From fd87911bb05e072c61628bd313579d06e95f2525 Mon Sep 17 00:00:00 2001 From: "lpsolit%gmail.com" <> Date: Mon, 5 May 2008 04:55:06 +0000 Subject: Bug 419188: [SECURITY] email_in.pl lets you set the changer as @reporter instead of only checking the "From" header - Patch by Frédéric Buclin r=mkanat a=LpSolit MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- email_in.pl | 10 ++++++++++ 1 file changed, 10 insertions(+) (limited to 'email_in.pl') diff --git a/email_in.pl b/email_in.pl index 864bdee7f..81637ebc4 100644 --- a/email_in.pl +++ b/email_in.pl @@ -106,6 +106,16 @@ sub parse_mail { if ($line =~ /^@(\S+)\s*=\s*(.*)\s*/) { $current_field = lc($1); + # It's illegal to pass the reporter field as you could + # override the "From:" field of the message and bypass + # authentication checks, such as PGP. + if ($current_field eq 'reporter') { + # We reset the $current_field variable to something + # post_bug and process_bug will ignore, in case the + # attacker splits the reporter field on several lines. + $current_field = 'illegal_field'; + next; + } $fields{$current_field} = $2; } else { -- cgit v1.2.3-24-g4f1b