Bug 395632: [SECURITY] XML-RPC WebService Bugzilla::User::offer_account_by_email…

Bug 395632: [SECURITY] XML-RPC WebService Bugzilla::User::offer_account_by_email does not check createemailregexp Patch By Max Kanat-Alexander <mkanat@bugzilla.org> r=LpSolit, r=Wurblzap, a=mkanat

Bug 395632: [SECURITY] XML-RPC WebService Bugzilla::User::offer_account_by_email…
052c5ebc · mkanat%bugzilla.org · 4b96e2ef · 052c5ebc · 052c5ebc
Commit 052c5ebc authored Sep 19, 2007 by mkanat%bugzilla.org
Hide whitespace changes
Inline Side-by-side

Showing with 10 additions and 0 deletions

Constants.pm Bugzilla/WebService/Constants.pm +2 -0

User.pm Bugzilla/WebService/User.pm +8 -0

No files found.
--- a/Bugzilla/WebService/Constants.pm
+++ b/Bugzilla/WebService/Constants.pm
@@ -83,6 +83,8 @@ use constant WS_ERROR_CODE => {
    # User errors are 500-600.
    account_exists        => 500,
    illegal_email_address => 501,
+    account_creation_disabled   => 501,
+    account_creation_restricted => 501,
    password_too_short    => 502,
    password_too_long     => 503,
    invalid_username      => 504,

--- a/Bugzilla/WebService/User.pm
+++ b/Bugzilla/WebService/User.pm
@@ -74,6 +74,14 @@ sub offer_account_by_email {
    my $email = trim($params->{email})
        || ThrowCodeError('param_required', { param => 'email' });

+    my $createexp = Bugzilla->params->{'createemailregexp'};
+    if (!$createexp) {
+        ThrowUserError("account_creation_disabled");
+    }
+    elsif ($email !~ /$createexp/) {
+        ThrowUserError("account_creation_restricted");
+    }
+
    $email = Bugzilla::User->check_login_name_for_creation($email);

    # Create and send a token for this new account.