From: lpsolit%gmail.com <>
Date: Mon, 5 May 2008 04:56:42 +0000 (+0000)
Subject: Bug 419188: [SECURITY] email_in.pl lets you set the changer as @reporter instead... 
X-Git-Tag: bugzilla-3.0.4~3
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5632e19c5681ffe14074c2bdfa90c4f639c96a67;p=thirdparty%2Fbugzilla.git

Bug 419188: [SECURITY] email_in.pl lets you set the changer as @reporter instead of only checking the "From" header - Patch by Frédéric Buclin <LpSolit@gmail.com> r=mkanat a=LpSolit
---

diff --git a/email_in.pl b/email_in.pl
index 0c97af36f4..576aed81ac 100644
--- a/email_in.pl
+++ b/email_in.pl
@@ -125,6 +125,16 @@ sub parse_mail {
             
             if ($line =~ /^@(\S+)\s*=\s*(.*)\s*/) {
                 $current_field = lc($1);
+                # It's illegal to pass the reporter field as you could
+                # override the "From:" field of the message and bypass
+                # authentication checks, such as PGP.
+                if ($current_field eq 'reporter') {
+                    # We reset the $current_field variable to something
+                    # post_bug and process_bug will ignore, in case the
+                    # attacker splits the reporter field on several lines.
+                    $current_field = 'illegal_field';
+                    next;
+                }
                 $fields{$current_field} = $2;
             }
             else {