From: Byron Jones
Date: Thu, 4 Aug 2011 20:49:51 +0000 (+0200)
Subject: Bug 670868: (CVE-2011-2978) [SECURITY] Account preferences page trusts user-modifiabl...
X-Git-Tag: bugzilla-3.4.12~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5f255e0eb67d2d8834ab13c72c7043eaf1f0f3bb;p=thirdparty%2Fbugzilla.git
Bug 670868: (CVE-2011-2978) [SECURITY] Account preferences page trusts user-modifiable field for obtaining current e-mail address r/a=LpSolit
---
diff --git a/userprefs.cgi b/userprefs.cgi
index cffae38ccb..57bfcca5d9 100755
--- a/userprefs.cgi
+++ b/userprefs.cgi
@@ -120,7 +120,7 @@ sub SaveAccount {
 && Bugzilla->params->{"allowemailchange"}
 && $cgi->param('new_login_name'))
 {
- my $old_login_name = $cgi->param('Bugzilla_login');
+ my $old_login_name = $user->login;
 my $new_login_name = trim($cgi->param('new_login_name'));
 
 if($old_login_name ne $new_login_name) {
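Review bot: The replacement line `my $old_login_name = $user->login;` carries no comment recording why the current address must come from the authenticated user object, so a later refactor could quietly reintroduce a read from the request; I would add `# Current login comes from the session user, never from a form field the client can alter (CVE-2011-2978).` directly above it. On the following line, `trim($cgi->param('new_login_name'))` calls `param` in list context, so a request carrying several `new_login_name` values hands `trim` a list; `trim(scalar $cgi->param('new_login_name'))` makes the single-value intent explicit. SaveAccount starts and ends outside the hunk, so whether other reads of `Bugzilla_login` remain in the function cannot be seen from here and is worth checking.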