From 2d792a108434d9ea59ebf75ae09fb69cbab6fb71 Mon Sep 17 00:00:00 2001
From: Frédéric Buclin <LpSolit@gmail.com>
Date: Wed, 28 Dec 2011 23:11:44 +0100
Subject: Bug 711714: (CVE-2011-3667) [SECURITY] The
 User.offer_account_by_email WebService method lets you create new user
 accounts independently of the value of
 Bugzilla::Auth::Verify::*::user_can_create_account r=glob a=LpSolit

---
 createaccount.cgi | 29 +++--------------------------
 1 file changed, 3 insertions(+), 26 deletions(-)

(limited to 'createaccount.cgi')

diff --git a/createaccount.cgi b/createaccount.cgi
index 09999865f..acc63e891 100755
--- a/createaccount.cgi
+++ b/createaccount.cgi
@@ -31,35 +31,19 @@ use lib qw(. lib);
 use Bugzilla;
 use Bugzilla::Constants;
 use Bugzilla::Error;
-use Bugzilla::User;
-use Bugzilla::BugMail;
-use Bugzilla::Util;
 use Bugzilla::Token;
 
 # Just in case someone already has an account, let them get the correct footer
 # on an error message. The user is logged out just after the account is
 # actually created.
 my $user = Bugzilla->login(LOGIN_OPTIONAL);
-
-my $dbh = Bugzilla->dbh;
 my $cgi = Bugzilla->cgi;
 my $template = Bugzilla->template;
-my $vars = {};
-
-$vars->{'doc_section'} = 'myaccount.html';
+my $vars = { doc_section => 'myaccount.html' };
 
 print $cgi->header();
 
-# If we're using LDAP for login, then we can't create a new account here.
-unless ($user->authorizer->user_can_create_account) {
-    ThrowUserError("auth_cant_create_account");
-}
-
-my $createexp = Bugzilla->params->{'createemailregexp'};
-unless ($createexp) {
-    ThrowUserError("account_creation_disabled");
-}
-
+$user->check_account_creation_enabled;
 my $login = $cgi->param('login');
 
 if (defined($login)) {
@@ -68,16 +52,9 @@ if (defined($login)) {
     my $token = $cgi->param('token');
     check_hash_token($token, ['create_account']);
 
-    $login = Bugzilla::User->check_login_name_for_creation($login);
+    $user->check_and_send_account_creation_confirmation($login);
     $vars->{'login'} = $login;
 
-    if ($login !~ /$createexp/i) {
-        ThrowUserError("account_creation_restricted");
-    }
-
-    # Create and send a token for this new account.
-    Bugzilla::Token::issue_new_user_account_token($login);
-
     $template->process("account/created.html.tmpl", $vars)
       || ThrowTemplateError($template->error());
     exit;
-- 
cgit v1.2.3-24-g4f1b