summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorFrédéric Buclin <LpSolit@gmail.com>2011-12-28 23:15:49 +0100
committerFrédéric Buclin <LpSolit@gmail.com>2011-12-28 23:15:49 +0100
commitd95d2ff05f816c4023fdaa6db14819f86d3044bf (patch)
tree3bea800fbb0c26515eb576778d2f2875e61b8d77
parent6f323ff54643622bcd31f6b7577ab1a23d16f590 (diff)
downloadbugzilla-d95d2ff05f816c4023fdaa6db14819f86d3044bf.tar.gz
bugzilla-d95d2ff05f816c4023fdaa6db14819f86d3044bf.tar.xz
Bug 711714: (CVE-2011-3667) [SECURITY] The User.offer_account_by_email WebService method lets you create new user accounts independently of the value of Bugzilla::Auth::Verify::*::user_can_create_account
r=dkl a=LpSolit
-rw-r--r--Bugzilla/User.pm37
-rw-r--r--Bugzilla/WebService/Constants.pm1
-rw-r--r--Bugzilla/WebService/User.pm26
-rwxr-xr-xcreateaccount.cgi31
-rwxr-xr-xtoken.cgi2
5 files changed, 51 insertions, 46 deletions
diff --git a/Bugzilla/User.pm b/Bugzilla/User.pm
index 8455e64c1..008322b17 100644
--- a/Bugzilla/User.pm
+++ b/Bugzilla/User.pm
@@ -1983,6 +1983,32 @@ sub is_available_username {
return 1;
}
+sub check_account_creation_enabled {
+ my $self = shift;
+
+ # If we're using e.g. LDAP for login, then we can't create a new account.
+ $self->authorizer->user_can_create_account
+ || ThrowUserError('auth_cant_create_account');
+
+ Bugzilla->params->{'createemailregexp'}
+ || ThrowUserError('account_creation_disabled');
+}
+
+sub check_and_send_account_creation_confirmation {
+ my ($self, $login) = @_;
+
+ $login = $self->check_login_name_for_creation($login);
+ my $creation_regexp = Bugzilla->params->{'createemailregexp'};
+
+ if ($login !~ /$creation_regexp/i) {
+ ThrowUserError('account_creation_restricted');
+ }
+
+ # Create and send a token for this new account.
+ require Bugzilla::Token;
+ Bugzilla::Token::issue_new_user_account_token($login);
+}
+
# This is used in a few performance-critical areas where we don't want to
# do check() and pull all the user data from the database.
sub login_to_id {
@@ -2539,6 +2565,17 @@ Params: login_name - B<Required> The login name for the new user.
Takes a username as its only argument. Throws an error if there is no
user with that username. Returns a C<Bugzilla::User> object.
+=item C<check_account_creation_enabled>
+
+Checks that users can create new user accounts, and throws an error
+if user creation is disabled.
+
+=item C<check_and_send_account_creation_confirmation($login)>
+
+If the user request for a new account passes validation checks, an email
+is sent to this user for confirmation. Otherwise an error is thrown
+indicating why the request has been rejected.
+
=item C<is_available_username>
Returns a boolean indicating whether or not the supplied username is
diff --git a/Bugzilla/WebService/Constants.pm b/Bugzilla/WebService/Constants.pm
index 123b14d68..ab3111eed 100644
--- a/Bugzilla/WebService/Constants.pm
+++ b/Bugzilla/WebService/Constants.pm
@@ -130,6 +130,7 @@ use constant WS_ERROR_CODE => {
# User errors are 500-600.
account_exists => 500,
illegal_email_address => 501,
+ auth_cant_create_account => 501,
account_creation_disabled => 501,
account_creation_restricted => 501,
password_too_short => 502,
diff --git a/Bugzilla/WebService/User.pm b/Bugzilla/WebService/User.pm
index 2d9276cc3..f8704a947 100644
--- a/Bugzilla/WebService/User.pm
+++ b/Bugzilla/WebService/User.pm
@@ -28,7 +28,6 @@ use Bugzilla::Error;
use Bugzilla::Group;
use Bugzilla::User;
use Bugzilla::Util qw(trim);
-use Bugzilla::Token;
use Bugzilla::WebService::Util qw(filter validate);
# Don't need auth to login
@@ -91,19 +90,8 @@ sub offer_account_by_email {
my $email = trim($params->{email})
|| ThrowCodeError('param_required', { param => 'email' });
- my $createexp = Bugzilla->params->{'createemailregexp'};
- if (!$createexp) {
- ThrowUserError("account_creation_disabled");
- }
- elsif ($email !~ /$createexp/i) {
- ThrowUserError("account_creation_restricted");
- }
-
- $email = Bugzilla::User->check_login_name_for_creation($email);
-
- # Create and send a token for this new account.
- Bugzilla::Token::issue_new_user_account_token($email);
-
+ Bugzilla->user->check_account_creation_enabled;
+ Bugzilla->user->check_and_send_account_creation_confirmation($email);
return undef;
}
@@ -396,14 +384,14 @@ This is the recommended way to create a Bugzilla account.
=over
-=item 500 (Illegal Email Address)
+=item 500 (Account Already Exists)
-This Bugzilla does not allow you to create accounts with the format of
-email address you specified. Account creation may be entirely disabled.
+An account with that email address already exists in Bugzilla.
-=item 501 (Account Already Exists)
+=item 501 (Illegal Email Address)
-An account with that email address already exists in Bugzilla.
+This Bugzilla does not allow you to create accounts with the format of
+email address you specified. Account creation may be entirely disabled.
=back
diff --git a/createaccount.cgi b/createaccount.cgi
index 98c5c8318..acc63e891 100755
--- a/createaccount.cgi
+++ b/createaccount.cgi
@@ -31,35 +31,19 @@ use lib qw(. lib);
use Bugzilla;
use Bugzilla::Constants;
use Bugzilla::Error;
-use Bugzilla::User;
-use Bugzilla::BugMail;
-use Bugzilla::Util;
use Bugzilla::Token;
# Just in case someone already has an account, let them get the correct footer
# on an error message. The user is logged out just after the account is
# actually created.
-Bugzilla->login(LOGIN_OPTIONAL);
-
-my $dbh = Bugzilla->dbh;
+my $user = Bugzilla->login(LOGIN_OPTIONAL);
my $cgi = Bugzilla->cgi;
my $template = Bugzilla->template;
-my $vars = {};
-
-$vars->{'doc_section'} = 'myaccount.html';
+my $vars = { doc_section => 'myaccount.html' };
print $cgi->header();
-# If we're using LDAP for login, then we can't create a new account here.
-unless (Bugzilla->user->authorizer->user_can_create_account) {
- ThrowUserError("auth_cant_create_account");
-}
-
-my $createexp = Bugzilla->params->{'createemailregexp'};
-unless ($createexp) {
- ThrowUserError("account_creation_disabled");
-}
-
+$user->check_account_creation_enabled;
my $login = $cgi->param('login');
if (defined($login)) {
@@ -68,16 +52,9 @@ if (defined($login)) {
my $token = $cgi->param('token');
check_hash_token($token, ['create_account']);
- $login = Bugzilla::User->check_login_name_for_creation($login);
+ $user->check_and_send_account_creation_confirmation($login);
$vars->{'login'} = $login;
- if ($login !~ /$createexp/i) {
- ThrowUserError("account_creation_restricted");
- }
-
- # Create and send a token for this new account.
- Bugzilla::Token::issue_new_user_account_token($login);
-
$template->process("account/created.html.tmpl", $vars)
|| ThrowTemplateError($template->error());
exit;
diff --git a/token.cgi b/token.cgi
index 3522834aa..fa262e76a 100755
--- a/token.cgi
+++ b/token.cgi
@@ -352,6 +352,7 @@ sub cancelChangeEmail {
sub request_create_account {
my $token = shift;
+ Bugzilla->user->check_account_creation_enabled;
my (undef, $date, $login_name) = Bugzilla::Token::GetTokenData($token);
$vars->{'token'} = $token;
$vars->{'email'} = $login_name . Bugzilla->params->{'emailsuffix'};
@@ -365,6 +366,7 @@ sub request_create_account {
sub confirm_create_account {
my $token = shift;
+ Bugzilla->user->check_account_creation_enabled;
my (undef, undef, $login_name) = Bugzilla::Token::GetTokenData($token);
my $password = $cgi->param('passwd1') || '';