Closed Bug 165221 Opened 22 years ago Closed 22 years ago

Apostrophes are not properly handled in e-mail addresses

Categories

(Bugzilla :: Email Notifications, defect, P1)

Product:
Bugzilla
Component:
Email Notifications
Version:
2.16
Platform:
x86
Linux
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
Bugzilla 2.16

People

(Reporter: toc, Assigned: preed)

References

Details

(Whiteboard: [SECURITY] [fixed in 2.16.1])

Attachments

(1 file, 5 obsolete files)

Checked in patch
1.79 KB, patch
Details | Diff | Splinter Review
My proper e-mail address is Tim_O'Connor@instantiations.com. RFC822 is perfectly happy to allow me to have that apostrophe in my e-mail address but SQL is not. So I attempted to work around SQL by doubling the apostrophe. All's well and my account is accepted. I do not, however, receive any e-mail. Why? Because there is no e-mail account Tim_O''Connor@instantiations.com. When taking an e-mail address from SQL Bugzilla should check for escaped characters (like the double apostrophe) and correct them. I did not, by the way, try escaping the apostrophe with a back-slash as that's not normal SQL.
JayPee - this is yours: sub ValidateNewUser { ... } SendSQL("SELECT eventdata FROM tokens WHERE tokentype = 'emailold' AND eventdata like '%:$username' OR eventdata like '$username:%'"); you cannot do that... What if the username had a : in it, anyway? Why is createaccount.cgi trick_tainting the given email addr? I don't think that this can cause problems, but its a BadIdea to have this reaching the db anyway...
Group: webtools-security?
Whiteboard: [SECURITY?] [want for 2.16.1]
Target Milestone: --- → Bugzilla 2.18
Yeah, this looks like a security bug to me. Accepting, and cc-ing the usual suspects. And as I told bbaetz in IRC: "I'm on it."
Severity: normal → critical
Status: NEW → ASSIGNED
Priority: -- → P1
Whiteboard: [SECURITY?] [want for 2.16.1] → [SECURITY] [want for 2.16.1]
Did some preliminary research on this: looks like it's a regression from bug 23067. ValidateNewUser was created to prevent registration of old email addresses that could be used to hijack an account or prevent the original user from reverting to their old address (I *think*). Fixing this is gonna be somewhat of a PITA (or rather, is going to involve more than just the quoting issue) because ':' is used as a delimiter in the token table. "Oops." More on this as it develops...
Attached patch Initial thinking on this (obsolete) — Splinter Review
Here's an initial version of the patch on this; untested, but I'll do that shortly. As bbaetz and I found out on IRC ":" is ok because CGI.pl:CheckEmailSyntax() refuses all addresses with ":" (and a bunch of other things, including ", [, and ], but NOT ', ironically).
Attached patch Take 2 (obsolete) — Splinter Review
That last patch was crap, but this is pure *gold*, I tells ya! Patched a 2.16-release installation and created an account with "'" in it; got the initial account email. Logged in. World rejoiced.
Attachment #97121 - Attachment is obsolete: true
Comment on attachment 97131 [details] [diff] [review] Take 2 globals.pl : the sqlunameOld and New variables don;t match their declarations (U vs u) May as well fix and attach a fresh patch
Attachment #97131 - Flags: review-
Attached patch Take 3: REALLY gold (obsolete) — Splinter Review
Stupid typos. That other one was fool's gold... *this* one is *real* gold.
Attachment #97131 - Attachment is obsolete: true
Comment on attachment 97134 [details] [diff] [review] Take 3: REALLY gold If the username contains a % sign, then because this uses LIKE, that will be included in the query. ditto for _
Attachment #97134 - Flags: review-
Attached patch Take 4? (obsolete) — Splinter Review
I have nothing witty to type this late at night. As bbaetz and I discussed on IRC, there are some real quoting issues with using SQL's like; % is valid in email, as is _. The methodology here is split the string into two using substrings, and check that way. bbaetz wondered out loud if this would impact perf because we're no longer using indices to help, but that field isn't indexed anyway, so...
Attachment #97134 - Attachment is obsolete: true
Attached patch Take 5 (obsolete) — Splinter Review
That's it... I'm not working on this anymore tonight... my stress headache is making me useless. Last patch had a missing ) and a couple of other mysql stupidities I forgot to correct.
Attachment #97137 - Attachment is obsolete: true
Comment on attachment 97141 [details] [diff] [review] Take 5 r=joel (Alternative to SUBSTRING(LOCATE())... SUBSTRING_INDEX(str,delim,count)
Attachment #97141 - Flags: review+
I'm not totally up to speed with this ... do I need to viciously slap JayPee with a copy of the developers' guide or is this a long-standing issue? And who reviewed it if the former?
I thought %% or \% or something was the a way of escaping wildcards in LIKE?
It wasn't JP; it was zeroj (I got confused) I thikn the problem was assuming that checking the email syntax was enough to trick taint it The % thing is separate to this bug, but it was easier to fix it at the same time than to keep it as it was. \% can be use, but then you have to escape the \ to, and.... SUBSTRING_INDEX is not db portable, I think (neither is LEFT or RIGHT) I'll review this later today, hopefully
Then zeroj needs to be told about this. And we still need to know who let it through.
Comment on attachment 97141 [details] [diff] [review] Take 5 The trick_taint was added for the fix for bug 136506, according to cvs, because perl 5.005 was showing taint errors (bug 136506 is probably why people with perl 5.6.1 didn't see it) Anyway, r=bbaetz if you add a comment explaining the fun function usage
Attachment #97141 - Flags: review+
I'll add some comments. So, bbaetz: does the trick_taint have to go back in for 5.005 support?
re: comment 15: This is a regression caused by bug 23067, the huge 'allow users to change their email addr' patch. It was written by zeroJ@null.net (John Vandenberg) (cc'ing him now) and r='ed (at various points in time) by gerv, myk, and justdave. justdave gave it the final 2xr= on 3/31/2002 (but it was given a previous r=myk and 2r=justdave) and checked it in on 4/1/2002: http://bonsai.mozilla.org/cvsquery.cgi?treeid=default&module=Bugzilla&branch=&branchtype=match&dir=&file=&filetype=match&who=justdave%25syndicomm.com&whotype=match&sortby=Date&hours=2&date=explicit&mindate=3%2F29%2F2002+23%3A00%3A00&maxdate=4%2F2%2F2002&cvsroot=%2Fcvsroot
Ok... read a bit more on bug 136506, and it looks like the problem was just with ValidateNewUser(), which calls SqlQuote() now, which de-taintifies things. Gonna check this in.
Checked in on the trunk... Checking in createaccount.cgi; /cvsroot/mozilla/webtools/bugzilla/createaccount.cgi,v <-- createaccount.cgi new revision: 1.25; previous revision: 1.24 done Checking in globals.pl; /cvsroot/mozilla/webtools/bugzilla/globals.pl,v <-- globals.pl new revision: 1.197; previous revision: 1.196 done ... and the 2.16 branch: Checking in createaccount.cgi; /cvsroot/mozilla/webtools/bugzilla/createaccount.cgi,v <-- createaccount.cgi new revision: 1.21.2.3; previous revision: 1.21.2.2 done Checking in globals.pl; /cvsroot/mozilla/webtools/bugzilla/globals.pl,v <-- globals.pl new revision: 1.169.2.10; previous revision: 1.169.2.9 done I'll wait for a verified before removing the security bit.
Status: ASSIGNED → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED
Attached patch Checked in patchSplinter Review
Patch that was actually checked in; it's just Take 5 + comments requested by bbeatz; adding now to make myk's life easier in patching bmo.
Attachment #97141 - Attachment is obsolete: true
Whiteboard: [SECURITY] [want for 2.16.1] → [SECURITY] [fixed in 2.16.1]
Removing security bit for publication in status report.
Group: webtools-security?
Readding security bit - 2.16 is not out yet.
Group: webtools-security?
Security announcement is posted. Removing the security bit.
Group: webtools-security?
*** Bug 183315 has been marked as a duplicate of this bug. ***
The patch also landed on the 2.16 branch -> TM 2.16.
Target Milestone: Bugzilla 2.18 → Bugzilla 2.16
As per comments in bug 415658, does this need to be reopened?
No, we don't need to reopen this one, we need to resolve bug 415658. :-) Gerv
QA Contact: matty_is_a_geek → default-qa
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: