author | Frédéric Buclin <LpSolit@gmail.com> | 2010-08-04 23:41:02 +0200 |
---|---|---|
committer | Frédéric Buclin <LpSolit@gmail.com> | 2010-08-04 23:41:02 +0200 |
commit | 2ea4b3d38e8a012f61d20e6831daaf06493c3d95 (patch) | |
tree | 417fb44234468b46c3cbbf8659173e68161d9680 /Bugzilla.pm | |
parent | Bug 417048: (CVE-2010-2756) [SECURITY] Boolean charts let me query for users ... (diff) | |
Bug 450013: (CVE-2010-2757) [SECURITY] Can sudo a user without sending email
r=glob a=LpSolit
Diffstat (limited to 'Bugzilla.pm')
-rw-r--r-- | Bugzilla.pm | 49 |
1 files changed, 32 insertions, 17 deletions
diff --git a/Bugzilla.pm b/Bugzilla.pm
index 6ecbc27db..d97049678 100644
--- a/Bugzilla.pm
+++ b/Bugzilla.pm
@@ -51,10 +51,12 @@ use Bugzilla::Error;
 use Bugzilla::Util;
 use Bugzilla::Field;
 use Bugzilla::Flag;
+use Bugzilla::Token;
 use File::Basename;
 use File::Spec::Functions;
 use DateTime::TimeZone;
+use Date::Parse;
 use Safe;
 #####################################################################
@@ -341,24 +343,37 @@ sub login {
 # 3: There must be a valid value in the 'sudo' cookie
 # 4: A Bugzilla::User object must exist for the given cookie value
 # 5: That user must NOT be in the 'bz_sudo_protect' group
- my $sudo_cookie = $class->cgi->cookie('sudo');
- detaint_natural($sudo_cookie) if defined($sudo_cookie);
- my $sudo_target;
- $sudo_target = new Bugzilla::User($sudo_cookie) if defined($sudo_cookie);
- if (defined($authenticated_user) &&
- $authenticated_user->in_group('bz_sudoers') &&
- defined($sudo_cookie) &&
- defined($sudo_target) &&
- !($sudo_target->in_group('bz_sudo_protect'))
- )
- {
- $class->set_user($sudo_target);
- $class->request_cache->{sudoer} = $authenticated_user;
- # And make sure that both users have the same Auth object,
- # since we never call Auth::login for the sudo target.
- $sudo_target->set_authorizer($authenticated_user->authorizer);
+ my $token = $class->cgi->cookie('sudo');
+ if (defined $authenticated_user && $token) {
+ my ($user_id, $date, $sudo_target_id) = Bugzilla::Token::GetTokenData($token);
+ if (!$user_id
+ || $user_id != $authenticated_user->id
+ || !detaint_natural($sudo_target_id)
+ || (time() - str2time($date) > MAX_SUDO_TOKEN_AGE))
+ {
+ $class->cgi->remove_cookie('sudo');
+ ThrowUserError('sudo_invalid_cookie');
+ }
+
+ my $sudo_target = new Bugzilla::User($sudo_target_id);
+ if ($authenticated_user->in_group('bz_sudoers')
+ && defined $sudo_target
+ && !$sudo_target->in_group('bz_sudo_protect'))
+ {
+ $class->set_user($sudo_target);
+ $class->request_cache->{sudoer} = $authenticated_user;
+ # And make sure that both users have the same Auth object,
+ # since we never call Auth::login for the sudo target.
+ $sudo_target->set_authorizer($authenticated_user->authorizer);
- # NOTE: If you want to do any special logging, do it here.
+ # NOTE: If you want to do any special logging, do it here.
+ }
+ else {
+ delete_token($token);
+ $class->cgi->remove_cookie('sudo');
+ ThrowUserError('sudo_illegal_action', { sudoer => $authenticated_user,
+ target_user => $sudo_target });
+ }
 }
 else {
 $class->set_user($authenticated_user);
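Review bot: The validity check that follows `Bugzilla::Token::GetTokenData($token)` verifies the token's owner and age but never its type; as far as this hunk shows the call yields only `($user_id, $date, $sudo_target_id)`, so any token row belonging to the same user whose eventdata happens to be a natural number would pass `detaint_natural` and be treated as a sudo target. If Bugzilla::Token can return or verify the token type, fold that into the same condition so the 'sudo' cookie can only be satisfied by a token issued for sudo, and say so in a comment above the `if`, e.g. `# Only a sudo token issued to the logged-in user, younger than MAX_SUDO_TOKEN_AGE, is accepted.`. Separately, the `sudo_invalid_cookie` branch only removes the cookie, while the `sudo_illegal_action` branch also calls `delete_token($token)`; an expired token that belongs to the current user could be deleted in the first branch as well so stale rows do not linger until the next cleanup. The enclosing `sub login` begins before this hunk and continues past it.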