From: David Lawrence
Date: Fri, 20 Jan 2023 15:58:25 +0000 (-0500)
Subject: Bug 1811297 - Full Account Takeover on BMO using Github authentication
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=07475c66f6bdc8f7b19d23c5f0c57b0bbd5bd055;p=thirdparty%2Fbugzilla.git

Bug 1811297 - Full Account Takeover on BMO using Github authentication
---

diff --git a/Bugzilla/User.pm b/Bugzilla/User.pm
index d98c3f3fb..7ae4f6897 100644
--- a/Bugzilla/User.pm
+++ b/Bugzilla/User.pm
@@ -155,7 +155,19 @@ sub new {
 $_[0] = $param;
 }
 }
- return $class->SUPER::new(@_);
+
+ $user = $class->SUPER::new(@_);
+
+ # MySQL considers some non-ascii characters such as umlauts to equal
+ # ascii characters returning a user when it should not.
+ if ($user && ref $param eq 'HASH' && exists $param->{name}) {
+ my $login = $param->{name};
+ if (lc $login ne lc $user->login) {
+ $user = undef;
+ }
+ }
+
+ return $user;
 }
 
 sub super_user {
diff --git a/extensions/GitHubAuth/lib/Login.pm b/extensions/GitHubAuth/lib/Login.pm
index 15d0cdd4b..e1f61a6d7 100644
--- a/extensions/GitHubAuth/lib/Login.pm
+++ b/extensions/GitHubAuth/lib/Login.pm
@@ -17,7 +17,7 @@
 use fields qw(github_failure);
 use Scalar::Util qw(blessed);
 use Bugzilla::Constants qw(AUTH_NODATA AUTH_ERROR USAGE_MODE_BROWSER);
-use Bugzilla::Util qw(generate_random_password);
+use Bugzilla::Util qw(generate_random_password validate_email_syntax);
 use Bugzilla::Token qw(issue_short_lived_session_token set_token_extra_data);
 use List::MoreUtils qw(any);
 use Bugzilla::Extension::GitHubAuth::Client;
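Review bot: The guard `if (lc $login ne lc $user->login)` in the new block of `Bugzilla::User::new` can still let a confusable login through, because `lc` on a decoded character string applies full Unicode case mapping (U+212A KELVIN SIGN lowercases to ASCII `k`, for instance), so an address containing such a character compares equal to the ASCII login after `lc` just as it did under MySQL's case-insensitive collation; whether `$param->{name}` arrives here as a character string depends on code outside the hunk. An ASCII-only fold does not re-introduce the equivalence the comment warns about: `(my $want = $login) =~ tr/A-Z/a-z/;` / `(my $have = $user->login) =~ tr/A-Z/a-z/;` / `if ($want ne $have) { $user = undef; }`. The check also only fires for the hashref-with-`name` form, so a bare login string is covered only if the `$_[0] = $param` assignment visible at the top of the hunk has already rewritten it into that shape, and any other lookup helper that relies on the same collation (a login-to-id query, if one exists) is not changed by this commit. `sub new` begins before the hunk, and `$user` is assigned without `my`, so it must be declared earlier in the function.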
@@ -102,9 +102,15 @@ sub _get_login_info_from_github {
 grep { $_->{verified} && $_->{email} !~ /\@users\.noreply\.github\.com$/ }
 @$emails;
 
+ # Validate each email address similar to if we were creating the account locally
+ my @valid_emails;
+ foreach my $email (@emails) {
+ push @valid_emails, $email if validate_email_syntax($email);
+ }
+
 my @bugzilla_users;
 my @github_emails;
- foreach my $email (@emails) {
+ foreach my $email (@valid_emails) {
 my $user = Bugzilla::User->new({name => $email, cache => 1});
 if ($user) {
 push @bugzilla_users, $user;
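Review bot: The new `@valid_emails` filter is only as strict as `validate_email_syntax`, which is not visible here; if that helper is driven by a configurable email regexp in which `\w` matches Unicode letters, an umlaut address still passes it, so the actual stop for the collation confusion remains the login comparison in `Bugzilla::User->new`, and a comment at the filter should say so, e.g. `# Syntax check only; the collation-safe login comparison is done in Bugzilla::User->new`. The five-line `foreach`/`push` loop would read more consistently with the `grep` directly above it as `my @valid_emails = grep { validate_email_syntax($_) } @emails;`. Addresses that fail the check are dropped silently, so when every address is rejected both `@bugzilla_users` and `@github_emails` end up empty and the code after the hunk decides the outcome; a log line at the drop point would make that path diagnosable. `_get_login_info_from_github` continues past the end of the hunk.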