From: Byron Jones <glob@mozilla.com>
Date: Thu, 4 Aug 2011 20:46:53 +0000 (+0200)
Subject: Bug 670868: (CVE-2011-2978) [SECURITY] Account preferences page trusts user-modifiabl... 
X-Git-Tag: bugzilla-4.0.2~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5dfd38740a939f0e3b315ce5b5253285b9a01474;p=thirdparty%2Fbugzilla.git

Bug 670868: (CVE-2011-2978) [SECURITY] Account preferences page trusts user-modifiable field for obtaining current e-mail address
r/a=LpSolit
---

diff --git a/userprefs.cgi b/userprefs.cgi
index 8be6bcdfc8..cd5b158f0b 100755
--- a/userprefs.cgi
+++ b/userprefs.cgi
@@ -84,7 +84,7 @@ sub SaveAccount {
     my $pwd1 = $cgi->param('new_password1');
     my $pwd2 = $cgi->param('new_password2');
 
-    my $old_login_name = $cgi->param('old_login');
+    my $old_login_name = $user->login;
     my $new_login_name = trim($cgi->param('new_login_name'));
 
     if ($user->authorizer->can_change_password