summaryrefslogtreecommitdiffstats
path: root/Bugzilla
diff options
context:
space:
mode:
authorFrédéric Buclin <LpSolit@gmail.com>2015-09-06 12:41:31 +0200
committerFrédéric Buclin <LpSolit@gmail.com>2015-09-06 12:41:31 +0200
commit23807179790108fc2575d06df59dbaebf8ce0af8 (patch)
treeed9e1b383de7f72f1892c66552640240c431f5f2 /Bugzilla
parenta666b2a74f565a5ebb38f0ce0b400d04b1ea7ca4 (diff)
downloadbugzilla-23807179790108fc2575d06df59dbaebf8ce0af8.tar.gz
bugzilla-23807179790108fc2575d06df59dbaebf8ce0af8.tar.xz
Bug 1194987: Editing your email address and make it point to a non-existent email address makes Bugzilla stop working
r=gerv a=sgreen
Diffstat (limited to 'Bugzilla')
-rw-r--r--Bugzilla/Auth/Verify.pm9
-rw-r--r--Bugzilla/Mailer.pm15
-rw-r--r--Bugzilla/Token.pm52
-rw-r--r--Bugzilla/User.pm5
4 files changed, 46 insertions, 35 deletions
diff --git a/Bugzilla/Auth/Verify.pm b/Bugzilla/Auth/Verify.pm
index e44fb06ae..9dc83273b 100644
--- a/Bugzilla/Auth/Verify.pm
+++ b/Bugzilla/Auth/Verify.pm
@@ -106,21 +106,24 @@ sub create_or_update_user {
my $user = new Bugzilla::User($user_id);
- # Now that we have a valid User, we need to see if any data has to be
- # updated.
+ # Now that we have a valid User, we need to see if any data has to be updated.
+ my $changed = 0;
+
if ($username && lc($user->login) ne lc($username)) {
validate_email_syntax($username)
|| return { failure => AUTH_ERROR, error => 'auth_invalid_email',
details => {addr => $username} };
$user->set_login($username);
+ $changed = 1;
}
if ($real_name && $user->name ne $real_name) {
# $real_name is more than likely tainted, but we only use it
# in a placeholder and we never use it after this.
trick_taint($real_name);
$user->set_name($real_name);
+ $changed = 1;
}
- $user->update();
+ $user->update() if $changed;
return { user => $user };
}
diff --git a/Bugzilla/Mailer.pm b/Bugzilla/Mailer.pm
index 593a1067a..20175db15 100644
--- a/Bugzilla/Mailer.pm
+++ b/Bugzilla/Mailer.pm
@@ -260,17 +260,14 @@ sub build_thread_marker {
sub send_staged_mail {
my $dbh = Bugzilla->dbh;
- my @ids;
- my $emails
- = $dbh->selectall_arrayref("SELECT id, message FROM mail_staging");
- foreach my $row (@$emails) {
- MessageToMTA($row->[1]);
- push(@ids, $row->[0]);
- }
+ my $emails = $dbh->selectall_arrayref('SELECT id, message FROM mail_staging');
+ my $sth = $dbh->prepare('DELETE FROM mail_staging WHERE id = ?');
- if (@ids) {
- $dbh->do("DELETE FROM mail_staging WHERE " . $dbh->sql_in('id', \@ids));
+ foreach my $email (@$emails) {
+ my ($id, $message) = @$email;
+ MessageToMTA($message);
+ $sth->execute($id);
}
}
diff --git a/Bugzilla/Token.pm b/Bugzilla/Token.pm
index 67a201b53..be76be645 100644
--- a/Bugzilla/Token.pm
+++ b/Bugzilla/Token.pm
@@ -34,6 +34,8 @@ use parent qw(Exporter);
# 62 = 0-9, a-z, A-Z.
use constant TOKEN_LENGTH => 22;
+use constant SEND_NOW => 1;
+
################################################################################
# Public Functions
################################################################################
@@ -122,43 +124,49 @@ sub issue_new_user_account_token {
# who made the request, and so it is reasonable to send the email in the same
# language used to view the "Create a New Account" page (we cannot use their
# user prefs as the user has no account yet!).
- MessageToMTA($message);
+ MessageToMTA($message, SEND_NOW);
}
sub IssueEmailChangeToken {
- my ($user, $new_email) = @_;
- my $email_suffix = Bugzilla->params->{'emailsuffix'};
- my $old_email = $user->login;
-
- my ($token, $token_ts) = _create_token($user->id, 'emailold', $old_email . ":" . $new_email);
+ my $new_email = shift;
+ my $user = Bugzilla->user;
- my $newtoken = _create_token($user->id, 'emailnew', $old_email . ":" . $new_email);
+ my ($token, $token_ts) = _create_token($user->id, 'emailold', $user->login . ":$new_email");
+ my $newtoken = _create_token($user->id, 'emailnew', $user->login . ":$new_email");
# Mail the user the token along with instructions for using it.
my $template = Bugzilla->template_inner($user->setting('lang'));
my $vars = {};
- $vars->{'oldemailaddress'} = $old_email . $email_suffix;
- $vars->{'newemailaddress'} = $new_email . $email_suffix;
+ $vars->{'newemailaddress'} = $new_email . Bugzilla->params->{'emailsuffix'};
$vars->{'expiration_ts'} = ctime($token_ts + MAX_TOKEN_AGE * 86400);
- $vars->{'token'} = $token;
- $vars->{'emailaddress'} = $old_email . $email_suffix;
+
+ # First send an email to the new address. If this one doesn't exist,
+ # then the whole process must stop immediately. This means the email must
+ # be sent immediately and must not be stored in the queue.
+ $vars->{'token'} = $newtoken;
my $message;
- $template->process("account/email/change-old.txt.tmpl", $vars, \$message)
+ $template->process('account/email/change-new.txt.tmpl', $vars, \$message)
|| ThrowTemplateError($template->error());
- MessageToMTA($message);
+ MessageToMTA($message, SEND_NOW);
- $vars->{'token'} = $newtoken;
- $vars->{'emailaddress'} = $new_email . $email_suffix;
+ # If we come here, then the new address exists. We now email the current
+ # address, but we don't want to stop the process if it no longer exists,
+ # to give a chance to the user to confirm the email address change.
+ $vars->{'token'} = $token;
- $message = "";
- $template->process("account/email/change-new.txt.tmpl", $vars, \$message)
+ $message = '';
+ $template->process('account/email/change-old.txt.tmpl', $vars, \$message)
|| ThrowTemplateError($template->error());
- MessageToMTA($message);
+ eval { MessageToMTA($message, SEND_NOW); };
+
+ # Give the user a chance to cancel the process even if he never got
+ # the email above. The token is required.
+ return $token;
}
# Generates a random token, adds it to the tokens table, and sends it
@@ -543,17 +551,15 @@ Bugzilla::Token - Provides different routines to manage tokens.
Returns: Nothing. It throws an error if the same user made the same
request in the last few minutes.
-=item C<sub IssueEmailChangeToken($user, $new_email)>
+=item C<sub IssueEmailChangeToken($new_email)>
Description: Sends two distinct tokens per email to the old and new email
addresses to confirm the email address change for the given
user. These tokens remain valid for the next MAX_TOKEN_AGE days.
- Params: $user - User object of the user requesting a new
- email address.
- $new_email - The new email address of the user.
+ Params: $new_email - The new email address of the user.
- Returns: Nothing.
+ Returns: The token to cancel the request.
=item C<IssuePasswordToken($user)>
diff --git a/Bugzilla/User.pm b/Bugzilla/User.pm
index 01d5fdf4e..ca9b5aa28 100644
--- a/Bugzilla/User.pm
+++ b/Bugzilla/User.pm
@@ -2429,6 +2429,9 @@ sub check_account_creation_enabled {
sub check_and_send_account_creation_confirmation {
my ($self, $login) = @_;
+ my $dbh = Bugzilla->dbh;
+
+ $dbh->bz_start_transaction;
$login = $self->check_login_name($login);
my $creation_regexp = Bugzilla->params->{'createemailregexp'};
@@ -2443,6 +2446,8 @@ sub check_and_send_account_creation_confirmation {
# Create and send a token for this new account.
require Bugzilla::Token;
Bugzilla::Token::issue_new_user_account_token($login);
+
+ $dbh->bz_commit_transaction;
}
# This is used in a few performance-critical areas where we don't want to