authorbbaetz%acm.org <>2009-06-10 08:18:16 +0200
committerbbaetz%acm.org <>2009-06-10 08:18:16 +0200
commitd825a0d15037b32b2c7bb7d195ef905691a2edcd (patch)
treebe6c4675f943df8ebf2b71d37269ec26173cb45d
parent1666c5a708511e4f508b4e08f07185ff6770bbf6 (diff)
downloadbugzilla-d825a0d15037b32b2c7bb7d195ef905691a2edcd.tar.gz
bugzilla-d825a0d15037b32b2c7bb7d195ef905691a2edcd.tar.xz
Bug 496856 - Fix token.cgi transaction handling
-rwxr-xr-xtoken.cgi14
1 files changed, 9 insertions, 5 deletions
diff --git a/token.cgi b/token.cgi
index 535380042..cd4c508aa 100755
--- a/token.cgi
+++ b/token.cgi
@@ -274,12 +274,13 @@ sub changeEmail {
$dbh->do('DELETE FROM tokens WHERE token = ?', undef, $token);
$dbh->do(q{DELETE FROM tokens WHERE userid = ?
AND tokentype = 'emailnew'}, undef, $userid);
- $dbh->bz_commit_transaction();
# The email address has been changed, so we need to rederive the groups
my $user = new Bugzilla::User($userid);
$user->derive_regexp_groups;
+ $dbh->bz_commit_transaction();
+
# Return HTTP response headers.
print $cgi->header();
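Review bot: The commit at `$dbh->bz_commit_transaction();` is now placed after `$user->derive_regexp_groups;`, so a die inside the group rederivation leaves the two token DELETEs uncommitted in an open transaction, and nothing in the hunk rolls back or says what then happens to it. If Bugzilla's error path already rolls back an open transaction (not visible here), a comment on the moved line would make the ordering self-explanatory: `# Commit only once the groups are rederived, so a failure there leaves the token rows untouched.` Otherwise the rederivation needs an eval with `$dbh->bz_rollback_transaction()` on the failure branch before the error is rethrown. The matching `bz_begin_transaction` for changeEmail lies before the hunk.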
@@ -295,6 +296,8 @@ sub cancelChangeEmail {
my $token = shift;
my $dbh = Bugzilla->dbh;
+ $dbh->bz_begin_transaction();
+
# Get the user's ID from the tokens table.
my ($userid, $tokentype, $eventdata) = $dbh->selectrow_array(
q{SELECT userid, tokentype, eventdata FROM tokens
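Review bot: `$dbh->bz_begin_transaction();` opens the transaction before the token lookup, but the lookup's failure exits (the token-missing and wrong-type checks that follow this hunk) are not shown to commit or roll back, so they rely on whatever the error handler does with an open transaction. A one-line comment on the added line would record the intended scope: `# Lookup, profile restore and token cleanup run as one transaction; early exits below must not commit.` Also, the SELECT on the following lines only reads the token row, so two concurrent requests carrying the same token can both pass the lookup before either deletes it; whether the backend's isolation level prevents that is not visible here, and a `FOR UPDATE` on the lookup where the backend supports it would close the window. cancelChangeEmail's body continues outside the hunk.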
@@ -310,16 +313,15 @@ sub cancelChangeEmail {
# check to see if it has been altered
if($actualemail ne $old_email) {
+ # XXX - This is NOT safe - if A has change to B, another profile
+ # could have grabbed A's username in the meantime.
+ # The DB constraint will catch this, though
$dbh->do(q{UPDATE profiles
SET login_name = ?
WHERE userid = ?},
undef, ($old_email, $userid));
# email has changed, so rederive groups
- # Note that this is done _after_ the tables are unlocked
- # This is sort of a race condition (given the lack of transactions)
- # but the user had access to it just now, so it's not a security
- # issue
my $user = new Bugzilla::User($userid);
$user->derive_regexp_groups;
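Review bot: The added XXX comment says the DB constraint will catch a login that was taken in the meantime, but a constraint violation now fires inside the transaction opened earlier in cancelChangeEmail, and the hunk shows neither a rollback nor a user-facing error for that case; an explicit check for an existing profile with `login_name = $old_email` followed by a user error would fail cleanly instead of surfacing a database error. The comment also has a typo (`has change to`); suggested wording: `# XXX - Not fully safe: if A changed to B, another profile may have taken login A since; the constraint makes the UPDATE fail, and the transaction must then be rolled back.` Separately, the token cleanup this transaction covers in the next hunk, `AND tokentype = 'emailold' OR tokentype = 'emailnew'`, has no parentheses around the OR, so as printed it deletes every user's emailnew tokens rather than only this user's; `AND (tokentype = 'emailold' OR tokentype = 'emailnew')` restricts it to `$userid`.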
@@ -339,6 +341,8 @@ sub cancelChangeEmail {
AND tokentype = 'emailold' OR tokentype = 'emailnew'},
undef, $userid);
+ $dbh->bz_commit_transaction();
+
# Return HTTP response headers.
print $cgi->header();