summaryrefslogtreecommitdiffstats
path: root/Bugzilla
diff options
context:
space:
mode:
authorFrédéric Buclin <LpSolit@gmail.com>2011-12-28 23:15:49 +0100
committerFrédéric Buclin <LpSolit@gmail.com>2011-12-28 23:15:49 +0100
commitd95d2ff05f816c4023fdaa6db14819f86d3044bf (patch)
tree3bea800fbb0c26515eb576778d2f2875e61b8d77 /Bugzilla
parent6f323ff54643622bcd31f6b7577ab1a23d16f590 (diff)
downloadbugzilla-d95d2ff05f816c4023fdaa6db14819f86d3044bf.tar.gz
bugzilla-d95d2ff05f816c4023fdaa6db14819f86d3044bf.tar.xz
Bug 711714: (CVE-2011-3667) [SECURITY] The User.offer_account_by_email WebService method lets you create new user accounts independently of the value of Bugzilla::Auth::Verify::*::user_can_create_account
r=dkl a=LpSolit
Diffstat (limited to 'Bugzilla')
-rw-r--r--Bugzilla/User.pm37
-rw-r--r--Bugzilla/WebService/Constants.pm1
-rw-r--r--Bugzilla/WebService/User.pm26
3 files changed, 45 insertions, 19 deletions
diff --git a/Bugzilla/User.pm b/Bugzilla/User.pm
index 8455e64c1..008322b17 100644
--- a/Bugzilla/User.pm
+++ b/Bugzilla/User.pm
@@ -1983,6 +1983,32 @@ sub is_available_username {
return 1;
}
+sub check_account_creation_enabled {
+ my $self = shift;
+
+ # If we're using e.g. LDAP for login, then we can't create a new account.
+ $self->authorizer->user_can_create_account
+ || ThrowUserError('auth_cant_create_account');
+
+ Bugzilla->params->{'createemailregexp'}
+ || ThrowUserError('account_creation_disabled');
+}
+
+sub check_and_send_account_creation_confirmation {
+ my ($self, $login) = @_;
+
+ $login = $self->check_login_name_for_creation($login);
+ my $creation_regexp = Bugzilla->params->{'createemailregexp'};
+
+ if ($login !~ /$creation_regexp/i) {
+ ThrowUserError('account_creation_restricted');
+ }
+
+ # Create and send a token for this new account.
+ require Bugzilla::Token;
+ Bugzilla::Token::issue_new_user_account_token($login);
+}
+
# This is used in a few performance-critical areas where we don't want to
# do check() and pull all the user data from the database.
sub login_to_id {
@@ -2539,6 +2565,17 @@ Params: login_name - B<Required> The login name for the new user.
Takes a username as its only argument. Throws an error if there is no
user with that username. Returns a C<Bugzilla::User> object.
+=item C<check_account_creation_enabled>
+
+Checks that users can create new user accounts, and throws an error
+if user creation is disabled.
+
+=item C<check_and_send_account_creation_confirmation($login)>
+
+If the user request for a new account passes validation checks, an email
+is sent to this user for confirmation. Otherwise an error is thrown
+indicating why the request has been rejected.
+
=item C<is_available_username>
Returns a boolean indicating whether or not the supplied username is
diff --git a/Bugzilla/WebService/Constants.pm b/Bugzilla/WebService/Constants.pm
index 123b14d68..ab3111eed 100644
--- a/Bugzilla/WebService/Constants.pm
+++ b/Bugzilla/WebService/Constants.pm
@@ -130,6 +130,7 @@ use constant WS_ERROR_CODE => {
# User errors are 500-600.
account_exists => 500,
illegal_email_address => 501,
+ auth_cant_create_account => 501,
account_creation_disabled => 501,
account_creation_restricted => 501,
password_too_short => 502,
diff --git a/Bugzilla/WebService/User.pm b/Bugzilla/WebService/User.pm
index 2d9276cc3..f8704a947 100644
--- a/Bugzilla/WebService/User.pm
+++ b/Bugzilla/WebService/User.pm
@@ -28,7 +28,6 @@ use Bugzilla::Error;
use Bugzilla::Group;
use Bugzilla::User;
use Bugzilla::Util qw(trim);
-use Bugzilla::Token;
use Bugzilla::WebService::Util qw(filter validate);
# Don't need auth to login
@@ -91,19 +90,8 @@ sub offer_account_by_email {
my $email = trim($params->{email})
|| ThrowCodeError('param_required', { param => 'email' });
- my $createexp = Bugzilla->params->{'createemailregexp'};
- if (!$createexp) {
- ThrowUserError("account_creation_disabled");
- }
- elsif ($email !~ /$createexp/i) {
- ThrowUserError("account_creation_restricted");
- }
-
- $email = Bugzilla::User->check_login_name_for_creation($email);
-
- # Create and send a token for this new account.
- Bugzilla::Token::issue_new_user_account_token($email);
-
+ Bugzilla->user->check_account_creation_enabled;
+ Bugzilla->user->check_and_send_account_creation_confirmation($email);
return undef;
}
@@ -396,14 +384,14 @@ This is the recommended way to create a Bugzilla account.
=over
-=item 500 (Illegal Email Address)
+=item 500 (Account Already Exists)
-This Bugzilla does not allow you to create accounts with the format of
-email address you specified. Account creation may be entirely disabled.
+An account with that email address already exists in Bugzilla.
-=item 501 (Account Already Exists)
+=item 501 (Illegal Email Address)
-An account with that email address already exists in Bugzilla.
+This Bugzilla does not allow you to create accounts with the format of
+email address you specified. Account creation may be entirely disabled.
=back