From 2ea4b3d38e8a012f61d20e6831daaf06493c3d95 Mon Sep 17 00:00:00 2001
From: Frédéric Buclin
Date: Wed, 4 Aug 2010 23:41:02 +0200
Subject: Bug 450013: (CVE-2010-2757) [SECURITY] Can sudo a user without sending email r=glob a=LpSolit
---
 relogin.cgi | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
(limited to 'relogin.cgi')
diff --git a/relogin.cgi b/relogin.cgi
index 7dcbde625..0e04b1bdc 100755
--- a/relogin.cgi
+++ b/relogin.cgi
@@ -147,12 +147,13 @@ elsif ($action eq 'begin-sudo') {
     $reason = substr($reason, $[, 200);
     # Calculate the session expiry time (T + 6 hours)
-    my $time_string = time2str('%a, %d-%b-%Y %T %Z', time+(6*60*60), 'GMT');
+    my $time_string = time2str('%a, %d-%b-%Y %T %Z', time + MAX_SUDO_TOKEN_AGE, 'GMT');
     # For future sessions, store the unique ID of the target user
+    my $token = Bugzilla::Token::_create_token($user->id, 'sudo', $target_user->id);
     $cgi->send_cookie('-name' => 'sudo', '-expires' => $time_string,
-                      '-value' => $target_user->id
+                      '-value' => $token
     );
     # For the present, change the values of Bugzilla::user & Bugzilla::sudoer
@@ -173,6 +174,7 @@ elsif ($action eq 'begin-sudo') {
 # end-sudo: End the current sudo session (if one is in progress)
 elsif ($action eq 'end-sudo') {
     # Regardless of our state, delete the sudo cookie if it exists
+    my $token = $cgi->cookie('sudo');
     $cgi->remove_cookie('sudo');
     # Are we in an sudo session?
@@ -181,6 +183,8 @@ elsif ($action eq 'end-sudo') {
     if (defined($sudoer)) {
         Bugzilla->sudo_request($sudoer, undef);
     }
+    # Now that the session is over, remove the token from the DB.
+    delete_token($token);
     # NOTE: If you want to log the end of an sudo session, so it here.
--
cgit v1.2.3-24-g4f1b
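Review bot: The comment directly above the new `_create_token` line still says the cookie stores "the unique ID of the target user", but after this change the cookie carries an opaque token that is resolved to that ID server-side, so the comment now describes the vulnerable behaviour the commit removes; change it to `# For future sessions, store a sudo token that resolves to the target user (never the raw user ID)`. Calling the underscore-prefixed `Bugzilla::Token::_create_token` from a CGI script reaches past the Token module's public interface; a public wrapper such as `issue_sudo_token($user, $target_user)` would keep the token layout and the `'sudo'` type name private to Bugzilla::Token. Note that the cookie's `-expires` computed from `MAX_SUDO_TOKEN_AGE` is advisory to the browser only; the server-side age check on the stored token presumably lives where the cookie is validated, which is outside this hunk. The `begin-sudo` branch continues past the end of the hunk.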
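Review bot: `delete_token($token)` is passed the raw `sudo` cookie value with no check that it names a sudo token or belongs to the session being ended, so a client can place any token value it knows into that cookie and have it deleted here, and when no cookie was sent `$token` is undef (harmless only if `delete_token` guards against undef itself, which this hunk does not show). Tie the deletion to the session that actually ended, at minimum `delete_token($token) if defined $token && defined $sudoer;`, and preferably delete only after a lookup confirms the stored row is of type `sudo` and issued to `$sudoer`. The `end-sudo` branch continues outside the hunk, so any such lookup helper would need to be imported alongside `delete_token`.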