From: mkanat%bugzilla.org <>
Date: Wed, 19 Sep 2007 04:30:20 +0000 (+0000)
Subject: Bug 395632: [SECURITY] XML-RPC WebService Bugzilla::User::offer_account_by_email...
X-Git-Tag: bugzilla-3.0.2~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ad8836ddccaf0599a4701f5a505d11572416c8eb;p=thirdparty%2Fbugzilla.git
Bug 395632: [SECURITY] XML-RPC WebService Bugzilla::User::offer_account_by_email does not check createemailregexp Patch By Max Kanat-Alexander r=LpSolit, a=mkanat
---
diff --git a/Bugzilla/WebService/Constants.pm b/Bugzilla/WebService/Constants.pm
index 5e255d4be3..0b73114dfb 100755
--- a/Bugzilla/WebService/Constants.pm
+++ b/Bugzilla/WebService/Constants.pm
@@ -84,6 +84,7 @@ use constant WS_ERROR_CODE => {
 # User errors are 500-600.
 account_exists => 500,
 illegal_email_address => 501,
+ account_creation_disabled => 501,
 password_too_short => 502,
 password_too_long => 503,
 invalid_username => 504,
diff --git a/Bugzilla/WebService/User.pm b/Bugzilla/WebService/User.pm
index db02ff75ae..12ca0a4ce1 100755
--- a/Bugzilla/WebService/User.pm
+++ b/Bugzilla/WebService/User.pm
@@ -74,6 +74,11 @@ sub offer_account_by_email {
 my $email = trim($params->{email}) || ThrowCodeError('param_required', { param => 'email' });
+ my $createexp = Bugzilla->params->{'createemailregexp'};
+ if (!$createexp || $email !~ /$createexp/) {
+ ThrowUserError("account_creation_disabled");
+ }
+ $email = Bugzilla::User->check_login_name_for_creation($email);
 # Create and send a token for this new account.
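Review bot: In Bugzilla/WebService/Constants.pm the new `account_creation_disabled` entry reuses fault code 501, the value already held by `illegal_email_address` on the line above it, so an XML-RPC client cannot tell a malformed address from one rejected by the account-creation policy by code alone. If the sharing is intended, record that next to the entry, for example `# Same code as illegal_email_address on purpose: both mean "this address cannot be used to create an account".`; otherwise give it an unused value in the 500-600 range. The WS_ERROR_CODE hash starts and ends outside the hunk.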
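Review bot: In Bugzilla/WebService/User.pm the createemailregexp test is enforced only inside offer_account_by_email, so any other entry point that offers or creates an account has to repeat it by hand, which is the kind of omission this commit fixes. Consider moving the test into a single helper on Bugzilla::User that every entry point calls; whether check_login_name_for_creation is the right home depends on its other callers, which are not visible here. At minimum, document the policy above the check, for example `# Account creation is refused when createemailregexp is empty or the address does not match it.` The match `$email !~ /$createexp/` is only as strict as the configured pattern, since an unanchored pattern matches anywhere in the address, so the parameter's documentation should tell administrators to anchor it. The body of offer_account_by_email continues outside the hunk.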