From 3771585c730f31f36a5efa3bd6b053ddf66bb2ba Mon Sep 17 00:00:00 2001
From: Dave Lawrence <dlawrence@mozilla.com>
Date: Wed, 16 Oct 2013 12:05:10 -0400
Subject: Bug 906745 - In MySQL, tokens are not case-sensitive, reducing total
 entropy and allowing easier brute force r=LpSolit,a=glob

---
 token.cgi | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

(limited to 'token.cgi')

diff --git a/token.cgi b/token.cgi
index 20870159a..ae9800d72 100755
--- a/token.cgi
+++ b/token.cgi
@@ -67,9 +67,10 @@ if ($token) {
   trick_taint($token);
 
   # Make sure the token exists in the database.
-  my ($tokentype) = $dbh->selectrow_array('SELECT tokentype FROM tokens
-                                           WHERE token = ?', undef, $token);
-  $tokentype || ThrowUserError("token_does_not_exist");
+  my ($db_token, $tokentype) = $dbh->selectrow_array('SELECT token, tokentype FROM tokens
+                                                       WHERE token = ?', undef, $token);
+  (defined $db_token && $db_token eq $token && $tokentype)
+    || ThrowUserError("token_does_not_exist");
 
   # Make sure the token is the correct type for the action being taken.
   if ( grep($action eq $_ , qw(cfmpw cxlpw chgpw)) && $tokentype ne 'password' ) {
-- 
cgit v1.2.3-24-g4f1b