authorFrédéric Buclin <LpSolit@gmail.com>2012-04-18 18:44:32 +0200
committerFrédéric Buclin <LpSolit@gmail.com>2012-04-18 18:44:32 +0200
commit8dd0e8193d51f243b547cc0f4f21f5b3a1375ff2 (patch)
treee8dc402cbcbb88315400aab3d5bc1287b111539e /Bugzilla/Config
parentb2d4b6c8ca356ae75f8e2e69dcb8f7c6e713b94b (diff)
Bug 728639: (CVE-2012-0465) [SECURITY] User lockout policy can be bypassed by altering the X-FORWARDED-FOR header
r=glob a=LpSolit
Diffstat (limited to 'Bugzilla/Config')
-rw-r--r--Bugzilla/Config/Advanced.pm3
-rw-r--r--Bugzilla/Config/Common.pm11
2 files changed, 12 insertions, 2 deletions
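--- a/Bugzilla/Config/Advanced.pm
+++ b/Bugzilla/Config/Advanced.pm
@@ -22,7 +22,8 @@ use constant get_param_list => (
 {
 name => 'inbound_proxies',
 type => 't',
- default => ''
+ default => '',
+ checker => \&check_ip
 },
 {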
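--- a/Bugzilla/Config/Common.pm
+++ b/Bugzilla/Config/Common.pm
@@ -23,7 +23,7 @@ use base qw(Exporter);
 qw(check_multi check_numeric check_regexp check_url check_group
 check_sslbase check_priority check_severity check_platform
 check_opsys check_shadowdb check_urlbase check_webdotbase
- check_user_verify_class
+ check_user_verify_class check_ip
 check_mail_delivery_method check_notification check_utf8
 check_bug_status check_smtp_auth check_theschwartz_available
 check_maxattachmentsize check_email check_smtp_ssl
@@ -104,6 +104,15 @@ sub check_sslbase {
 return "";
 }
+sub check_ip {
+ my $inbound_proxies = shift;
+ my @proxies = split(/[\s,]+/, $inbound_proxies);
+ foreach my $proxy (@proxies) {
+ validate_ip($proxy) || return "$proxy is not a valid IPv4 or IPv6 address";
+ }
+ return "";
+}
+
 sub check_utf8 {
 my $utf8 = shift;
 # You cannot turn off the UTF-8 parameter if you've already converted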
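Review bot: `split(/[\s,]+/, $inbound_proxies)` in check_ip keeps a leading empty field, so a value typed as ` 10.0.0.1` or `,10.0.0.1` hands `''` to validate_ip and the admin is shown ` is not a valid IPv4 or IPv6 address` with no offending token to act on; dropping empty entries, `my @proxies = grep { length } split(/[\s,]+/, $inbound_proxies);`, keeps the rejection precise. The sub also depends on validate_ip being in scope in Common.pm — presumably exported by a module imported above this hunk, which is not visible here. As a point of style, the flow-control `||` on the validate_ip line reads better as `validate_ip($proxy) or return "$proxy is not a valid IPv4 or IPv6 address";`. A one-line header would help the next maintainer: `# Checker for the inbound_proxies parameter: every whitespace- or comma-separated entry must be an IPv4 or IPv6 literal, since these are the only peers whose X-Forwarded-For is trusted.`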