summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorReed Loden <reed@reedloden.com>2011-12-13 23:26:45 +0100
committerReed Loden <reed@reedloden.com>2011-12-13 23:26:45 +0100
commitcc86e1bc247787a6dd28f4604b93e08415ecd4fb (patch)
tree7608f271062b3bb1d6696983e46031b8ad2a1d18
parent49445ac5eb1b8f0b44f29942e2ea1e941dff4807 (diff)
downloadbugzilla-cc86e1bc247787a6dd28f4604b93e08415ecd4fb.tar.gz
bugzilla-cc86e1bc247787a6dd28f4604b93e08415ecd4fb.tar.xz
Bug 705474 - CSRF vulnerability in createaccount.cgi allows possible unauthorized account creation e-mail request
[r=mkanat a=mkanat]
-rw-r--r--Bugzilla/Token.pm9
-rwxr-xr-xcreateaccount.cgi5
-rw-r--r--template/en/default/account/create.html.tmpl1
3 files changed, 13 insertions, 2 deletions
diff --git a/Bugzilla/Token.pm b/Bugzilla/Token.pm
index 36b3b070f..a85dcc1f4 100644
--- a/Bugzilla/Token.pm
+++ b/Bugzilla/Token.pm
@@ -176,9 +176,14 @@ sub issue_hash_token {
$data ||= [];
$time ||= time();
+ # For the user ID, use the actual ID if the user is logged in.
+ # Otherwise, use the remote IP, in case this is for something
+ # such as creating an account or logging in.
+ my $user_id = Bugzilla->user->id || remote_ip();
+
# The concatenated string is of the form
- # token creation time + site-wide secret + user ID + data
- my @args = ($time, Bugzilla->localconfig->{'site_wide_secret'}, Bugzilla->user->id, @$data);
+ # token creation time + site-wide secret + user ID (either ID or remote IP) + data
+ my @args = ($time, Bugzilla->localconfig->{'site_wide_secret'}, $user_id, @$data);
my $token = join('*', @args);
# Wide characters cause md5_hex() to die.
diff --git a/createaccount.cgi b/createaccount.cgi
index d0437a021..90530b3c5 100755
--- a/createaccount.cgi
+++ b/createaccount.cgi
@@ -62,6 +62,11 @@ unless ($createexp) {
my $login = $cgi->param('login');
if (defined($login)) {
+ # Check the hash token to make sure this user actually submitted
+ # the create account form.
+ my $token = $cgi->param('token');
+ check_hash_token($token, ['create_account']);
+
$login = Bugzilla::User->check_login_name_for_creation($login);
$vars->{'login'} = $login;
diff --git a/template/en/default/account/create.html.tmpl b/template/en/default/account/create.html.tmpl
index bf273e459..a2a2e9fc6 100644
--- a/template/en/default/account/create.html.tmpl
+++ b/template/en/default/account/create.html.tmpl
@@ -71,6 +71,7 @@
</tr>
</table>
<br>
+ <input type="hidden" id="token" name="token" value="[% issue_hash_token(['create_account']) FILTER html %]">
<input type="submit" id="send" value="Send">
</form>