authorByron Jones <bjones@mozilla.com>2013-11-07 09:49:38 +0100
committerByron Jones <bjones@mozilla.com>2013-11-07 09:49:38 +0100
commita81cbfc4e9b3e5b5462bc50618791cd45c9882ef (patch)
tree7576109f95dd645d33319716305e5fea716494f2
parent4a3a96c3596a5510286034570489f21540a6f23c (diff)
Bug 935570: add ProjectHoneyPot protection
-rw-r--r--Bugzilla/User.pm3
-rw-r--r--extensions/ProjectHoneyPot/Config.pm15
-rw-r--r--extensions/ProjectHoneyPot/Extension.pm63
-rw-r--r--extensions/ProjectHoneyPot/template/en/default/hook/admin/params/editparams-current_panel.html.tmpl16
4 files changed, 97 insertions, 0 deletions
diff --git a/Bugzilla/User.pm b/Bugzilla/User.pm
index 946fe8cb1..4e4489935 100644
--- a/Bugzilla/User.pm
+++ b/Bugzilla/User.pm
@@ -2074,6 +2074,9 @@ sub check_and_send_account_creation_confirmation {
ThrowUserError('account_creation_restricted');
}
+ # BMO - add a hook to allow extra validation prior to account creation.
+ Bugzilla::Hook::process("user_verify_login", { login => $login });
+
# Create and send a token for this new account.
require Bugzilla::Token;
Bugzilla::Token::issue_new_user_account_token($login);
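Review bot: The new `user_verify_login` hook is undocumented: the commit touches four files and Bugzilla/Hook.pm is not among them, and the inline comment does not say how an extension signals rejection. The call discards the return value of `Bugzilla::Hook::process`, so the only way to refuse the login is to throw, which is what the ProjectHoneyPot extension does with `ThrowUserError`. I would extend the comment to something like `# Extensions veto the request by throwing (e.g. ThrowUserError); the return value is ignored.` and add a matching POD entry listing the `login` argument. The body of `check_and_send_account_creation_confirmation` starts and ends outside this hunk, so any validation of `$login` before the hook runs is not visible here.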
diff --git a/extensions/ProjectHoneyPot/Config.pm b/extensions/ProjectHoneyPot/Config.pm
new file mode 100644
index 000000000..83d8d313e
--- /dev/null
+++ b/extensions/ProjectHoneyPot/Config.pm
@@ -0,0 +1,15 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# This Source Code Form is "Incompatible With Secondary Licenses", as
+# defined by the Mozilla Public License, v. 2.0.
+
+package Bugzilla::Extension::ProjectHoneyPot;
+use strict;
+
+use constant NAME => 'ProjectHoneyPot';
+use constant REQUIRED_MODULES => [ ];
+use constant OPTIONAL_MODULES => [ ];
+
+__PACKAGE__->NAME;
diff --git a/extensions/ProjectHoneyPot/Extension.pm b/extensions/ProjectHoneyPot/Extension.pm
new file mode 100644
index 000000000..856fe7f1e
--- /dev/null
+++ b/extensions/ProjectHoneyPot/Extension.pm
@@ -0,0 +1,63 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# This Source Code Form is "Incompatible With Secondary Licenses", as
+# defined by the Mozilla Public License, v. 2.0.
+
+package Bugzilla::Extension::ProjectHoneyPot;
+
+use strict;
+use warnings;
+
+use base qw(Bugzilla::Extension);
+
+use Encode;
+use Bugzilla::Error;
+use Bugzilla::Util qw(remote_ip);
+use Socket;
+use Sys::Syslog qw(:DEFAULT setlogsock);
+
+our $VERSION = '1';
+
+sub user_verify_login {
+ my ($self, $args) = @_;
+ return unless my $api_key = Bugzilla->params->{honeypot_api_key};
+ my $ip = remote_ip();
+ return unless $ip =~ /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/;
+ my $lookup = "$api_key.$4.$3.$2.$1.dnsbl.httpbl.org";
+ return unless my $packed = gethostbyname($lookup);
+ my $honeypot = inet_ntoa($packed);
+ return unless $honeypot =~ /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/;
+ my ($status, $days, $threat, $type) = ($1, $2, $3, $4);
+
+ return if $status != 127
+ || $threat < Bugzilla->params->{honeypot_threat_threshold};
+
+ _syslog(sprintf("[audit] blocked <%s> from creating %s, honeypot %s",
+ $ip, $args->{login}, $honeypot));
+ ThrowUserError('account_creation_restricted');
+}
+
+sub config_modify_panels {
+ my ($self, $args) = @_;
+ push @{ $args->{panels}->{auth}->{params} }, {
+ name => 'honeypot_api_key',
+ type => 't',
+ default => '',
+ };
+ push @{ $args->{panels}->{auth}->{params} }, {
+ name => 'honeypot_threat_threshold',
+ type => 't',
+ default => '32',
+ };
+}
+
+sub _syslog {
+ my $message = shift;
+ openlog('apache', 'cons,pid', 'local4');
+ syslog('notice', encode_utf8($message));
+ closelog();
+}
+
+__PACKAGE__->NAME;
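Review bot: In `_syslog`, the message is handed to `syslog()` as its format argument, and it embeds the submitted `$args->{login}`, so a `%` sequence in the address is treated as a format directive (Sys::Syslog also expands `%m`) instead of being logged literally; whether earlier validation excludes `%` is not visible here. Pass the text as data instead: `syslog('notice', '%s', encode_utf8($message));`. In `user_verify_login`, `honeypot_threat_threshold` is a free-text parameter compared with `<`, so an empty or non-numeric value evaluates as 0 and every listed address is refused; checking that it is an integer in 0-255 before comparing would avoid that. `$days` and `$type` are captured but never used, which deserves a comment if intentional, since the meaning of the third octet may depend on the visitor type. Every early `return` (no API key, non-IPv4 client, failed lookup) skips the check without logging, so a comment stating that the check fails open by design would help whoever operates it.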
diff --git a/extensions/ProjectHoneyPot/template/en/default/hook/admin/params/editparams-current_panel.html.tmpl b/extensions/ProjectHoneyPot/template/en/default/hook/admin/params/editparams-current_panel.html.tmpl
new file mode 100644
index 000000000..e8e67eccb
--- /dev/null
+++ b/extensions/ProjectHoneyPot/template/en/default/hook/admin/params/editparams-current_panel.html.tmpl
@@ -0,0 +1,16 @@
+[%# This Source Code Form is subject to the terms of the Mozilla Public
+ # License, v. 2.0. If a copy of the MPL was not distributed with this
+ # file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ #
+ # This Source Code Form is "Incompatible With Secondary Licenses", as
+ # defined by the Mozilla Public License, v. 2.0.
+ #%]
+
+[% IF panel.name == "auth" %]
+ [% panel.param_descs.honeypot_api_key =
+ 'API Key for http://www.projecthoneypot.org'
+ %]
+ [% panel.param_descs.honeypot_threat_threshold =
+ 'Users will be unable to create accounts if their honeypot threat score is this value or higher.'
+ %]
+[% END -%]