Closed Bug 136506 Opened 21 years ago Closed 21 years ago

can't create new accounts cvs tip 4/8/02

Categories

(Bugzilla :: User Accounts, defect, P1)

defect

Tracking

()

RESOLVED FIXED
Bugzilla 2.16

People

(Reporter: daa, Assigned: myk)

Details

(Keywords: regression)

Attachments

(1 file)

using:
http://n0cgi.distributed.net/bugs/createaccount.cgi?login=foo%40bar.com&realname=foo+bar

cvs tip bugzilla returns:

Content-type: text/html 

Software error:

Attempted to send tainted string 'SELECT eventdata FROM tokens WHERE tokentype =
'emailold' AND eventdata like
'%:foo@bar.com' OR eventdata like 'foo@bar.com:%'' to the database at globals.pl
line 260.
This is a 2.16 blocker, I'd guess. Without having actually tested this, does
validateNewUser need to do some escaping (and where does that code deal with
stopping someone from hijacking the new email address?)

John, this would be your stuff, I assume
Keywords: regression
Priority: -- → P1
Target Milestone: --- → Bugzilla 2.16
I found it necessary in userprefs.cgi to add trick_taint($login) after
CheckEmailSyntax($login) to avoid a taint error in ValidateNewUser. 
ValidateNewUser does not currently check email syntax, as most invocations have
already done this (and CheckEmailSyntax is in CGI.pl).

Long term, ValidateNewUser should call CheckEmailSyntax and return useful error
messages to be displayed to the user.

The code to avoid new email addresses being hijacked is ValidateNewUser.  It
checks there are no tokens with the specified address (pending changes, or
addresses still able to be reverted) and uses DBname_to_id to check against
current users.
Attached patch quick fixSplinter Review
quick fix - add trick taint to createaccount.cgi
Comment on attachment 78670 [details] [diff] [review]
quick fix

diff -u, please
Attachment #78670 - Flags: review-
I can't reproduce this; can anyone else?
I can reproduce this, which may indicate this is similar to bug 134562.
I'll see if I can work out what is going on later tonight.
Comment on attachment 78670 [details] [diff] [review]
quick fix

Fixes the problem on perl 5.005, continues to work on perl 5.6, trivial fix/low
risk, 2x r=myk
Attachment #78670 - Flags: review-
Attachment #78670 - Flags: review+
Keywords: patch, review
Checking in createaccount.cgi;
/cvsroot/mozilla/webtools/bugzilla/createaccount.cgi,v  <--  createaccount.cgi
new revision: 1.19; previous revision: 1.18
done
Status: NEW → RESOLVED
Closed: 21 years ago
Resolution: --- → FIXED
QA Contact: matty_is_a_geek → default-qa
You need to log in before you can comment on or make changes to this bug.