authorlpsolit%gmail.com <>2008-05-05 06:55:06 +0200
committerlpsolit%gmail.com <>2008-05-05 06:55:06 +0200
commitfd87911bb05e072c61628bd313579d06e95f2525 (patch)
tree6f9bcb5c8062866be3cdc01075c88e95a60fa57c
parent6d7d31d0eeec2b1a03a34fee709c7efabd4faab8 (diff)
Bug 419188: [SECURITY] email_in.pl lets you set the changer as @reporter instead of only checking the "From" header - Patch by Frédéric Buclin <LpSolit@gmail.com> r=mkanat a=LpSolit
-rw-r--r--email_in.pl10
1 files changed, 10 insertions, 0 deletions
diff --git a/email_in.pl b/email_in.pl
index 864bdee7f..81637ebc4 100644
--- a/email_in.pl
+++ b/email_in.pl
@@ -106,6 +106,16 @@ sub parse_mail {
if ($line =~ /^@(\S+)\s*=\s*(.*)\s*/) {
$current_field = lc($1);
+ # It's illegal to pass the reporter field as you could
+ # override the "From:" field of the message and bypass
+ # authentication checks, such as PGP.
+ if ($current_field eq 'reporter') {
+ # We reset the $current_field variable to something
+ # post_bug and process_bug will ignore, in case the
+ # attacker splits the reporter field on several lines.
+ $current_field = 'illegal_field';
+ next;
+ }
$fields{$current_field} = $2;
}
else {
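Review bot: The new `if ($current_field eq 'reporter')` branch drops the override silently and parks any continuation lines under the magic key `'illegal_field'`, so the fix holds only if every consumer of `%fields` ignores that key, as the added comment itself assumes. The `else` branch (its body, like the rest of parse_mail, lies outside this hunk) presumably appends to `$fields{$current_field}`, so it would be safer to drop the sentinel before the hash leaves parse_mail, e.g. `delete $fields{illegal_field};` after the loop, than to rely on post_bug and process_bug. An in-body attempt to replace the authenticated sender is also a useful spoofing signal, so consider recording it through the script's existing logging path before the `next`. More generally this is a one-entry denylist on a key captured by `\S+`; if any other body field can carry identity, an allowlist of accepted field names would be the sturdier check.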