From 8dd0e8193d51f243b547cc0f4f21f5b3a1375ff2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20Buclin?= Date: Wed, 18 Apr 2012 18:44:32 +0200 Subject: Bug 728639: (CVE-2012-0465) [SECURITY] User lockout policy can be bypassed by altering the X-FORWARDED-FOR header r=glob a=LpSolit --- Bugzilla/Config/Common.pm | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) (limited to 'Bugzilla/Config/Common.pm') diff --git a/Bugzilla/Config/Common.pm b/Bugzilla/Config/Common.pm index 6433e55ce..0e3551d13 100644 --- a/Bugzilla/Config/Common.pm +++ b/Bugzilla/Config/Common.pm @@ -23,7 +23,7 @@ use base qw(Exporter); qw(check_multi check_numeric check_regexp check_url check_group check_sslbase check_priority check_severity check_platform check_opsys check_shadowdb check_urlbase check_webdotbase - check_user_verify_class + check_user_verify_class check_ip check_mail_delivery_method check_notification check_utf8 check_bug_status check_smtp_auth check_theschwartz_available check_maxattachmentsize check_email check_smtp_ssl @@ -104,6 +104,15 @@ sub check_sslbase { return ""; } +sub check_ip { + my $inbound_proxies = shift; + my @proxies = split(/[\s,]+/, $inbound_proxies); + foreach my $proxy (@proxies) { + validate_ip($proxy) || return "$proxy is not a valid IPv4 or IPv6 address"; + } + return ""; +} + sub check_utf8 { my $utf8 = shift; # You cannot turn off the UTF-8 parameter if you've already converted -- cgit v1.2.1