Bug 395632: [SECURITY] XML-RPC WebService Bugzilla::User::offer_account_by_email...

Patch By Max Kanat-Alexander <mkanat@bugzilla.org> r=LpSolit, r=Wurblzap, a=mkanat

diff --git a/Bugzilla/WebService/Constants.pm b/Bugzilla/WebService/Constants.pm
index 43e4c1c8eae6eb2eb2731731bba85ac515acb200..139ec1b7b9b53b353051c44337d52d730d367529 100755 (executable)
--- a/Bugzilla/WebService/Constants.pm
+++ b/Bugzilla/WebService/Constants.pm
@@ -83,6 +83,8 @@ use constant WS_ERROR_CODE => {
     # User errors are 500-600.
     account_exists        => 500,
     illegal_email_address => 501,
+    account_creation_disabled   => 501,
+    account_creation_restricted => 501,
     password_too_short    => 502,
     password_too_long     => 503,
     invalid_username      => 504,

diff --git a/Bugzilla/WebService/User.pm b/Bugzilla/WebService/User.pm
index db02ff75ae65f6d04d1fc6f1869c0992add7c10f..f839e2a9d4841c3dcea5176cec2b714c02734780 100755 (executable)
--- a/Bugzilla/WebService/User.pm
+++ b/Bugzilla/WebService/User.pm
@@ -74,6 +74,14 @@ sub offer_account_by_email {
     my $email = trim($params->{email})
         || ThrowCodeError('param_required', { param => 'email' });
 
+    my $createexp = Bugzilla->params->{'createemailregexp'};
+    if (!$createexp) {
+        ThrowUserError("account_creation_disabled");
+    }
+    elsif ($email !~ /$createexp/) {
+        ThrowUserError("account_creation_restricted");
+    }
+
     $email = Bugzilla::User->check_login_name_for_creation($email);
 
     # Create and send a token for this new account.