author | Frédéric Buclin <LpSolit@gmail.com> | 2011-12-28 23:15:49 +0100 |
---|---|---|
committer | Frédéric Buclin <LpSolit@gmail.com> | 2011-12-28 23:15:49 +0100 |
commit | d95d2ff05f816c4023fdaa6db14819f86d3044bf (patch) | |
tree | 3bea800fbb0c26515eb576778d2f2875e61b8d77 /token.cgi | |
parent | 6f323ff54643622bcd31f6b7577ab1a23d16f590 (diff) | |
Bug 711714: (CVE-2011-3667) [SECURITY] The User.offer_account_by_email WebService method lets you create new user accounts independently of the value of Bugzilla::Auth::Verify::*::user_can_create_account
r=dkl a=LpSolit
Diffstat (limited to 'token.cgi')
-rwxr-xr-x | token.cgi | 2 |
1 files changed, 2 insertions, 0 deletions
@@ -352,6 +352,7 @@ sub cancelChangeEmail {
 sub request_create_account {
 my $token = shift;
+ Bugzilla->user->check_account_creation_enabled;
 my (undef, $date, $login_name) = Bugzilla::Token::GetTokenData($token);
 $vars->{'token'} = $token;
 $vars->{'email'} = $login_name . Bugzilla->params->{'emailsuffix'};
@@ -365,6 +366,7 @@ sub request_create_account {
 sub confirm_create_account {
 my $token = shift;
+ Bugzilla->user->check_account_creation_enabled;
 my (undef, undef, $login_name) = Bugzilla::Token::GetTokenData($token);
 my $password = $cgi->param('passwd1') || ''; |
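Review bot: Both added calls to `Bugzilla->user->check_account_creation_enabled`, in `request_create_account` and again in `confirm_create_account`, discard the result, so the guard only holds if that method aborts the request itself when account creation is disabled. Its definition is not in this view (the diff is limited to token.cgi), so that behaviour should be confirmed against the method, and a test that presents a valid token with account creation turned off would pin it down. A short comment above each call would also record why the check is repeated when the token is used, e.g. `# Re-check here: the token may have been issued while account creation was allowed, or by a caller that skipped the check.` Both function bodies continue outside their hunks.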