From ea2d2a47281ac947297587c2619df190bf3c23c4 Mon Sep 17 00:00:00 2001 From: "wurblzap%gmail.com" <> Date: Sat, 21 Oct 2006 01:52:24 +0000 Subject: Bug 340538: Insecure dependency in exec while running with -T switch at /usr/lib/perl5/site_perl/5.8.6/Mail/Mailer/sendmail.pm line 16. Patch by Marc Schumann , r=LpSolit, a=myk --- token.cgi | 40 ++++++++++++++++++++-------------------- 1 file changed, 20 insertions(+), 20 deletions(-) (limited to 'token.cgi') diff --git a/token.cgi b/token.cgi index 282d2fcbb..e45f49fba 100755 --- a/token.cgi +++ b/token.cgi @@ -64,9 +64,8 @@ if ($cgi->param('t')) { $::token = $cgi->param('t'); # Make sure the token contains only valid characters in the right amount. - # Validate password will throw an error if token is invalid + # validate_password will throw an error if token is invalid validate_password($::token); - trick_taint($::token); # Only used in placeholders Bugzilla::Token::CleanTokenTable(); @@ -102,8 +101,10 @@ if ($cgi->param('t')) { # If the user is requesting a password change, make sure they submitted # their login name and it exists in the database, and that the DB module is in # the list of allowed verification methods. +my $login_name; if ( $::action eq 'reqpw' ) { - defined $cgi->param('loginname') + $login_name = $cgi->param('loginname'); + defined $login_name || ThrowUserError("login_needed_for_password_change"); # check verification methods @@ -111,27 +112,25 @@ if ( $::action eq 'reqpw' ) { ThrowUserError("password_change_requests_not_allowed"); } - # Make sure the login name looks like an email address. - validate_email_syntax($cgi->param('loginname')) - || ThrowUserError('illegal_email_address', - {addr => $cgi->param('loginname')}); + validate_email_syntax($login_name) + || ThrowUserError('illegal_email_address', {addr => $login_name}); - my $loginname = $cgi->param('loginname'); - trick_taint($loginname); # Used only in a placeholder my ($user_id) = $dbh->selectrow_array('SELECT userid FROM profiles WHERE ' . $dbh->sql_istrcmp('login_name', '?'), - undef, $loginname); + undef, $login_name); $user_id || ThrowUserError("account_inexistent"); } # If the user is changing their password, make sure they submitted a new # password and that the new password is valid. +my $password; if ( $::action eq 'chgpw' ) { - defined $cgi->param('password') + $password = $cgi->param('password'); + defined $password && defined $cgi->param('matchpassword') || ThrowUserError("require_new_password"); - validate_password($cgi->param('password'), $cgi->param('matchpassword')); + validate_password($password, $cgi->param('matchpassword')); } ################################################################################ @@ -143,13 +142,13 @@ if ( $::action eq 'chgpw' ) { # that variable and runs the appropriate code. if ($::action eq 'reqpw') { - requestChangePassword(); + requestChangePassword($login_name); } elsif ($::action eq 'cfmpw') { confirmChangePassword(); } elsif ($::action eq 'cxlpw') { cancelChangePassword(); } elsif ($::action eq 'chgpw') { - changePassword(); + changePassword($password); } elsif ($::action eq 'cfmem') { confirmChangeEmail(); } elsif ($::action eq 'cxlem') { @@ -176,7 +175,8 @@ exit; ################################################################################ sub requestChangePassword { - Bugzilla::Token::IssuePasswordToken($cgi->param('loginname')); + my ($login_name) = @_; + Bugzilla::Token::IssuePasswordToken($login_name); $vars->{'message'} = "password_change_request"; @@ -203,11 +203,11 @@ sub cancelChangePassword { } sub changePassword { + my ($password) = @_; my $dbh = Bugzilla->dbh; # Create a crypted version of the new password - my $cryptedpassword = bz_crypt($cgi->param('password')); - trick_taint($cryptedpassword); # Used only in a placeholder + my $cryptedpassword = bz_crypt($password); # Get the user's ID from the tokens table. my ($userid) = $dbh->selectrow_array('SELECT userid FROM tokens @@ -369,13 +369,13 @@ sub request_create_account { sub confirm_create_account { my (undef, undef, $login_name) = Bugzilla::Token::GetTokenData($::token); - validate_password($cgi->param('passwd1') || '', - $cgi->param('passwd2') || ''); + my $password = $cgi->param('passwd1') || ''; + validate_password($password, $cgi->param('passwd2') || ''); my $otheruser = Bugzilla::User->create({ login_name => $login_name, realname => $cgi->param('realname'), - cryptpassword => $cgi->param('passwd1')}); + cryptpassword => $password}); # Now delete this token. delete_token($::token); -- cgit v1.2.3-24-g4f1b