Closed
Bug 297794
Opened 20 years ago
Closed 20 years ago
initBug's verification of user_id being an email is bogus
Categories
(Bugzilla :: Creating/Changing Bugs, defect)
Tracking
()
RESOLVED
FIXED
Bugzilla 2.20
People
(Reporter: kiko, Assigned: timello)
Details
Attachments
(1 file, 1 obsolete file)
|
934 bytes,
patch
|
LpSolit
:
review+
|
Details | Diff | Splinter Review |
So initBug's verification of user_id being an email is bogus:
unless (defined $user_id) {
$user_id = 0;
}
else {
if ($user_id =~ /^\@/) {
$user_id = &::DBname_to_id($user_id);
}
}
This is slightly outdated, but no email starts with an @ sign. Patch in hand.
|
Reporter | |
Comment 1•20 years ago
|
||
The rest is cosmetics.
Attachment #186336 -
Flags: review?(LpSolit)
|
||
Comment 2•20 years ago
|
||
Comment on attachment 186336 [details] [diff] [review] kiko_v1: the important part is s/^// >+ } elsif ($user_id =~ /\@/) { >+ $user_id = login_to_id($user_id); > } > > $self->{'who'} = new Bugzilla::User($user_id); This does not help, because I could set Param('emailsuffix') to '@my_company.com' and $user_id would be something like 'my_username'. Then new Bugzilla::User($user_id) would fail because of an invalid $user_id. Why not testing if $user_id is numerical using if (!detaint_natural()) {login_to_id()} ? Adding a comment specifying that the login name, not the full email address, is required would be fine too.
Attachment #186336 -
Flags: review?(LpSolit) → review-
|
Assignee | |
Comment 3•20 years ago
|
||
Attachment #186488 -
Flags: review?(LpSolit)
|
|
Reporter | |
Comment 4•20 years ago
|
||
Comment on attachment 186488 [details] [diff] [review] v2_timello: detaint_natural instead I don't really like stored_user_id, but I see why we need it and it does avoid some redundant code. I am more concerned, however, with login_to_id(). That function returns zero if the login supplied doesn't exist, but I think we should explicitly raise an error in that case -- I don't like us silently failing here because it can mask other errors. How about doing a ThrowUserError("invalid_username") if !$user_id inside that elsif?
|
|
||
Comment 5•20 years ago
|
||
Comment on attachment 186488 [details] [diff] [review] v2_timello: detaint_natural instead kiko, you say it's unsafe to let a user with an invalid login name to go through. But the code actually does not check that $user_id, if numeric, is valid either. This is part of another bug IMO.
Attachment #186488 -
Flags: review?(LpSolit) → review+
|
|
||
Updated•20 years ago
|
Status: NEW → ASSIGNED
Flags: approval?
OS: Linux → All
Hardware: PC → All
Target Milestone: --- → Bugzilla 2.20
Version: unspecified → 2.19.3
|
||
Comment 6•20 years ago
|
||
> I am more concerned, however, with login_to_id(). That function returns zero > if the login supplied doesn't exist, but I think we should explicitly raise > an error in that case -- I don't like us silently failing here because it > can mask other errors. Yeah, we should stop doing such things. > How about doing a ThrowUserError("invalid_username") if !$user_id inside that elsif? Our other option is to return undef. In practice, some situations will probably call for one, while others will call for the other. a=myk for check in during 2.20 freeze.
Flags: approval? → approval+
|
|
||
Updated•20 years ago
|
Attachment #186336 -
Attachment is obsolete: true
|
|
||
Updated•20 years ago
|
Assignee: kiko → timello
Status: ASSIGNED → NEW
|
|
||
Comment 7•20 years ago
|
||
Checking in Bugzilla/Bug.pm; /cvsroot/mozilla/webtools/bugzilla/Bugzilla/Bug.pm,v <-- Bug.pm new revision: 1.78; previous revision: 1.77 done
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
You need to log in
before you can comment on or make changes to this bug.
Description
•