From: mkanat%bugzilla.org <>
Date: Wed, 19 Sep 2007 04:28:30 +0000 (+0000)
Subject: Bug 395632: [SECURITY] XML-RPC WebService Bugzilla::User::offer_account_by_email...
X-Git-Tag: bugzilla-3.1.2~2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=052c5ebc181807287a6c9d972dbed7405cd00ef2;p=thirdparty%2Fbugzilla.git
Bug 395632: [SECURITY] XML-RPC WebService Bugzilla::User::offer_account_by_email does not check createemailregexp Patch By Max Kanat-Alexander r=LpSolit, r=Wurblzap, a=mkanat
---
diff --git a/Bugzilla/WebService/Constants.pm b/Bugzilla/WebService/Constants.pm
index 43e4c1c8ea..139ec1b7b9 100755
--- a/Bugzilla/WebService/Constants.pm
+++ b/Bugzilla/WebService/Constants.pm
@@ -83,6 +83,8 @@ use constant WS_ERROR_CODE => {
 # User errors are 500-600.
 account_exists => 500,
 illegal_email_address => 501,
+ account_creation_disabled => 501,
+ account_creation_restricted => 501,
 password_too_short => 502,
 password_too_long => 503,
 invalid_username => 504,
diff --git a/Bugzilla/WebService/User.pm b/Bugzilla/WebService/User.pm
index db02ff75ae..f839e2a9d4 100755
--- a/Bugzilla/WebService/User.pm
+++ b/Bugzilla/WebService/User.pm
@@ -74,6 +74,14 @@ sub offer_account_by_email {
 my $email = trim($params->{email}) || ThrowCodeError('param_required', { param => 'email' });
+ my $createexp = Bugzilla->params->{'createemailregexp'};
+ if (!$createexp) {
+ ThrowUserError("account_creation_disabled");
+ }
+ elsif ($email !~ /$createexp/) {
+ ThrowUserError("account_creation_restricted");
+ }
 $email = Bugzilla::User->check_login_name_for_creation($email);
 # Create and send a token for this new account.
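Review bot: The two new keys `account_creation_disabled` and `account_creation_restricted` are both mapped to 501, the code `illegal_email_address` already uses, so an XML-RPC client cannot tell "account creation is switched off" from "this address is malformed" by fault code alone. If the shared code is deliberate, a comment directly above the two entries would record it, for example `# 501 is shared on purpose: all three mean "this address cannot be used to create an account".` If it is not, each key would need its own unused code in the 500-600 range. The `WS_ERROR_CODE` hash starts and ends outside this hunk, so which codes are still free cannot be checked from here.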
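Review bot: The `createemailregexp` check is added inside the WebService method, ahead of `Bugzilla::User->check_login_name_for_creation($email)`, so the restriction is enforced per caller and not in the shared account-creation path. Any other entry point that offers an account has to repeat both branches, and a missing copy would plausibly reopen the hole this commit closes. Consider moving the disabled/restricted test into one helper on the `Bugzilla::User` side, or at least marking this copy with `# Must stay in sync with every other createemailregexp check on account creation.` A regression test calling `offer_account_by_email` once with the parameter empty and once with a non-matching address would pin both branches. The body of `offer_account_by_email` starts and ends outside this hunk, so whether such a helper already exists cannot be confirmed from here.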