From fd87911bb05e072c61628bd313579d06e95f2525 Mon Sep 17 00:00:00 2001
From: "lpsolit%gmail.com" <>
Date: Mon, 5 May 2008 04:55:06 +0000
Subject: =?UTF-8?q?Bug=20419188:=20[SECURITY]=20email=5Fin.pl=20lets=20you?=
 =?UTF-8?q?=20set=20the=20changer=20as=20@reporter=20instead=20of=20only?=
 =?UTF-8?q?=20checking=20the=20"From"=20header=20-=20Patch=20by=20Fr=C3=83?=
 =?UTF-8?q?=C2=A9d=C3=83=C2=A9ric=20Buclin=20<LpSolit@gmail.com>=20r=3Dmka?=
 =?UTF-8?q?nat=20a=3DLpSolit?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 email_in.pl | 10 ++++++++++
 1 file changed, 10 insertions(+)

(limited to 'email_in.pl')

diff --git a/email_in.pl b/email_in.pl
index 864bdee7f..81637ebc4 100644
--- a/email_in.pl
+++ b/email_in.pl
@@ -106,6 +106,16 @@ sub parse_mail {
             
             if ($line =~ /^@(\S+)\s*=\s*(.*)\s*/) {
                 $current_field = lc($1);
+                # It's illegal to pass the reporter field as you could
+                # override the "From:" field of the message and bypass
+                # authentication checks, such as PGP.
+                if ($current_field eq 'reporter') {
+                    # We reset the $current_field variable to something
+                    # post_bug and process_bug will ignore, in case the
+                    # attacker splits the reporter field on several lines.
+                    $current_field = 'illegal_field';
+                    next;
+                }
                 $fields{$current_field} = $2;
             }
             else {
-- 
cgit v1.2.1