diff options
| author | Frédéric Buclin <LpSolit@gmail.com> | 2011-12-28 23:11:44 +0100 |
|---|---|---|
| committer | Frédéric Buclin <LpSolit@gmail.com> | 2011-12-28 23:11:44 +0100 |
| commit | 2d792a108434d9ea59ebf75ae09fb69cbab6fb71 (patch) | |
| tree | 3da27d1b0158d793d42cf87bb3fd479de558b525 /Bugzilla/User.pm | |
| parent | f8813fc6a94b4e8e6d5e77009458ed8cb5a856c7 (diff) | |
| download | bugzilla-2d792a108434d9ea59ebf75ae09fb69cbab6fb71.tar.gz bugzilla-2d792a108434d9ea59ebf75ae09fb69cbab6fb71.tar.xz | |
Bug 711714: (CVE-2011-3667) [SECURITY] The User.offer_account_by_email WebService method lets you create new user accounts independently of the value of Bugzilla::Auth::Verify::*::user_can_create_account
r=glob a=LpSolit
Diffstat (limited to 'Bugzilla/User.pm')
| -rw-r--r-- | Bugzilla/User.pm | 37 |
1 files changed, 37 insertions, 0 deletions
diff --git a/Bugzilla/User.pm b/Bugzilla/User.pm index ccb73cb66..5f430833b 100644 --- a/Bugzilla/User.pm +++ b/Bugzilla/User.pm @@ -1965,6 +1965,32 @@ sub is_available_username { return 1; } +sub check_account_creation_enabled { + my $self = shift; + + # If we're using e.g. LDAP for login, then we can't create a new account. + $self->authorizer->user_can_create_account + || ThrowUserError('auth_cant_create_account'); + + Bugzilla->params->{'createemailregexp'} + || ThrowUserError('account_creation_disabled'); +} + +sub check_and_send_account_creation_confirmation { + my ($self, $login) = @_; + + $login = $self->check_login_name_for_creation($login); + my $creation_regexp = Bugzilla->params->{'createemailregexp'}; + + if ($login !~ /$creation_regexp/i) { + ThrowUserError('account_creation_restricted'); + } + + # Create and send a token for this new account. + require Bugzilla::Token; + Bugzilla::Token::issue_new_user_account_token($login); +} + # This is used in a few performance-critical areas where we don't want to # do check() and pull all the user data from the database. sub login_to_id { @@ -2516,6 +2542,17 @@ Params: login_name - B<Required> The login name for the new user. Takes a username as its only argument. Throws an error if there is no user with that username. Returns a C<Bugzilla::User> object. +=item C<check_account_creation_enabled> + +Checks that users can create new user accounts, and throws an error +if user creation is disabled. + +=item C<check_and_send_account_creation_confirmation($login)> + +If the user request for a new account passes validation checks, an email +is sent to this user for confirmation. Otherwise an error is thrown +indicating why the request has been rejected. + =item C<is_available_username> Returns a boolean indicating whether or not the supplied username is |