Commit 7fda8c35 authored by mkanat%bugzilla.org's avatar mkanat%bugzilla.org

Bug 508189: (CVE-2009-3166) [SECURITY] Logging in after changing your password…

Bug 508189: (CVE-2009-3166) [SECURITY] Logging in after changing your password would expose your new password in the URL Patch by Max Kanat-Alexander <mkanat@bugzilla.org> r=LpSolit, a=mkanat
parent cb23c7f7
...@@ -130,6 +130,8 @@ if ( $action eq 'chgpw' ) { ...@@ -130,6 +130,8 @@ if ( $action eq 'chgpw' ) {
|| ThrowUserError("require_new_password"); || ThrowUserError("require_new_password");
validate_password($password, $cgi->param('matchpassword')); validate_password($password, $cgi->param('matchpassword'));
# Make sure that these never show up in the UI under any circumstances.
$cgi->delete('password', 'matchpassword');
} }
################################################################################ ################################################################################
...@@ -378,6 +380,8 @@ sub confirm_create_account { ...@@ -378,6 +380,8 @@ sub confirm_create_account {
my $password = $cgi->param('passwd1') || ''; my $password = $cgi->param('passwd1') || '';
validate_password($password, $cgi->param('passwd2') || ''); validate_password($password, $cgi->param('passwd2') || '');
# Make sure that these never show up anywhere in the UI.
$cgi->delete('passwd1', 'passwd2');
my $otheruser = Bugzilla::User->create({ my $otheruser = Bugzilla::User->create({
login_name => $login_name, login_name => $login_name,