summaryrefslogtreecommitdiffstats
path: root/Bugzilla/Auth
diff options
context:
space:
mode:
authorwurblzap%gmail.com <>2006-10-21 03:52:24 +0200
committerwurblzap%gmail.com <>2006-10-21 03:52:24 +0200
commitea2d2a47281ac947297587c2619df190bf3c23c4 (patch)
tree61367f4bdb2fa5d419a0aedd29e675b5801c3d83 /Bugzilla/Auth
parentc2f38f17cfa3aad8a13ee6eb02944b52d9e79037 (diff)
downloadbugzilla-ea2d2a47281ac947297587c2619df190bf3c23c4.tar.gz
bugzilla-ea2d2a47281ac947297587c2619df190bf3c23c4.tar.xz
Bug 340538: Insecure dependency in exec while running with -T switch at /usr/lib/perl5/site_perl/5.8.6/Mail/Mailer/sendmail.pm line 16.
Patch by Marc Schumann <wurblzap@gmail.com>, r=LpSolit, a=myk
Diffstat (limited to 'Bugzilla/Auth')
-rw-r--r--Bugzilla/Auth/Verify.pm8
1 files changed, 5 insertions, 3 deletions
diff --git a/Bugzilla/Auth/Verify.pm b/Bugzilla/Auth/Verify.pm
index 52cebb5ea..deb5f4e95 100644
--- a/Bugzilla/Auth/Verify.pm
+++ b/Bugzilla/Auth/Verify.pm
@@ -77,6 +77,11 @@ sub create_or_update_user {
|| return { failure => AUTH_ERROR,
error => 'auth_invalid_email',
details => {addr => $username} };
+ # Usually we'd call validate_password, but external authentication
+ # systems might follow different standards than ours. So in this
+ # place here, we call trick_taint without checks.
+ trick_taint($password);
+
# XXX Theoretically this could fail with an error, but the fix for
# that is too involved to be done right now.
my $user = Bugzilla::User->create({
@@ -111,9 +116,6 @@ sub create_or_update_user {
validate_email_syntax($username)
|| return { failure => AUTH_ERROR, error => 'auth_invalid_email',
details => {addr => $username} };
- # Username is more than likely tainted, but we only use it in a
- # placeholder, and we've already validated it, so it's safe.
- trick_taint($username);
$dbh->do('UPDATE profiles SET login_name = ? WHERE userid = ?',
undef, $username, $user->id);
}