authorFrédéric Buclin <LpSolit@gmail.com>2010-08-04 23:41:02 +0200
committerFrédéric Buclin <LpSolit@gmail.com>2010-08-04 23:41:02 +0200
commit2ea4b3d38e8a012f61d20e6831daaf06493c3d95 (patch)
tree417fb44234468b46c3cbbf8659173e68161d9680 /Bugzilla.pm
parentBug 417048: (CVE-2010-2756) [SECURITY] Boolean charts let me query for users ... (diff)
Bug 450013: (CVE-2010-2757) [SECURITY] Can sudo a user without sending email
r=glob a=LpSolit
Diffstat (limited to 'Bugzilla.pm')
-rw-r--r--Bugzilla.pm49
1 files changed, 32 insertions, 17 deletions
diff --git a/Bugzilla.pm b/Bugzilla.pm
index 6ecbc27db..d97049678 100644
--- a/Bugzilla.pm
+++ b/Bugzilla.pm
@@ -51,10 +51,12 @@ use Bugzilla::Error;
use Bugzilla::Util;
use Bugzilla::Field;
use Bugzilla::Flag;
+use Bugzilla::Token;
use File::Basename;
use File::Spec::Functions;
use DateTime::TimeZone;
+use Date::Parse;
use Safe;
#####################################################################
@@ -341,24 +343,37 @@ sub login {
# 3: There must be a valid value in the 'sudo' cookie
# 4: A Bugzilla::User object must exist for the given cookie value
# 5: That user must NOT be in the 'bz_sudo_protect' group
- my $sudo_cookie = $class->cgi->cookie('sudo');
- detaint_natural($sudo_cookie) if defined($sudo_cookie);
- my $sudo_target;
- $sudo_target = new Bugzilla::User($sudo_cookie) if defined($sudo_cookie);
- if (defined($authenticated_user) &&
- $authenticated_user->in_group('bz_sudoers') &&
- defined($sudo_cookie) &&
- defined($sudo_target) &&
- !($sudo_target->in_group('bz_sudo_protect'))
- )
- {
- $class->set_user($sudo_target);
- $class->request_cache->{sudoer} = $authenticated_user;
- # And make sure that both users have the same Auth object,
- # since we never call Auth::login for the sudo target.
- $sudo_target->set_authorizer($authenticated_user->authorizer);
+ my $token = $class->cgi->cookie('sudo');
+ if (defined $authenticated_user && $token) {
+ my ($user_id, $date, $sudo_target_id) = Bugzilla::Token::GetTokenData($token);
+ if (!$user_id
+ || $user_id != $authenticated_user->id
+ || !detaint_natural($sudo_target_id)
+ || (time() - str2time($date) > MAX_SUDO_TOKEN_AGE))
+ {
+ $class->cgi->remove_cookie('sudo');
+ ThrowUserError('sudo_invalid_cookie');
+ }
+
+ my $sudo_target = new Bugzilla::User($sudo_target_id);
+ if ($authenticated_user->in_group('bz_sudoers')
+ && defined $sudo_target
+ && !$sudo_target->in_group('bz_sudo_protect'))
+ {
+ $class->set_user($sudo_target);
+ $class->request_cache->{sudoer} = $authenticated_user;
+ # And make sure that both users have the same Auth object,
+ # since we never call Auth::login for the sudo target.
+ $sudo_target->set_authorizer($authenticated_user->authorizer);
- # NOTE: If you want to do any special logging, do it here.
+ # NOTE: If you want to do any special logging, do it here.
+ }
+ else {
+ delete_token($token);
+ $class->cgi->remove_cookie('sudo');
+ ThrowUserError('sudo_illegal_action', { sudoer => $authenticated_user,
+ target_user => $sudo_target });
+ }
}
else {
$class->set_user($authenticated_user);
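Review bot: The rejection condition that follows the GetTokenData call checks the token's owner, age and a numeric eventdata, but never checks that the token is of type 'sudo'; as destructured here, GetTokenData yields only (user_id, date, eventdata), so any token issued to the same user whose eventdata passes detaint_natural and is young enough would be honoured as a sudo grant, though whether other token types can carry a purely numeric eventdata is not visible in this hunk. If Bugzilla::Token can report the token type, add it to the guard, e.g. `|| $token_type ne 'sudo'`, so tokens minted for other purposes cannot be replayed through the sudo cookie. A smaller inconsistency: the invalid-cookie branch only removes the cookie, while the illegal-action branch also calls `delete_token($token)`, so an expired sudo token stays in the table until something else purges it; consider `delete_token($token) if $user_id && $user_id == $authenticated_user->id;` ahead of the ThrowUserError on the invalid path. The enclosing `sub login` begins before and ends after this hunk.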