From: Reed Loden
Date: Tue, 13 Dec 2011 22:26:45 +0000 (-0800)
Subject: Bug 705474 - CSRF vulnerability in createaccount.cgi allows possible unauthorized...
X-Git-Tag: bugzilla-4.3.1~166
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=cc86e1bc247787a6dd28f4604b93e08415ecd4fb;p=thirdparty%2Fbugzilla.git

Bug 705474 - CSRF vulnerability in createaccount.cgi allows possible unauthorized account creation e-mail request [r=mkanat a=mkanat]
---
diff --git a/Bugzilla/Token.pm b/Bugzilla/Token.pm
index 36b3b070f1..a85dcc1f41 100644
--- a/Bugzilla/Token.pm
+++ b/Bugzilla/Token.pm
@@ -176,9 +176,14 @@ sub issue_hash_token {
 $data ||= [];
 $time ||= time();
 
+ # For the user ID, use the actual ID if the user is logged in.
+ # Otherwise, use the remote IP, in case this is for something
+ # such as creating an account or logging in.
+ my $user_id = Bugzilla->user->id || remote_ip();
+
 # The concatenated string is of the form
- # token creation time + site-wide secret + user ID + data
- my @args = ($time, Bugzilla->localconfig->{'site_wide_secret'}, Bugzilla->user->id, @$data);
+ # token creation time + site-wide secret + user ID (either ID or remote IP) + data
+ my @args = ($time, Bugzilla->localconfig->{'site_wide_secret'}, $user_id, @$data);
 my $token = join('*', @args);
 
 # Wide characters cause md5_hex() to die.
diff --git a/createaccount.cgi b/createaccount.cgi
index d0437a0211..90530b3c59 100755
--- a/createaccount.cgi
+++ b/createaccount.cgi
@@ -62,6 +62,11 @@ unless ($createexp) {
 my $login = $cgi->param('login');
 if (defined($login)) {
+ # Check the hash token to make sure this user actually submitted
+ # the create account form.
+ my $token = $cgi->param('token');
+ check_hash_token($token, ['create_account']);
+
 $login = Bugzilla::User->check_login_name_for_creation($login);
 $vars->{'login'} = $login;
diff --git a/template/en/default/account/create.html.tmpl b/template/en/default/account/create.html.tmpl
index bf273e459e..a2a2e9fc6e 100644
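Review bot: `remote_ip()` is called as a bare function in `issue_hash_token` but this hunk adds no import for it; unless Bugzilla::Token already pulls it in from Bugzilla::Util, the call only fails at runtime ("Undefined subroutine") on the first logged-out caller, so the module's `use` list should be checked. Binding the anonymous token to the client address also means a client whose address changes between rendering the form and posting it (proxy pools, mobile hand-over) fails validation with a token error rather than a CSRF rejection, and clients behind one shared egress address fall into the same token scope; both consequences belong in the comment, e.g. `# Anonymous tokens are bound to the client address: an address change between form render and submit invalidates the token.` check_hash_token is not on this page, so whether it recomputes with the same `id || remote_ip()` rule is inferred; the two sides must use the identical rule or the anonymous path can never validate. issue_hash_token starts before and continues past this hunk.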
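Review bot: The token read at `$cgi->param('token')` is only meaningful if the form in create.html.tmpl emits a hidden field with exactly that name carrying a token issued for `['create_account']`, and the template hunk on this page is truncated to a single `+` line, so the field name and data argument cannot be confirmed to match from here. `check_hash_token` is likewise called unqualified; if createaccount.cgi does not already `use Bugzilla::Token`, the check dies at runtime instead of rejecting the request. A short comment on the expected failure mode would help the next reader, e.g. `# check_hash_token throws on a missing, stale or mismatched token; nothing below runs without a valid one.` — hedged, since check_hash_token's behaviour on an undef `$token` is not visible here. The `if (defined($login))` block continues past the hunk.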
--- a/template/en/default/account/create.html.tmpl +++ b/template/en/default/account/create.html.tmpl @@ -71,6 +71,7 @@
+