Bug 670868: (CVE-2011-2978) [SECURITY] Account preferences page trusts user-modifiable field for obtaining current e-mail address

r/a=LpSolit git-svn-id: svn://10.0.0.236/branches/BUGZILLA-3_4-BRANCH@262586 18797224-902f-48f8-a5cc-f745e15eee43
2011-08-04 21:06:12 +00:00 · 2011-08-04 21:06:12 +00:00 · e2c29f672f
commit e2c29f672f
parent 586f6e4005
2 changed files with 2 additions and 2 deletions
--- a/mozilla/webtools/bugzilla/.bzrrev
+++ b/mozilla/webtools/bugzilla/.bzrrev
@ -1 +1 @@
-6807
+6808
--- a/mozilla/webtools/bugzilla/userprefs.cgi
+++ b/mozilla/webtools/bugzilla/userprefs.cgi
@ -120,7 +120,7 @@ sub SaveAccount {
        && Bugzilla->params->{"allowemailchange"}
        && $cgi->param('new_login_name'))
    {
-        my $old_login_name = $cgi->param('Bugzilla_login');
+        my $old_login_name = $user->login;
        my $new_login_name = trim($cgi->param('new_login_name'));

        if($old_login_name ne $new_login_name) {