path: root/token.cgi
| Age | Commit message | Author | Files | Lines |
|---|---|---|---|---|
| 2014-10-06 | merged with upstream 4.2 | David Lawrence | 1 | -1/+1 |
| 2014-10-06 | Bug 1075578: [SECURITY] Improper filtering of CGI arguments r=dkl,a=sgreen | Frédéric Buclin | 1 | -1/+1 |
| 2014-03-17 | Bug 983549: changes to the profiles table in token.cgi are not clearing memcached entries | Byron Jones | 1 | -0/+3 |
| 2013-10-16 | Bug 906745 - In MySQL, tokens are not case-sensitive, reducing total entropy and allowing easier brute force r=LpSolit,a=sgreen | Dave Lawrence | 1 | -1/+1 |
| 2013-10-16 | Bug 906745 - In MySQL, tokens are not case-sensitive, reducing total entropy and allowing easier brute force r=LpSolit,a=glob | Dave Lawrence | 1 | -3/+4 |
| 2012-08-06 | Bug 706271: CSRF vulnerability in token.cgi allows possible unauthorized password reset e-mail request r=reed a=LpSolit | Frédéric Buclin | 1 | -0/+5 |
| 2011-12-28 | Bug 711714: (CVE-2011-3667) [SECURITY] The User.offer_account_by_email WebService method lets you create new user accounts independently of the value of Bugzilla::Auth::Verify::*::user_can_create_account r=dkl a=LpSolit | Frédéric Buclin | 1 | -0/+2 |
| 2011-07-05 | Bug 658929 - User autocomplete is very slow when there are lots of users in the profiles table r/a=mkanat | David Lawrence | 1 | -1/+1 |
| 2010-05-20 | Bug 565879: Merge ThrowCodeError("action_unrecognized"), ThrowUserError("no_valid_action") and ThrowCodeError("unknown_action") r=ghendricks a=LpSolit | Frédéric Buclin | 1 | -5/+2 |
| 2009-10-09 | Bug 514913: Eliminate ssl="authenticated sessions" Patch by Max Kanat-Alexander <mkanat@bugzilla.org> r=dkl, a=mkanat | mkanat%bugzilla.org | 1 | -8/+0 |
| 2009-09-11 | Bug 508189: (CVE-2009-3166) [SECURITY] Logging in after changing your password would expose your new password in the URL Patch by Max Kanat-Alexander <mkanat@bugzilla.org> r=LpSolit, a=mkanat | mkanat%bugzilla.org | 1 | -0/+4 |
| 2009-08-11 | Bug 349336: Automatically log in the user when he chooses his password to create his new account - Patch by Frédéric Buclin <LpSolit@gmail.com> r/a=mkanat | lpsolit%gmail.com | 1 | -2/+6 |
| 2009-06-12 | 496856 - correct patch (original patch r/a=mkanat) | bbaetz%acm.org | 1 | -1/+1 |
| 2009-06-10 | Bug 496856 - Fix token.cgi transaction handling | bbaetz%acm.org | 1 | -5/+9 |
| 2009-01-08 | Bug 452519: Fix timezones in emails - Patch by Frédéric Buclin <LpSolit@gmail.com> r=wicked a=LpSolit | lpsolit%gmail.com | 1 | -1/+2 |
| 2008-09-20 | Bug 455814: token.cgi should reject password change requests for disabled accounts - Patch by Frédéric Buclin <LpSolit@gmail.com> r=ghendricks a=LpSolit | lpsolit%gmail.com | 1 | -0/+6 |
| 2008-09-19 | Bug 455815: Remove global variables from token.cgi - Patch by Frédéric Buclin <LpSolit@gmail.com> r/a=mkanat | lpsolit%gmail.com | 1 | -65/+70 |
| 2008-08-18 | Bug 428659 – Setting SSL param to 'authenticated sessions' only protects logins and param doesn't protect WebService calls at all Patch by David Lawrence <dkl@redhat.com> - r/a=LpSolit/mkanat | dkl%redhat.com | 1 | -2/+3 |
| 2008-07-29 | Backing out these patches as they cause a regression. More information in the respective bug reports. Bug 428659 – Setting SSL param to 'authenticated sessions' only protects logins and param doesn't protect WebService calls at all Patch by Dave Lawrence <dkl@redhat.com> - r/a=mkanat Bug 445104: ssl redirects come with a 200 OK HTTP code on mod_perl Patch By Max Kanat-Alexander <mkanat@bugzilla.org> r=dkl, a=mkanat | dkl%redhat.com | 1 | -3/+5 |
| 2008-07-10 | Bug 428659 – Setting SSL param to 'authenticated sessions' only protects logins and param doesn't protect WebService calls at all Patch by Dave Lawrence <dkl@redhat.com> - r/a=mkanat | dkl%redhat.com | 1 | -5/+3 |
| 2008-04-03 | Bug 405946: Some emails are not sent in the language chosen by the addressee - Patch by Frédéric Buclin <LpSolit@gmail.com> r=wurblzap a=LpSolit | lpsolit%gmail.com | 1 | -11/+7 |
| 2007-11-19 | Bug 403834: Replace table locks with database transactions in tokens, votes, and sanitycheck - Patch by Emmanuel Seyman <eseyman@linagora.com> r/a=mkanat | lpsolit%gmail.com | 1 | -8/+4 |
| 2007-10-19 | Bug 399954: Make Bugzilla able to hold its dependencies in a local directory Patch By Max Kanat-Alexander <mkanat@bugzilla.org> r=LpSolit, a=LpSolit | mkanat%bugzilla.org | 1 | -1/+1 |
| 2007-07-23 | Bug 238651 (a&b) Include the login name (in <code>) for "account_inexistent" error r=lpsolit a=lpsolit | timeless%mozdev.org | 1 | -1/+1 |
| 2007-07-10 | Bug 365472 rename 'token_inexistent' to 'token_does_not_exist' or something r=lpsolit a=lpsolit | timeless%mozdev.org | 1 | -1/+1 |
| 2007-03-11 | Bug 366466 - "flag notification mail has canceled spelled incorrectly" [p=reed r=timeless a=mkanat] | reed%reedloden.com | 1 | -5/+5 |
| 2006-10-21 | Bug 340538: Insecure dependency in exec while running with -T switch at /usr/lib/perl5/site_perl/5.8.6/Mail/Mailer/sendmail.pm line 16. Patch by Marc Schumann <wurblzap@gmail.com>, r=LpSolit, a=myk | wurblzap%gmail.com | 1 | -20/+20 |
| 2006-10-15 | Bug 281181: [SECURITY] It's way too easy to delete versions/components/milestones etc... - Patch by Frédéric Buclin <LpSolit@gmail.com> r=mkanat a=myk | lpsolit%gmail.com | 1 | -1/+1 |
| 2006-08-26 | Bug 349349: Use ->create from Bugzilla::Object instead of insert_new_user for Bugzilla::User Patch By Max Kanat-Alexander <mkanat@bugzilla.org> r=LpSolit, a=myk | mkanat%bugzilla.org | 1 | -25/+7 |
| 2006-08-20 | Bug 87795: Creating an account should send token and wait for confirmation (prevent user account abuse) - Patch by Frédéric Buclin <LpSolit@gmail.com> r=mkanat r=bkor a=myk | lpsolit%gmail.com | 1 | -0/+87 |
| 2006-07-06 | Bug 173629: Clean up "my" variable scoping issues for mod_perl Patch By Max Kanat-Alexander <mkanat@bugzilla.org> r=LpSolit, a=myk | mkanat%bugzilla.org | 1 | -3/+3 |
| 2006-06-21 | Bug 282121: Remove globals.pl from scripts that no longer use it - Patch by Frédéric Buclin <LpSolit@gmail.com> r=mkanat a=myk | lpsolit%gmail.com | 1 | -9/+3 |
| 2006-06-20 | Spelling in code comments patch: 'methids' -> 'methods'; patch by Vlad Dascalu <vladd@bugzilla.org>. | vladd%bugzilla.org | 1 | -1/+1 |
| 2006-05-12 | Bug 300410: Bugzilla::Auth needs to be restructured to not require a BEGIN block Patch By Max Kanat-Alexander <mkanat@bugzilla.org> r=LpSolit, a=myk | mkanat%bugzilla.org | 1 | -1/+1 |
| 2006-05-08 | Bug 332598: Move ValidatePassword() and DBNameToIdAndCheck() from globals.pl into User.pm - Patch by Frédéric Buclin <LpSolit@gmail.com> r=mkanat a=myk | lpsolit%gmail.com | 1 | -2/+2 |
| 2005-10-25 | Bug 312157: Remove $::template and $::vars from globals.pl - Patch by Olav Vitters <bugzilla-mozilla@bkor.dhs.org> r=LpSolit a=justdave | lpsolit%gmail.com | 1 | -4/+4 |
| 2005-10-24 | Bug 312307: Misused Throw*Error tags in code and templates - Patch by Dennis Melentyev <dennis.melentyev@infopulse.com.ua> r=LpSolit a=justdave | lpsolit%gmail.com | 1 | -4/+2 |
| 2005-10-12 | Bug 303697: Eliminate deprecated Bugzilla::DB routines from token.cgi - Patch by Teemu Mannermaa <wicked@etlicon.fi> r=LpSolit a=justdave | lpsolit%gmail.com | 1 | -40/+42 |
| 2005-08-19 | Bug 304583: Remove all remaining need to rederive inherited groups Patch by Joel Peshkin <bugreport@peshkin.net> r=mkanat, a=justdave | bugreport%peshkin.net | 1 | -2/+2 |
| 2005-08-16 | Bug 304653: remove 'use Bugzilla::Error' from Util.pm - Patch by Frédéric Buclin <LpSolit@gmail.com> r=mkanat a=myk | lpsolit%gmail.com | 1 | -3/+4 |
| 2005-08-10 | Bug 301508: Remove CGI.pl - Patch by Frédéric Buclin <LpSolit@gmail.com> r=mkanat,wicked a=justdave | lpsolit%gmail.com | 1 | -1/+1 |
| 2005-07-21 | Bug 301453: Move CheckEmailSyntax out of CGI.pl - Patch by Frédéric Buclin <LpSolit@gmail.com> r=mkanat a=myk | lpsolit%gmail.com | 1 | -1/+1 |
| 2005-07-13 | Bug 300336: Bugzilla::Auth should not contain any exported subroutines Patch By Max Kanat-Alexander <mkanat@bugzilla.org> r=LpSolit, a=justdave | mkanat%kerio.com | 1 | -1/+1 |
| 2005-07-08 | Bug 285695: [PostgreSQL] Username checks for login, etc. need to be case insensitive Patch By Max Kanat-Alexander <mkanat@bugzilla.org> r=LpSolit, a=justdave | mkanat%kerio.com | 1 | -1/+3 |
| 2005-02-18 | Bug 280503: Replace "LOCK/UNLOCK TABLES" with Bugzilla::DB function call Patch By Tomas Kopal <Tomas.Kopal@altap.cz> r=mkanat,a=myk | mkanat%kerio.com | 1 | -8/+13 |
| 2005-02-09 | Bug 280994 : Move ValidateNewUser out of globals.pl Patch by Max Kanat-Alexander <mkanat@kerio.com> r=vladd a=justdave | travis%sedsystems.ca | 1 | -1/+1 |
| 2005-02-01 | Bug 278792 : Move Crypt() to Bugzilla::Auth Patch by Max Kanat-Alexander <mkanat@kerio.com> r=vladd a=justdave | travis%sedsystems.ca | 1 | -1/+2 |
| 2004-07-21 | Bug 241900: Allow Bugzilla::Auth to have multiple login and validation styles patch by erik r=joel, kiko a=myk | bugreport%peshkin.net | 1 | -1/+8 |
| 2004-03-27 | Fix for bug 234175: Remove deprecated ConnectToDatabase() and quietly_check_login()/confirm_login() calls. Cleans up callsites (consisting of most of our CGIs), swapping (where appropriate) for calls to Bugzilla->login. Patch by Teemu Mannermaa <wicked@etlicon.fi>. r=bbaetz, kiko. a=justdave. | kiko%async.com.br | 1 | -3/+3 |
| 2004-03-27 | Fix for bug 226764: Move InvalidateLogins into Bugzilla::Auth::CGI. Consolidates the logout code into Bugzilla::Auth::CGI, and provides simple front-end wrappers in Bugzilla.pm for use in the CGIs we have. r=bbaetz, joel; a=justdave. Adds a set of constants to the logout() API which allow specifying "how much" we should log out -- all sessions, the current session, or all sessions but the current one. Fixes callsites to use this new API; cleans and documents things a bit while we're at it. Part I in the great COOKIE apocalypse. | kiko%async.com.br | 1 | -1/+1 |