authorwurblzap%gmail.com <>2006-10-21 03:52:24 +0200
committerwurblzap%gmail.com <>2006-10-21 03:52:24 +0200
commitea2d2a47281ac947297587c2619df190bf3c23c4 (patch)
tree61367f4bdb2fa5d419a0aedd29e675b5801c3d83 /Bugzilla
parentc2f38f17cfa3aad8a13ee6eb02944b52d9e79037 (diff)
Bug 340538: Insecure dependency in exec while running with -T switch at /usr/lib/perl5/site_perl/5.8.6/Mail/Mailer/sendmail.pm line 16.
Patch by Marc Schumann <wurblzap@gmail.com>, r=LpSolit, a=myk
Diffstat (limited to 'Bugzilla')
-rw-r--r--Bugzilla/Auth/Verify.pm8
-rw-r--r--Bugzilla/Token.pm1
-rw-r--r--Bugzilla/User.pm6
-rw-r--r--Bugzilla/Util.pm5
4 files changed, 15 insertions, 5 deletions
diff --git a/Bugzilla/Auth/Verify.pm b/Bugzilla/Auth/Verify.pm
index 52cebb5ea..deb5f4e95 100644
--- a/Bugzilla/Auth/Verify.pm
+++ b/Bugzilla/Auth/Verify.pm
@@ -77,6 +77,11 @@ sub create_or_update_user {
|| return { failure => AUTH_ERROR,
error => 'auth_invalid_email',
details => {addr => $username} };
+ # Usually we'd call validate_password, but external authentication
+ # systems might follow different standards than ours. So in this
+ # place here, we call trick_taint without checks.
+ trick_taint($password);
+
# XXX Theoretically this could fail with an error, but the fix for
# that is too involved to be done right now.
my $user = Bugzilla::User->create({
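Review bot: `trick_taint($password)` on L33 strips taint from a value that has had no validation at all, so from this point -T no longer guards any later use of `$password`, including an exec-style path like the one the commit title describes. The comment on L30-32 explains why validate_password is skipped but not where the untainted value is allowed to go; a line such as `# $password is untainted only for Bugzilla::User->create (placeholder/hash); never use it in a command or regex.` would record the contract this untaint depends on. If trick_taint refuses an undefined argument (its body is not on this page), an external backend that supplies no password would now die here rather than at a clearer spot, so a `defined` check or a note on that assumption is worth adding. create_or_update_user continues outside the hunk.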
@@ -111,9 +116,6 @@ sub create_or_update_user {
validate_email_syntax($username)
|| return { failure => AUTH_ERROR, error => 'auth_invalid_email',
details => {addr => $username} };
- # Username is more than likely tainted, but we only use it in a
- # placeholder, and we've already validated it, so it's safe.
- trick_taint($username);
$dbh->do('UPDATE profiles SET login_name = ? WHERE userid = ?',
undef, $username, $user->id);
}
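Review bot: Removing `trick_taint($username)` (L42-44) makes the placeholder on L45-46 depend on `validate_email_syntax($username)` at L39 untainting its argument through `$_[0]`, a side effect implemented in Bugzilla/Util.pm and invisible in this file. A reader here can no longer tell why `$username` is untainted; replacing the removed comment with `# validate_email_syntax() untaints $username on success.` keeps the reasoning local. The Token.pm hunk has the same implicit coupling, and there the validate_email_syntax call being relied on is not inside the hunk at all, so the dependency is presumed rather than shown.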
diff --git a/Bugzilla/Token.pm b/Bugzilla/Token.pm
index a0f6b0c8e..051514b01 100644
--- a/Bugzilla/Token.pm
+++ b/Bugzilla/Token.pm
@@ -59,7 +59,6 @@ sub issue_new_user_account_token {
# an error because the user may have lost his email with the token inside.
# But to prevent using this way to mailbomb an email address, make sure
# the last request is at least 10 minutes old before sending a new email.
- trick_taint($login_name);
my $pending_requests =
$dbh->selectrow_array('SELECT COUNT(*)
diff --git a/Bugzilla/User.pm b/Bugzilla/User.pm
index 02f17b85d..33c8535f5 100644
--- a/Bugzilla/User.pm
+++ b/Bugzilla/User.pm
@@ -1490,7 +1490,8 @@ sub is_available_username {
sub login_to_id {
my ($login, $throw_error) = @_;
my $dbh = Bugzilla->dbh;
- # $login will only be used by the following SELECT statement, so it's safe.
+ # No need to validate $login -- it will be used by the following SELECT
+ # statement only, so it's safe to simply trick_taint.
trick_taint($login);
my $user_id = $dbh->selectrow_array("SELECT userid FROM profiles WHERE " .
$dbh->sql_istrcmp('login_name', '?'),
@@ -1525,6 +1526,8 @@ sub validate_password {
} elsif ((defined $matchpassword) && ($password ne $matchpassword)) {
ThrowUserError('passwords_dont_match');
}
+ # Having done these checks makes us consider the password untainted.
+ trick_taint($_[0]);
return 1;
}
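Review bot: `trick_taint($_[0])` on L78 untaints the caller's variable through the `@_` alias, which only works when the caller passes a plain lvalue; a call such as `validate_password($cgi->param('pw'))` gets the checks but no untainting, and if trick_taint assigns back through its argument (not visible on this page) a string literal would hit a read-only value. Because the function unpacks named parameters above, the write to `$_[0]` is easy to miss and deserves a comment at L78, e.g. `# Writes back through the @_ alias so the caller's variable is untainted; pass a variable, not an expression.`, with the same caveat added to the POD line at L84. validate_email_syntax in the Util.pm hunk uses the identical pattern and would take the same comment. validate_password's body starts outside the hunk.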
@@ -1966,6 +1969,7 @@ we return an empty string.
Returns true if a password is valid (i.e. meets Bugzilla's
requirements for length and content), else returns false.
+Untaints C<$passwd1> if successful.
If a second password is passed in, this function also verifies that
the two passwords match.
diff --git a/Bugzilla/Util.pm b/Bugzilla/Util.pm
index d346d2547..4a87ff042 100644
--- a/Bugzilla/Util.pm
+++ b/Bugzilla/Util.pm
@@ -456,6 +456,10 @@ sub validate_email_syntax {
my ($addr) = @_;
my $match = Bugzilla->params->{'emailregexp'};
my $ret = ($addr =~ /$match/ && $addr !~ /[\\\(\)<>&,;:"\[\] \t\r\n]/);
+ if ($ret) {
+ # We assume these checks to suffice to consider the address untainted.
+ trick_taint($_[0]);
+ }
return $ret ? 1 : 0;
}
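Review bot: The untaint at L95-98 rests on two checks, and only the second, L94's character exclusion, is fixed in code: `$match` comes from the admin-configurable `emailregexp` parameter, so the guarantee is no stronger than whatever an administrator sets. That exclusion is a denylist of particular characters rather than an allowlist of what an address may contain, which is the weaker form for a value the commit title suggests reaches an exec call in Mail::Mailer. Consider stating this in the comment at L96, `# Untaint relies on the character exclusion above, not on emailregexp, which is admin-configurable.`, or switching to a capture-based allowlist so the untainted value is bounded regardless of configuration.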
@@ -893,6 +897,7 @@ and tokens.
Do a syntax checking for a legal email address and returns 1 if
the check is successful, else returns 0.
+Untaints C<$email> if successful.
=item C<validate_date($date)>