IssueEmailChangeToken() should get the old login name from the user object

RESOLVED FIXED in Bugzilla 4.2

Status

Bugzilla
User Accounts
--
enhancement
RESOLVED FIXED
6 years ago
6 years ago

People

(Reporter: Frédéric Buclin, Assigned: Frédéric Buclin)

Tracking

4.1.3
Bugzilla 4.2
Bug Flags:
approval +
approval4.2 +

Details

Attachments

(1 attachment)

(Assignee)

Description

6 years ago
Created attachment 551741 [details] [diff] [review]
patch, v1

See bug 670868 comment 13:
"we should fix Bugzilla::Token::IssueEmailChangeToken() to only get ($user, $new_email) as arguments, and get $old_email from $user->login, instead of passing $old_email as we currently do. This would also prevent this abuse. But this should only be done on trunk (even 4.2), as a security enhancement."
Attachment #551741 - Flags: review?(glob)
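
The signature change proposed in the quoted comment, sketched as an added example (not Bugzilla's code and not the attached patch). `DemoUser`, `%TOKENS`, `_store` and both `issue_email_change_token_*` subs are hypothetical stand-ins; only the argument list `($user, $new_email)` and the `$user->login` lookup come from the bug text.

```perl
#!/usr/bin/perl
# Added illustration; every name below is a hypothetical stand-in.
use strict;
use warnings;

package DemoUser {
    sub new   { my ($class, %args) = @_; my $self = { %args }; return bless $self, $class }
    sub id    { $_[0]->{id} }
    sub login { $_[0]->{login} }
}

package main;

my %TOKENS;         # token => record; stands in for a token table
my $counter = 0;

sub _store {
    my ($userid, $old_email, $new_email) = @_;
    # Placeholder value so the demo is deterministic; real tokens must be random.
    my $token = sprintf 'demo-token-%04d', ++$counter;
    $TOKENS{$token} = { userid => $userid, old_email => $old_email, new_email => $new_email };
    return $token;
}

# Before: the old address is an argument, so its value is whatever the caller passes.
sub issue_email_change_token_old {
    my ($user, $old_email, $new_email) = @_;
    return _store($user->id, $old_email, $new_email);
}

# After: only ($user, $new_email); the old address is read from the user object.
sub issue_email_change_token_new {
    my ($user, $new_email) = @_;
    return _store($user->id, $user->login, $new_email);
}

my $user = DemoUser->new(id => 42, login => 'alice@example.com');

# Constructed caller-supplied value that does not match the logged-in account.
my $param_old = 'someone-else@example.com';

my $t1 = issue_email_change_token_old($user, $param_old, 'new@example.com');
my $t2 = issue_email_change_token_new($user, 'new@example.com');

# Audit each stored record against the account that owns it.
for my $t ($t1, $t2) {
    my $rec = $TOKENS{$t};
    my $ok  = $rec->{old_email} eq $user->login ? 'matches' : 'DOES NOT match';
    print "$t: old_email=$rec->{old_email} ($ok user->login)\n";
}
```

With the two-argument form there is no parameter through which a mismatched old address can reach the stored record, so callers cannot get it wrong.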
(Assignee)

Updated

6 years ago
Attachment #551741 - Flags: review?(glob) → review?(timello)
Comment on attachment 551741 [details] [diff] [review]
patch, v1

It looks good to me.
Attachment #551741 - Flags: review?(timello) → review+

Updated

6 years ago
Flags: approval?
(Assignee)

Updated

6 years ago
Flags: approval?
Flags: approval4.2+
Flags: approval+
(Assignee)

Comment 2

6 years ago
Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/trunk/
modified userprefs.cgi
modified Bugzilla/Token.pm
Committed revision 7937.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/4.2/
modified userprefs.cgi
modified Bugzilla/Token.pm
Committed revision 7910.
Status: ASSIGNED → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED