Closed
Bug 123077
Opened 23 years ago
Closed 20 years ago
token.cgi password change accepted with blank second field
Categories
(Bugzilla :: User Accounts, defect, P2)
Tracking
()
RESOLVED
FIXED
Bugzilla 2.16
People
(Reporter: gm+bmo, Assigned: goobix)
References
Details
(Whiteboard: [fixed in 2.16.5] [fixed in 2.17.7])
Attachments
(2 files)
1.32 KB,
patch
|
kiko
:
review+
|
Details | Diff | Splinter Review |
1.69 KB,
patch
|
kiko
:
review+
|
Details | Diff | Splinter Review |
If a user goes to change his/her password and leaves the second password field blank, Bugzilla will change the user's password to the contents of the first field. Reccomend changing line 838 of globals.pl (ValidatePassword function) from elsif ( $matchpassword && ...) to elsif ( defined($matchpassword) && ...)
Updated•22 years ago
|
Severity: trivial → normal
Priority: -- → P2
Target Milestone: --- → Bugzilla 2.18
Comment 1•22 years ago
|
||
Zippy's QA just duplicated this....
Comment 2•21 years ago
|
||
*** Bug 210967 has been marked as a duplicate of this bug. ***
Comment 3•21 years ago
|
||
Vladd, this one may interest you :)
Assignee | ||
Comment 5•21 years ago
|
||
I can't reproduce this on landfill, marking fixed. There are 2 interfaces for ValidatePassword in globals.pl, with one and respectively 2 params. The sub works right now okay in both modes, but if we add the change proposed in item0, it will fail for calls that use only one param (you can grep the source with grep -R "ValidatePassword" * in order to see the interfaces and their utilization). In userprefs.cgi we have: ($pwd1 eq $pwd2) || ThrowUserError("passwords_dont_match"); $::FORM{'new_password1'} || ThrowUserError("new_password_missing"); ValidatePassword($pwd1); which assures that we check for non-empty password on the 2nd password field. Suggesting WORKS FOR ME or something similar.
Assignee | ||
Comment 6•21 years ago
|
||
(not marking fixed after all, leaving that to someone else who can confirm what I said)
Comment 7•21 years ago
|
||
> The sub works right now okay in both modes, but if we add the change proposed in > item0, it will fail for calls that use only one param (you can grep the source > with grep -R "ValidatePassword" * in order to see the interfaces and their > utilization). Hmm, I don't see how checking for defined would break calls that only use one argument. It's practically what happens today -- when it's undefined it will evaluate as false -- except that when the password *is* supplied and is undef, it will validate (incorrectly). This bug is reproducible in CVS HEAD. It happens *only* in token.cgi, however, which means that you need to enter your email to request a change on the login page (it doesn't affect userprefs, which only uses one argument). Now that I look at it, it actually seems userprefs should also use the double-argument function, since it duplicates the check, doesn't it? We could clean that up..
Severity: trivial → normal
Summary: Password change accepted with blank second field → token.cgi password change accepted with blank second field
Assignee | ||
Updated•21 years ago
|
Status: NEW → ASSIGNED
Assignee | ||
Updated•20 years ago
|
OS: other → All
Hardware: Other → All
Assignee | ||
Comment 8•20 years ago
|
||
Assignee | ||
Updated•20 years ago
|
Attachment #142770 -
Flags: review?(kiko)
Comment 9•20 years ago
|
||
reproduced this on the 2.16 branch as well... I'll take this for 2.17.7 if it makes it, but it's my intention to release 2.17.7 before I sleep again if I can manage it ;)
Whiteboard: [wanted for 2.16.6] [wanted for 2.18rc1]
Comment 10•20 years ago
|
||
Comment on attachment 142770 [details] [diff] [review] Version 1 Low-risk and nice! Please ensure that this works and doesn't regress anything (places to test are editusers.cgi password changing, userprefs.cgi password changing, and token.cgi password changing :-) The 2.16 branch could also use the globals.pl patch.. let's see what justdave says to that.
Attachment #142770 -
Flags: review?(kiko) → review+
Assignee | ||
Comment 11•20 years ago
|
||
Assignee | ||
Updated•20 years ago
|
Attachment #142782 -
Flags: review?(kiko)
Assignee | ||
Updated•20 years ago
|
Target Milestone: Bugzilla 2.18 → Bugzilla 2.16
Comment 12•20 years ago
|
||
Comment on attachment 142782 [details] [diff] [review] Backport for BUGZILLA-2_16-BRANCH How crufty that looks :-) (Same yadda yaddas apply to this patch, I can't do any testing today)
Attachment #142782 -
Flags: review?(kiko) → review+
Comment 13•20 years ago
|
||
Does this bug really go all the way back to 2.10?
Comment 14•20 years ago
|
||
Low-risk fixes for a mild dataloss/user annoyance problem.
Flags: approval?
Updated•20 years ago
|
Flags: approval? → approval+
Whiteboard: [wanted for 2.16.6] [wanted for 2.18rc1] → [wanted for 2.16.5] [wanted for 2.17.7]
Assignee | ||
Comment 15•20 years ago
|
||
Checking in globals.pl; /cvsroot/mozilla/webtools/bugzilla/globals.pl,v <-- globals.pl new revision: 1.255; previous revision: 1.254 done Checking in userprefs.cgi; /cvsroot/mozilla/webtools/bugzilla/userprefs.cgi,v <-- userprefs.cgi new revision: 1.52; previous revision: 1.51 done Checking in globals.pl; /cvsroot/mozilla/webtools/bugzilla/globals.pl,v <-- globals.pl new revision: 1.169.2.20; previous revision: 1.169.2.19 done Checking in userprefs.cgi; /cvsroot/mozilla/webtools/bugzilla/userprefs.cgi,v <-- userprefs.cgi new revision: 1.35.2.4; previous revision: 1.35.2.3 done
Status: ASSIGNED → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
Version: 2.10 → 2.16
Updated•20 years ago
|
Whiteboard: [wanted for 2.16.5] [wanted for 2.17.7] → [fixed in 2.16.5] [fixed in 2.17.7]
Version: 2.16 → 2.10
Updated•12 years ago
|
QA Contact: matty_is_a_geek → default-qa
You need to log in
before you can comment on or make changes to this bug.
Description
•