diff options
| author | Dave Lawrence <dlawrence@mozilla.com> | 2013-10-16 18:09:05 +0200 |
|---|---|---|
| committer | Dave Lawrence <dlawrence@mozilla.com> | 2013-10-16 18:09:05 +0200 |
| commit | 024a376986e7c178d82778bb21aaad2aef0b540f (patch) | |
| tree | 347237e8626bdb45aedab1c6c26cc15ffceb8fcf /Bugzilla | |
| parent | 19bfba90232bfc10adef745efe3ade50e7f3b3e4 (diff) | |
| download | bugzilla-024a376986e7c178d82778bb21aaad2aef0b540f.tar.gz bugzilla-024a376986e7c178d82778bb21aaad2aef0b540f.tar.xz | |
Bug 906745 - In MySQL, tokens are not case-sensitive, reducing total entropy and allowing easier brute force
r=LpSolit,a=glob
Diffstat (limited to 'Bugzilla')
| -rw-r--r-- | Bugzilla/Token.pm | 22 |
1 files changed, 17 insertions, 5 deletions
diff --git a/Bugzilla/Token.pm b/Bugzilla/Token.pm index d4224e33b..9ebf9c652 100644 --- a/Bugzilla/Token.pm +++ b/Bugzilla/Token.pm @@ -255,13 +255,18 @@ sub Cancel { # Get information about the token being canceled. trick_taint($token); - my ($issuedate, $tokentype, $eventdata, $userid) = - $dbh->selectrow_array('SELECT ' . $dbh->sql_date_format('issuedate') . ', + my ($db_token, $issuedate, $tokentype, $eventdata, $userid) = + $dbh->selectrow_array('SELECT token, ' . $dbh->sql_date_format('issuedate') . ', tokentype, eventdata, userid FROM tokens WHERE token = ?', undef, $token); + # Some DBs such as MySQL are case-insensitive by default so we do + # a quick comparison to make sure the tokens are indeed the same. + (defined $db_token && $db_token eq $token) + || ThrowCodeError("cancel_token_does_not_exist"); + # If we are canceling the creation of a new user account, then there # is no entry in the 'profiles' table. my $user = new Bugzilla::User($userid); @@ -326,10 +331,17 @@ sub GetTokenData { $token = clean_text($token); trick_taint($token); - return $dbh->selectrow_array( - "SELECT userid, " . $dbh->sql_date_format('issuedate') . ", eventdata, tokentype - FROM tokens + my @token_data = $dbh->selectrow_array( + "SELECT token, userid, " . $dbh->sql_date_format('issuedate') . ", eventdata, tokentype + FROM tokens WHERE token = ?", undef, $token); + + # Some DBs such as MySQL are case-insensitive by default so we do + # a quick comparison to make sure the tokens are indeed the same. + my $db_token = shift @token_data; + return undef if (!defined $db_token || $db_token ne $token); + + return @token_data; } # Deletes specified token |