extensions/ProjectHoneyPot/Config.pm
@@ -0,0 +1,15 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# This Source Code Form is "Incompatible With Secondary Licenses", as
+# defined by the Mozilla Public License, v. 2.0.
+
+package Bugzilla::Extension::ProjectHoneyPot;
+use strict;
+
+use constant NAME => 'ProjectHoneyPot';
+use constant REQUIRED_MODULES => [ ];
+use constant OPTIONAL_MODULES => [ ];
+
+__PACKAGE__->NAME;
diff --git a/extensions/ProjectHoneyPot/Extension.pm b/extensions/ProjectHoneyPot/Extension.pm
new file mode 100644
index 000000000..856fe7f1e
--- /dev/null
+++ b/extensions/ProjectHoneyPot/Extension.pm
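Review bot: The new `user_verify_login` hook call in check_and_send_account_creation_confirmation (Bugzilla/User.pm) does not say how an extension is meant to reject a login, and the diffstat shows no hook documentation being added alongside it. The return value of `Bugzilla::Hook::process` is discarded here, so the only way a hook can stop account creation is to throw, as the ProjectHoneyPot extension in this commit does with ThrowUserError. I would extend the comment to say so, e.g. `# Extensions reject the login by throwing (ThrowUserError); return values are ignored.`, and mention that the hook runs before the confirmation token is issued, so a slow hook delays every account request. The function body starts and ends outside this hunk.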
@@ -0,0 +1,63 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# This Source Code Form is "Incompatible With Secondary Licenses", as
+# defined by the Mozilla Public License, v. 2.0.
+
+package Bugzilla::Extension::ProjectHoneyPot;
+
+use strict;
+use warnings;
+
+use base qw(Bugzilla::Extension);
+
+use Encode;
+use Bugzilla::Error;
+use Bugzilla::Util qw(remote_ip);
+use Socket;
+use Sys::Syslog qw(:DEFAULT setlogsock);
+
+our $VERSION = '1';
+
+sub user_verify_login {
+ my ($self, $args) = @_;
+ return unless my $api_key = Bugzilla->params->{honeypot_api_key};
+ my $ip = remote_ip();
+ return unless $ip =~ /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/;
+ my $lookup = "$api_key.$4.$3.$2.$1.dnsbl.httpbl.org";
+ return unless my $packed = gethostbyname($lookup);
+ my $honeypot = inet_ntoa($packed);
+ return unless $honeypot =~ /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/;
+ my ($status, $days, $threat, $type) = ($1, $2, $3, $4);
+
+ return if $status != 127
+ || $threat < Bugzilla->params->{honeypot_threat_threshold};
+
+ _syslog(sprintf("[audit] blocked <%s> from creating %s, honeypot %s",
+ $ip, $args->{login}, $honeypot));
+ ThrowUserError('account_creation_restricted');
+}
+
+sub config_modify_panels {
+ my ($self, $args) = @_;
+ push @{ $args->{panels}->{auth}->{params} }, {
+ name => 'honeypot_api_key',
+ type => 't',
+ default => '',
+ };
+ push @{ $args->{panels}->{auth}->{params} }, {
+ name => 'honeypot_threat_threshold',
+ type => 't',
+ default => '32',
+ };
+}
+
+sub _syslog {
+ my $message = shift;
+ openlog('apache', 'cons,pid', 'local4');
+ syslog('notice', encode_utf8($message));
+ closelog();
+}
+
+__PACKAGE__->NAME;
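Review bot: `_syslog` passes the already formatted message to `syslog()` as its format argument, and that message contains the requested login from `$args->{login}`, so any `%` sequence in the login is interpreted a second time by Sys::Syslog's sprintf-style formatting and can garble or drop the audit record. Pass a constant format instead: `syslog('notice', '%s', encode_utf8($message));`. Whether a `%` can reach this point depends on the login validation earlier in check_and_send_account_creation_confirmation, which is outside this diff. Separately, `user_verify_login` fails open for any `remote_ip()` that is not dotted IPv4 and for any resolver failure, and `honeypot_threat_threshold` is a free-text parameter with no numeric check, so a non-numeric value compares as 0 and blocks every listed address. A `checker` entry on that parameter and a short comment recording the fail-open choice would make both behaviours explicit.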
diff --git a/extensions/ProjectHoneyPot/template/en/default/hook/admin/params/editparams-current_panel.html.tmpl b/extensions/ProjectHoneyPot/template/en/default/hook/admin/params/editparams-current_panel.html.tmpl
new file mode 100644
index 000000000..e8e67eccb
--- /dev/null
+++ b/extensions/ProjectHoneyPot/template/en/default/hook/admin/params/editparams-current_panel.html.tmpl
@@ -0,0 +1,16 @@
+[%# This Source Code Form is subject to the terms of the Mozilla Public
+ # License, v. 2.0. If a copy of the MPL was not distributed with this
+ # file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ #
+ # This Source Code Form is "Incompatible With Secondary Licenses", as
+ # defined by the Mozilla Public License, v. 2.0.
+ #%]
+
+[% IF panel.name == "auth" %]
+ [% panel.param_descs.honeypot_api_key =
+ 'API Key for http://www.projecthoneypot.org'
+ %]
+ [% panel.param_descs.honeypot_threat_threshold =
+ 'Users will be unable to create accounts if their honeypot threat score is this value or higher.'
+ %]
+[% END -%]
|