authorjustdave%bugzilla.org <>2004-10-25 16:12:21 +0200
committerjustdave%bugzilla.org <>2004-10-25 16:12:21 +0200
commitb121584e4a4c4dd1ca7ffd1d8cdf51b8a8551a07 (patch)
treed88153a539062fe3fa7ede87f89bd60ed000d533 /Bugzilla
parentfe879a3de04a808143d9601efd045d24e4346759 (diff)
Bug 250897: Enforce a 10 minute waiting period between password reset attempts to prevent the user getting mailbombed if the form is submitted multiple times.
Patch by Joel Peshkin <bugreport@peshkin.net> r=kiko, a=justdave
Diffstat (limited to 'Bugzilla')
-rw-r--r--Bugzilla/Token.pm16
1 files changed, 12 insertions, 4 deletions
diff --git a/Bugzilla/Token.pm b/Bugzilla/Token.pm
index d7d326ccc..55362d184 100644
--- a/Bugzilla/Token.pm
+++ b/Bugzilla/Token.pm
@@ -116,11 +116,19 @@ sub IssuePasswordToken {
# Retrieve the user's ID from the database.
my $quotedloginname = &::SqlQuote($loginname);
- &::SendSQL("SELECT userid FROM profiles WHERE login_name = $quotedloginname");
- my ($userid) = &::FetchSQLData();
+ &::SendSQL("SELECT profiles.userid, tokens.issuedate FROM profiles
+ LEFT JOIN tokens
+ ON tokens.userid = profiles.userid
+ AND tokens.tokentype = 'password'
+ AND tokens.issuedate > DATE_SUB(NOW(), INTERVAL 10 MINUTE)
+ WHERE login_name = $quotedloginname");
+ my ($userid, $toosoon) = &::FetchSQLData();
+
+ if ($toosoon) {
+ ThrowUserError('too_soon_for_new_token');
+ };
my $token_ts = time();
- my $issuedate = time2str("%Y-%m-%d %H:%M", $token_ts);
# Generate a unique token and insert it into the tokens table.
# We have to lock the tokens table before generating the token,
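Review bot: The 10-minute check on the new SELECT/`if ($toosoon)` lines runs before the tokens table is locked (the comment on the hunk's last line says the LOCK TABLES comes later, and the second hunk shows the matching UNLOCK TABLES after the INSERT), so two submissions arriving together can both read "no recent token" and both insert, which is exactly the double-mail the commit means to stop. The unlocked SELECT is fine as a cheap fast path, but the decision should be repeated once the lock is held, releasing the lock before throwing so a persistent connection is not left holding it. The exact form of the LOCK TABLES statement is outside the hunk, so I am assuming it covers `tokens` for writing; the re-check below touches only that table. Worth noting as well that `too_soon_for_new_token` is a user-visible response that tells an unauthenticated requester a reset was asked for within the last 10 minutes, which is a small information leak rather than a blocker.
```perl
    # … unchanged: LOCK TABLES and token generation …
    # Re-check under the lock: the earlier SELECT ran unlocked, so a
    # concurrent submission may have inserted a token since then.
    &::SendSQL("SELECT issuedate FROM tokens
                WHERE userid = $userid AND tokentype = 'password'
                  AND issuedate > DATE_SUB(NOW(), INTERVAL 10 MINUTE)");
    if (&::FetchSQLData()) {
        &::SendSQL("UNLOCK TABLES");
        ThrowUserError('too_soon_for_new_token');
    }
    # … unchanged: INSERT INTO tokens … UNLOCK TABLES …
```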
@@ -130,7 +138,7 @@ sub IssuePasswordToken {
my $quotedtoken = &::SqlQuote($token);
my $quotedipaddr = &::SqlQuote($::ENV{'REMOTE_ADDR'});
&::SendSQL("INSERT INTO tokens ( userid , issuedate , token , tokentype , eventdata )
- VALUES ( $userid , '$issuedate' , $quotedtoken , 'password' , $quotedipaddr )");
+ VALUES ( $userid , NOW() , $quotedtoken , 'password' , $quotedipaddr )");
&::SendSQL("UNLOCK TABLES");
# Mail the user the token along with instructions for using it.