Closed Bug 123077 Opened 23 years ago Closed 20 years ago

token.cgi password change accepted with blank second field

Categories

(Bugzilla :: User Accounts, defect, P2)

Product:
Bugzilla
Component:
User Accounts
Version:
2.16.4
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
Bugzilla 2.16

People

(Reporter: gm+bmo, Assigned: goobix)

References

Details

(Whiteboard: [fixed in 2.16.5] [fixed in 2.17.7])

Attachments

(2 files)

Version 1
1.32 KB, patch
kiko
: review+
Details | Diff | Splinter Review
Backport for BUGZILLA-2_16-BRANCH
1.69 KB, patch
kiko
: review+
Details | Diff | Splinter Review 
If a user goes to change his/her password and leaves the second password field blank, Bugzilla will change the user's password to the contents of the first field.
Reccomend changing line 838 of globals.pl (ValidatePassword function) from
   elsif ( $matchpassword && ...)
to
   elsif ( defined($matchpassword) && ...)
Severity: trivial → normal
Priority: -- → P2
Target Milestone: --- → Bugzilla 2.18
Zippy's QA just duplicated this....
*** Bug 210967 has been marked as a duplicate of this bug. ***
Vladd, this one may interest you :)
Sure.
Assignee: myk → jocuri
Severity: normal → trivial
I can't reproduce this on landfill, marking fixed.

There are 2 interfaces for ValidatePassword in globals.pl, with one and
respectively 2 params. The sub works right now okay in both modes, but if we add
the change proposed in item0, it will fail for calls that use only one param
(you can grep the source with grep -R "ValidatePassword" * in order to see the
interfaces and their utilization).

In userprefs.cgi we have:

($pwd1 eq $pwd2) || ThrowUserError("passwords_dont_match");
$::FORM{'new_password1'} || ThrowUserError("new_password_missing");
ValidatePassword($pwd1);

which assures that we check for non-empty password on the 2nd password field.

Suggesting WORKS FOR ME or something similar.
(not marking fixed after all, leaving that to someone else who can confirm what
I said)
> The sub works right now okay in both modes, but if we add the change proposed
in > item0, it will fail for calls that use only one param (you can grep the source 
> with grep -R "ValidatePassword" * in order to see the interfaces and their 
> utilization).

Hmm, I don't see how checking for defined would break calls that only use one
argument. It's practically what happens today -- when it's undefined it will
evaluate as false -- except that when the password *is* supplied and is undef,
it will validate (incorrectly).

This bug is reproducible in CVS HEAD. It happens *only* in token.cgi, however,
which means that you need to enter your email to request a change on the login
page (it doesn't affect userprefs, which only uses one argument).

Now that I look at it, it actually seems userprefs should also use the
double-argument function, since it duplicates the check, doesn't it? We could
clean that up..
Severity: trivial → normal
Summary: Password change accepted with blank second field → token.cgi password change accepted with blank second field
Status: NEW → ASSIGNED
OS: other → All
Hardware: Other → All
Attached patch Version 1Splinter Review 

    
  

        Attachment #142770 -
        Flags: review?(kiko)

    
    

    
  
reproduced this on the 2.16 branch as well...  I'll take this for 2.17.7 if it
makes it, but it's my intention to release 2.17.7 before I sleep again if I can
manage it ;)
Whiteboard: [wanted for 2.16.6] [wanted for 2.18rc1]

    
    

    
  
Comment on attachment 142770 [details] [diff] [review]
Version 1

Low-risk and nice!

Please ensure that this works and doesn't regress anything (places to test are
editusers.cgi password changing, userprefs.cgi password changing, and token.cgi
password changing :-)

The 2.16 branch could also use the globals.pl patch.. let's see what justdave
says to that.

        Attachment #142770 -
        Flags: review?(kiko) → review+

    
    

    
  


  

    
  

        Attachment #142782 -
        Flags: review?(kiko)

    
  
Target Milestone: Bugzilla 2.18 → Bugzilla 2.16

    
    

    
  
Comment on attachment 142782 [details] [diff] [review]
Backport for BUGZILLA-2_16-BRANCH

How crufty that looks :-)

(Same yadda yaddas apply to this patch, I can't do any testing today)

        Attachment #142782 -
        Flags: review?(kiko) → review+

    
    

    
  
Does this bug really go all the way back to 2.10?

    
    

    
  
Low-risk fixes for a mild dataloss/user annoyance problem.
Flags: approval?
Flags: approval? → approval+
Whiteboard: [wanted for 2.16.6] [wanted for 2.18rc1] → [wanted for 2.16.5] [wanted for 2.17.7]

    
    

    
  
Checking in globals.pl;
/cvsroot/mozilla/webtools/bugzilla/globals.pl,v  <--  globals.pl
new revision: 1.255; previous revision: 1.254
done
Checking in userprefs.cgi;
/cvsroot/mozilla/webtools/bugzilla/userprefs.cgi,v  <--  userprefs.cgi
new revision: 1.52; previous revision: 1.51
done

Checking in globals.pl;
/cvsroot/mozilla/webtools/bugzilla/globals.pl,v  <--  globals.pl
new revision: 1.169.2.20; previous revision: 1.169.2.19
done
Checking in userprefs.cgi;
/cvsroot/mozilla/webtools/bugzilla/userprefs.cgi,v  <--  userprefs.cgi
new revision: 1.35.2.4; previous revision: 1.35.2.3
done
Status: ASSIGNED → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
Version: 2.10 → 2.16
Whiteboard: [wanted for 2.16.5] [wanted for 2.17.7] → [fixed in 2.16.5] [fixed in 2.17.7]
Version: 2.16 → 2.10

    
    

    
  
err... didn't mean to do that
Version: 2.10 → 2.16.4
QA Contact: matty_is_a_geek → default-qa

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: