Diffstat (limited to 'Bugzilla')
-rw-r--r-- | Bugzilla/Auth/Verify.pm | 8 | ||||
-rw-r--r-- | Bugzilla/Token.pm | 1 | ||||
-rw-r--r-- | Bugzilla/User.pm | 6 | ||||
-rw-r--r-- | Bugzilla/Util.pm | 5 |
4 files changed, 15 insertions, 5 deletions
diff --git a/Bugzilla/Auth/Verify.pm b/Bugzilla/Auth/Verify.pm
index 52cebb5ea..deb5f4e95 100644
--- a/Bugzilla/Auth/Verify.pm
+++ b/Bugzilla/Auth/Verify.pm
@@ -77,6 +77,11 @@ sub create_or_update_user {
 || return { failure => AUTH_ERROR, error => 'auth_invalid_email', details => {addr => $username} };
+ # Usually we'd call validate_password, but external authentication
+ # systems might follow different standards than ours. So in this
+ # place here, we call trick_taint without checks.
+ trick_taint($password);
+
 # XXX Theoretically this could fail with an error, but the fix for
 # that is too involved to be done right now.
 my $user = Bugzilla::User->create({
@@ -111,9 +116,6 @@ sub create_or_update_user {
 validate_email_syntax($username) || return { failure => AUTH_ERROR, error => 'auth_invalid_email', details => {addr => $username} };
- # Username is more than likely tainted, but we only use it in a
- # placeholder, and we've already validated it, so it's safe.
- trick_taint($username);
 $dbh->do('UPDATE profiles SET login_name = ? WHERE userid = ?', undef, $username, $user->id);
 }
diff --git a/Bugzilla/Token.pm b/Bugzilla/Token.pm
index a0f6b0c8e..051514b01 100644
--- a/Bugzilla/Token.pm
+++ b/Bugzilla/Token.pm
@@ -59,7 +59,6 @@ sub issue_new_user_account_token {
 # an error because the user may have lost his email with the token inside.
 # But to prevent using this way to mailbomb an email address, make sure
 # the last request is at least 10 minutes old before sending a new email.
- trick_taint($login_name);
 my $pending_requests = $dbh->selectrow_array('SELECT COUNT(*)
diff --git a/Bugzilla/User.pm b/Bugzilla/User.pm
index 02f17b85d..33c8535f5 100644
--- a/Bugzilla/User.pm
+++ b/Bugzilla/User.pm
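Review bot: The `trick_taint($password)` added in create_or_update_user (Bugzilla/Auth/Verify.pm, hunk at -77) clears the taint flag on a value that, by its own comment, has had no check at all, so from that line on taint mode no longer guards any later use of `$password` in this sub. The hunk only shows the value heading into `Bugzilla::User->create`, and the sub continues outside the hunk, so other uses cannot be ruled out from here. I would untaint a dedicated copy that is handed only to `create`, e.g. `my $new_password = $password; trick_taint($new_password);`, and extend the comment to name the sinks the unchecked value is allowed to reach.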
@@ -1490,7 +1490,8 @@ sub is_available_username {
 sub login_to_id {
 my ($login, $throw_error) = @_;
 my $dbh = Bugzilla->dbh;
- # $login will only be used by the following SELECT statement, so it's safe.
+ # No need to validate $login -- it will be used by the following SELECT
+ # statement only, so it's safe to simply trick_taint.
 trick_taint($login);
 my $user_id = $dbh->selectrow_array("SELECT userid FROM profiles WHERE " . $dbh->sql_istrcmp('login_name', '?'),
@@ -1525,6 +1526,8 @@ sub validate_password {
 } elsif ((defined $matchpassword) && ($password ne $matchpassword)) {
 ThrowUserError('passwords_dont_match');
 }
+ # Having done these checks makes us consider the password untainted.
+ trick_taint($_[0]);
 return 1;
 }
@@ -1966,6 +1969,7 @@ we return an empty string.
 Returns true if a password is valid (i.e. meets Bugzilla's requirements for length and content), else returns false.
+Untaints C<$passwd1> if successful.
 If a second password is passed in, this function also verifies that the two passwords match.
diff --git a/Bugzilla/Util.pm b/Bugzilla/Util.pm
index d346d2547..4a87ff042 100644
--- a/Bugzilla/Util.pm
+++ b/Bugzilla/Util.pm
@@ -456,6 +456,10 @@ sub validate_email_syntax {
 my ($addr) = @_;
 my $match = Bugzilla->params->{'emailregexp'};
 my $ret = ($addr =~ /$match/ && $addr !~ /[\\\(\)<>&,;:"\[\] \t\r\n]/);
+ if ($ret) {
+ # We assume these checks to suffice to consider the address untainted.
+ trick_taint($_[0]);
+ }
 return $ret ? 1 : 0;
 }
@@ -893,6 +897,7 @@ and tokens.
 Do a syntax checking for a legal email address and returns 1 if the check is successful, else returns 0.
+Untaints C<$email> if successful.
 =item C<validate_date($date)> |
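Review bot: `trick_taint($_[0])` in validate_password (Bugzilla/User.pm, hunk at -1525) untaints the caller's scalar through the `@_` alias, which is easy to miss because the visible checks all work on the `$password` copy. A caller that passes a copy or an expression instead of the variable itself keeps a tainted value and gets no error, so the new POD sentence holds only for direct calls. I would say so at the call, e.g. `# $_[0] is the caller's own scalar (@_ aliasing); $password above is only a copy.` The start of the sub, including the checks the comment refers to, is outside the hunk.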
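Review bot: The untaint added to validate_email_syntax (Bugzilla/Util.pm, hunk at -456) is only as strong as the site-configured `emailregexp` parameter plus the character blacklist on the `$ret` line, and that blacklist does not reject single quotes, backticks, `|`, `$` or `*`. An accepted address is fine in a SQL placeholder but not in a shell command or a file name, and after this change taint mode will no longer stop such a use. The `trick_taint($username)` removed in Bugzilla/Auth/Verify.pm (hunk at -111) now relies on this function, and the removal in Bugzilla/Token.pm presumably does too, though its caller is not visible here. I would narrow the comment to `# Untainted for use in SQL placeholders only; the filter above does not make $addr shell-safe.` or tighten the character class before untainting.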