From 052c5ebc181807287a6c9d972dbed7405cd00ef2 Mon Sep 17 00:00:00 2001
From: "mkanat%bugzilla.org" <>
Date: Wed, 19 Sep 2007 04:28:30 +0000
Subject: Bug 395632: [SECURITY] XML-RPC WebService Bugzilla::User::offer_account_by_email does not check createemailregexp Patch By Max Kanat-Alexander r=LpSolit, r=Wurblzap, a=mkanat
---
 Bugzilla/WebService/Constants.pm | 2 ++
 Bugzilla/WebService/User.pm | 8 ++++++++
 2 files changed, 10 insertions(+)
(limited to 'Bugzilla/WebService')
diff --git a/Bugzilla/WebService/Constants.pm b/Bugzilla/WebService/Constants.pm
index 43e4c1c8e..139ec1b7b 100755
--- a/Bugzilla/WebService/Constants.pm
+++ b/Bugzilla/WebService/Constants.pm
@@ -83,6 +83,8 @@ use constant WS_ERROR_CODE => {
 # User errors are 500-600.
 account_exists => 500,
 illegal_email_address => 501,
+ account_creation_disabled => 501,
+ account_creation_restricted => 501,
 password_too_short => 502,
 password_too_long => 503,
 invalid_username => 504,
diff --git a/Bugzilla/WebService/User.pm b/Bugzilla/WebService/User.pm
index db02ff75a..f839e2a9d 100755
--- a/Bugzilla/WebService/User.pm
+++ b/Bugzilla/WebService/User.pm
@@ -74,6 +74,14 @@ sub offer_account_by_email {
 my $email = trim($params->{email}) || ThrowCodeError('param_required', { param => 'email' });
+ my $createexp = Bugzilla->params->{'createemailregexp'};
+ if (!$createexp) {
+ ThrowUserError("account_creation_disabled");
+ }
+ elsif ($email !~ /$createexp/) {
+ ThrowUserError("account_creation_restricted");
+ }
+
 $email = Bugzilla::User->check_login_name_for_creation($email);
 # Create and send a token for this new account.
-- 
cgit v1.2.3-24-g4f1b
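Review bot: Both keys added to WS_ERROR_CODE reuse 501, the code already assigned to `illegal_email_address`, so an XML-RPC client cannot tell a malformed address from a policy refusal by fault code alone. If the sharing is deliberate, say so next to the entries, for example `# 501 is shared on purpose: all three mean the address cannot be used to create an account.`; otherwise give the two new errors unused codes in the 500-600 range. The hash continues outside the hunk, so which codes above 504 are free cannot be judged from here.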
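Review bot: The added `$email !~ /$createexp/` test in offer_account_by_email runs on the trimmed request value, while the next context line replaces `$email` with whatever `check_login_name_for_creation` returns. If that helper normalises the address (its body is not visible here), the restriction is enforced on a different string than the one the token is issued for. Either repeat the match on the returned value or record why the order is intended, e.g. `# Policy is checked first so a refused caller gets the policy error, not account_exists.` The commit subject suggests this entry point missed a check that exists on another sign-up path, so moving the test into the shared account-creation routine would stop a future caller from skipping it. The sub's body continues outside the hunk.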