Bug 670868: (CVE-2011-2978) [SECURITY] Account preferences page trusts user-modifiabl...

r/a=LpSolit

diff --git a/userprefs.cgi b/userprefs.cgi
index 009361324ae5a7a27be1b2ca1feeb9d025f1ad69..f411326a241b7ba1f16d9c4ae0ed069ddb939cfb 100755 (executable)
--- a/userprefs.cgi
+++ b/userprefs.cgi
@@ -85,7 +85,7 @@ sub SaveAccount {
     my $pwd1 = $cgi->param('new_password1');
     my $pwd2 = $cgi->param('new_password2');
 
-    my $old_login_name = $cgi->param('old_login');
+    my $old_login_name = $user->login;
     my $new_login_name = trim($cgi->param('new_login_name'));
 
     if ($user->authorizer->can_change_password