From 75b2accb3ad0c02aff7d1c5925456040abb130a8 Mon Sep 17 00:00:00 2001
From: Byron Jones <glob@mozilla.com>
Date: Thu, 4 Aug 2011 22:44:48 +0200
Subject: Bug 670868: (CVE-2011-2978) [SECURITY] Account preferences page
 trusts user-modifiable field for obtaining current e-mail address r/a=LpSolit

---
 userprefs.cgi | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'userprefs.cgi')

diff --git a/userprefs.cgi b/userprefs.cgi
index 009361324..f411326a2 100755
--- a/userprefs.cgi
+++ b/userprefs.cgi
@@ -85,7 +85,7 @@ sub SaveAccount {
     my $pwd1 = $cgi->param('new_password1');
     my $pwd2 = $cgi->param('new_password2');
 
-    my $old_login_name = $cgi->param('old_login');
+    my $old_login_name = $user->login;
     my $new_login_name = trim($cgi->param('new_login_name'));
 
     if ($user->authorizer->can_change_password
-- 
cgit v1.2.3-24-g4f1b