authormkanat%bugzilla.org <>2007-09-19 06:28:30 +0200
committermkanat%bugzilla.org <>2007-09-19 06:28:30 +0200
commit052c5ebc181807287a6c9d972dbed7405cd00ef2 (patch)
treea7944233ad7765607e89a9273f7f2371d68d5f93
parent4b96e2efc66eb75b58f5da5ae5a48de0d712b68e (diff)
Bug 395632: [SECURITY] XML-RPC WebService Bugzilla::User::offer_account_by_email does not check createemailregexp
Patch By Max Kanat-Alexander <mkanat@bugzilla.org> r=LpSolit, r=Wurblzap, a=mkanat
-rwxr-xr-xBugzilla/WebService/Constants.pm2
-rwxr-xr-xBugzilla/WebService/User.pm8
2 files changed, 10 insertions, 0 deletions
diff --git a/Bugzilla/WebService/Constants.pm b/Bugzilla/WebService/Constants.pm
index 43e4c1c8e..139ec1b7b 100755
--- a/Bugzilla/WebService/Constants.pm
+++ b/Bugzilla/WebService/Constants.pm
@@ -83,6 +83,8 @@ use constant WS_ERROR_CODE => {
# User errors are 500-600.
account_exists => 500,
illegal_email_address => 501,
+ account_creation_disabled => 501,
+ account_creation_restricted => 501,
password_too_short => 502,
password_too_long => 503,
invalid_username => 504,
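Review bot: The two added keys `account_creation_disabled` and `account_creation_restricted` both map to 501, the code `illegal_email_address` already uses, so an XML-RPC client that branches on the fault code cannot tell a malformed address from a site-policy refusal. If the reuse is deliberate, a comment above the entries such as `# 501 is shared on purpose: all three mean the address cannot be used to create an account` would record that. Otherwise distinct codes in the 500-600 range would let clients and log reviewers separate policy rejections from input errors. The WS_ERROR_CODE hash begins and ends outside this hunk.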
diff --git a/Bugzilla/WebService/User.pm b/Bugzilla/WebService/User.pm
index db02ff75a..f839e2a9d 100755
--- a/Bugzilla/WebService/User.pm
+++ b/Bugzilla/WebService/User.pm
@@ -74,6 +74,14 @@ sub offer_account_by_email {
my $email = trim($params->{email})
|| ThrowCodeError('param_required', { param => 'email' });
+ my $createexp = Bugzilla->params->{'createemailregexp'};
+ if (!$createexp) {
+ ThrowUserError("account_creation_disabled");
+ }
+ elsif ($email !~ /$createexp/) {
+ ThrowUserError("account_creation_restricted");
+ }
+
$email = Bugzilla::User->check_login_name_for_creation($email);
# Create and send a token for this new account.
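Review bot: The `createemailregexp` match runs on the trimmed request value, but the account is then created from whatever `check_login_name_for_creation` returns, which is assigned back to `$email` and so may differ from the string that was checked. What that method changes is not visible here, but matching after it would tie the policy decision to the exact login that gets the token: keep the `!$createexp` branch where it is and place `ThrowUserError("account_creation_restricted") if $email !~ /$createexp/;` after the `check_login_name_for_creation` line. The bug title suggests this check already existed on another account-creation path and was missed for the web service. Moving both branches into one shared helper that every entry point calls would keep a future entry point from skipping it. The body of `offer_account_by_email` starts and ends outside the hunk.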