Red Hat Bugzilla – Attachment 303787 Details for Bug 443570
FEAT: Match the new db schema of bz3.0 [#11 TABLE logincookies]
logincookies.patch (text/plain), 25.71 KB, created by XINSUN on 2008-04-25 14:00:18 UTC
Description: For patching operation
Flags: patch, obsolete
>Index: Bugzilla.pm >=================================================================== >RCS file: /cvs/qa/hwcert/Bugzilla.pm,v >retrieving revision 1.3 >diff -u -r1.3 Bugzilla.pm >--- Bugzilla.pm 6 Feb 2008 21:24:22 -0000 1.3 >+++ Bugzilla.pm 24 Apr 2008 15:31:37 -0000 >@@ -126,7 +126,7 @@ > > login_class->logout($_user, $option); > if ($option != LOGOUT_KEEP_CURRENT) { >- Bugzilla::Auth::Cookie->clear_browser_cookies(); >+ Bugzilla::Auth::CGI->clear_browser_cookies(); > logout_request(); > } > } >Index: Bugzilla/Auth.pm >=================================================================== >RCS file: /cvs/qa/hwcert/Bugzilla/Auth.pm,v >retrieving revision 1.1.1.1 >diff -u -r1.1.1.1 Auth.pm >--- Bugzilla/Auth.pm 16 Nov 2004 16:42:36 -0000 1.1.1.1 >+++ Bugzilla/Auth.pm 24 Apr 2008 15:31:37 -0000 >@@ -39,6 +39,16 @@ > > our @ISA; > push (@ISA, "Bugzilla::Auth::" . $loginmethod); >+ >+ # REDHAT EXTENSION 434897 >+ # HACK FOR PROXY PASS-THROUGH >+ # First check for SERVER_SOFTWARE because it's required to be >+ # defined for all requests in the CGI spec >+ # Then if client is one of the proxy servers then we try to use the >+ # HTTP_X_FORWARDED_FOR address as the client's real IP address >+ if ( exists $ENV{SERVER_SOFTWARE} and $ENV{REMOTE_ADDR} =~ /^10\.8\.2\.15\d$/ ) { >+ $ENV{REMOTE_ADDR} = $ENV{HTTP_X_FORWARDED_FOR} =~ /([^,\s]+)$/; >+ } > } > > # PRIVATE 
>@@ -61,6 +71,29 @@ > return join(".", unpack("CCCC", pack("N", $addr))); > } > >+sub remember_login { >+ my ( $remember ) = @_; >+ >+ my $cgi = Bugzilla->cgi; >+ >+ $remember = $remember ? $remember : $cgi->param('Bugzilla_remember'); >+ >+ # Remember cookie if admin has told so... >+ if ( Param('rememberlogin') eq 'on' ) { >+ return 1 >+ } >+ >+ # or admin didn't forbid it and user told to remember. >+ if ( Param('rememberlogin') ne 'off' >+ && $remember >+ && $remember eq 'on' ) { >+ return 1; >+ } >+ >+ # don't remember login >+ return 0; >+} >+ > 1; > > __END__ >Index: Bugzilla/CGI.pm >=================================================================== >RCS file: /cvs/qa/hwcert/Bugzilla/CGI.pm,v >retrieving revision 1.1.1.1 >diff -u -r1.1.1.1 CGI.pm >--- Bugzilla/CGI.pm 16 Nov 2004 16:42:36 -0000 1.1.1.1 >+++ Bugzilla/CGI.pm 24 Apr 2008 15:31:37 -0000 >@@ -189,6 +189,17 @@ > return; > } > >+# Cookies are removed by setting an expiry date in the past. >+# This method is a send_cookie wrapper doing exactly this. >+sub remove_cookie { >+ my $self = shift; >+ my ($cookiename) = (@_); >+ >+ # Expire the cookie, giving a non-empty dummy value (bug 268146). >+ $self->send_cookie('-name' => $cookiename, >+ '-expires' => 'Tue, 15-Sep-1998 21:49:00 GMT', >+ '-value' => 'X'); >+} > > 1; > >Index: Bugzilla/Auth/CGI.pm >=================================================================== >RCS file: /cvs/qa/hwcert/Bugzilla/Auth/CGI.pm,v >retrieving revision 1.6 >diff -u -r1.6 CGI.pm >--- Bugzilla/Auth/CGI.pm 26 Jul 2007 14:44:49 -0000 1.6 >+++ Bugzilla/Auth/CGI.pm 24 Apr 2008 15:31:37 -0000 
>@@ -34,69 +34,110 @@ > use Bugzilla::Constants; > use Bugzilla::Error; > use Bugzilla::Util; >-use Bugzilla::Auth::Cookie; >+ >+my $COOKIE_EXPIRES = Param('cookie_expire_days') || 3; >+my $COOKIE_SECURE = Param('cookie_secure'); > > sub login { >- my ( $class, $type ) = @_; >+ my ($class, $type) = @_; > > # 'NORMAL' logins depend on the 'requirelogin' param >- if ( $type == LOGIN_NORMAL ) { >- $type = Param('requirelogin') ? LOGIN_REQUIRED: LOGIN_OPTIONAL; >+ if ($type == LOGIN_NORMAL) { >+ $type = Param('requirelogin') ? LOGIN_REQUIRED : LOGIN_OPTIONAL; > } > > my $cgi = Bugzilla->cgi; > > # First, try the actual login method against form variables > my $username = $cgi->param("Bugzilla_login"); >- my $passwd = $cgi->param("Bugzilla_password"); >+ my $passwd = $cgi->param("Bugzilla_password"); >+ >+ $cgi->delete('Bugzilla_login', 'Bugzilla_password'); > > my $authmethod = Param("loginmethod"); >- my ( $authres, $userid, $extra, $info ) >- = Bugzilla::Auth->authenticate( $username, $passwd ); >+ my ($authres, $userid, $extra, $info) >+ = Bugzilla::Auth->authenticate($username, $passwd); > >- my $login_info_ref = { userid => $userid }; >- if ( $authres == AUTH_NODATA ) { >- $login_info_ref = Bugzilla::Auth::Cookie->get_cookie_login_info($cgi); >+ if ($authres == AUTH_OK) { >+ # Login via username/password was correct and valid, so create >+ # and send out the login cookies >+ my $ipaddr = $cgi->remote_addr; >+ unless ($cgi->param('Bugzilla_restrictlogin') || >+ Param('loginnetmask') == 32) { >+ $ipaddr = Bugzilla::Auth::get_netaddr($ipaddr); >+ } > >- my $authmethod = "Cookie"; >+ # The IP address is valid, at least for comparing with itself in a >+ # subsequent login >+ trick_taint($ipaddr); >+ >+ my $logincookie = >+ Bugzilla::Token::GenerateUniqueToken('logincookies', 'cookie'); >+ >+ my $dbh = Bugzilla->dbh; >+ $dbh->do("INSERT INTO logincookies (cookie, userid, ipaddr, lastused) >+ VALUES (?, ?, ?, NOW())", >+ undef, $logincookie, $userid, $ipaddr); >+ >+ # 
Remember cookie only if admin has told so >+ # or admin didn't forbid it and user told to remember. >+ if ((Param('rememberlogin') eq 'on') || >+ ((Param('rememberlogin') ne 'off') && >+ ($cgi->param('Bugzilla_remember') eq 'on'))) { >+ my $expires = "+" . $COOKIE_EXPIRES . "d"; >+ $cgi->send_cookie(-name => 'Bugzilla_login', >+ -value => $userid, >+ -expires => $expires, >+ -secure => $COOKIE_SECURE); >+ $cgi->send_cookie(-name => 'Bugzilla_logincookie', >+ -value => $logincookie, >+ -expires => $expires, >+ -secure => $COOKIE_SECURE); > >- ( $authres, $userid, $extra ) = Bugzilla::Auth::Cookie->authenticate( >- $login_info_ref->{userid}, >- $login_info_ref->{token}, >- $login_info_ref->{session} >- ); >+ } >+ else { >+ $cgi->send_cookie(-name => 'Bugzilla_login', >+ -value => $userid, >+ -secure => $COOKIE_SECURE); >+ $cgi->send_cookie(-name => 'Bugzilla_logincookie', >+ -value => $logincookie, >+ -secure => $COOKIE_SECURE); > >- $authres = AUTH_NODATA if $authres == AUTH_LOGINFAILED; >+ } > } >+ elsif ($authres == AUTH_NODATA) { >+ # No data from the form, so try to login via cookies >+ $username = $cgi->cookie("Bugzilla_login"); >+ $passwd = $cgi->cookie("Bugzilla_logincookie"); >+ >+ require Bugzilla::Auth::Cookie; >+ my $authmethod = "Cookie"; >+ >+ ($authres, $userid, $extra) = >+ Bugzilla::Auth::Cookie->authenticate($username, $passwd); > >- # Reset the cookies if we are successfully logged in >- if ( $authres == AUTH_OK ) { >- Bugzilla::Auth::Cookie->set_cookie_login_info( >- $login_info_ref->{userid}, >- $login_info_ref->{token}, >- $login_info_ref->{session} >- ); >+ # If the data for the cookie was incorrect, then treat that as >+ # NODATA. This could occur if the user's IP changed, for example. 
>+ # Give them un-loggedin access if allowed (checked below) >+ $authres = AUTH_NODATA if $authres == AUTH_LOGINFAILED; > } > > # Now check the result > > # An error may have occurred with the login mechanism >- if ( $authres == AUTH_ERROR ) { >- ThrowCodeError( >- "auth_err", >- { authmethod => lc($authmethod), >- userid => $userid, >- auth_err_tag => $extra, >- info => $info >- } >- ); >+ if ($authres == AUTH_ERROR) { >+ ThrowCodeError("auth_err", >+ { authmethod => lc($authmethod), >+ userid => $userid, >+ auth_err_tag => $extra, >+ info => $info >+ }); > } > > # We can load the page if the login was ok, or there was no data > # but a login wasn't required >- if ( $authres == AUTH_OK >- || ( $authres == AUTH_NODATA && $type == LOGIN_OPTIONAL ) ) >- { >+ if ($authres == AUTH_OK || >+ ($authres == AUTH_NODATA && $type == LOGIN_OPTIONAL)) { > > # login succeded, so we're done > return $userid; 
>@@ -104,21 +145,26 @@ > > # No login details were given, but we require a login if the > # page does >- if ( $authres == AUTH_NODATA && $type == LOGIN_REQUIRED ) { >- >+ if ($authres == AUTH_NODATA && $type == LOGIN_REQUIRED) { > # Throw up the login page > > print Bugzilla->cgi->header(); > > my $template = Bugzilla->template; >- $template->process( >- "account/auth/login.html.tmpl", >- { 'target' => $cgi->url( -relative => 1 ), >- 'form' => \%::FORM, >- 'mform' => \%::MFORM, >- 'caneditaccount' => Bugzilla::Auth->can_edit, >- } >- ) || ThrowTemplateError( $template->error() ); >+ $template->process("account/auth/login.html.tmpl", >+ { 'target' => $cgi->url(-relative=>1), >+ 'form' => \%::FORM, >+ 'mform' => \%::MFORM, >+ 'caneditaccount' => Bugzilla::Auth->can_edit, >+ } >+ ) >+ || ThrowTemplateError($template->error()); >+ >+ # This seems like as good as time as any to get rid of old >+ # crufty junk in the logincookies table. Get rid of any entry >+ # that hasn't been used in a month. >+ Bugzilla->dbh->do("DELETE FROM logincookies " . >+ "WHERE TO_DAYS(NOW()) - TO_DAYS(lastused) > 30"); > > exit; > } 
>@@ -127,41 +173,62 @@ > # Don't let the user know whether the username exists or whether > # the password was just wrong. (This makes it harder for a cracker > # to find account names by brute force) >- if ( $authres == AUTH_LOGINFAILED ) { >- ThrowUserError( >- "invalid_username_or_password", >- { 'username' => $username, >- 'caneditaccount' => Bugzilla::Auth->can_edit >- } >- ); >+ if ($authres == AUTH_LOGINFAILED) { >+ ThrowUserError("invalid_username_or_password"); > } > > # The account may be disabled >- if ( $authres == AUTH_DISABLED ) { >- Bugzilla::Auth::Cookie->clear_browser_cookies(); >- >+ if ($authres == AUTH_DISABLED) { >+ clear_browser_cookies(); > # and throw a user error >- ThrowUserError( "account_disabled", { 'disabled_reason' => $extra } ); >- } >- >- if ( $authres == AUTH_BADSESSION ) { >- ThrowUserError("stolen_session_cookie"); >+ ThrowUserError("account_disabled", >+ {'disabled_reason' => $extra}); > } > > # If we get here, then we've run out of options, which shouldn't happen >- ThrowCodeError( >- "authres_unhandled", >- { authres => $authres, >- type => $type, >- } >- ); >+ ThrowCodeError("authres_unhandled", { authres => $authres, >+ type => $type, }); > } > > # Logs user out, according to the option provided; this consists of > # removing entries from logincookies for the specified $user. > sub logout { >- my ( $class, $user, $option ) = @_; >- Bugzilla::Auth::Cookie->logout( $user, $option ); >+ my ($class, $user, $option) = @_; >+ my $dbh = Bugzilla->dbh; >+ $option = LOGOUT_ALL unless defined $option; >+ >+ if ($option == LOGOUT_ALL) { >+ $dbh->do("DELETE FROM logincookies WHERE userid = ?", >+ undef, $user->id); >+ return; >+ } >+ >+ # The LOGOUT_*_CURRENT options require a cookie >+ my $cookie = Bugzilla->cgi->cookie("Bugzilla_logincookie"); >+ trick_taint($cookie); >+ >+ # These queries use both the cookie ID and the user ID as keys. 
Even >+ # though we know the userid must match, we still check it in the SQL >+ # as a sanity check, since there is no locking here, and if the user >+ # logged out from two machines simultaneously, while someone else >+ # logged in and got the same cookie, we could be logging the other >+ # user out here. Yes, this is very very very unlikely, but why take >+ # chances? - bbaetz >+ if ($option == LOGOUT_KEEP_CURRENT) { >+ $dbh->do("DELETE FROM logincookies WHERE cookie != ? AND userid = ?", >+ undef, $cookie, $user->id); >+ } elsif ($option == LOGOUT_CURRENT) { >+ $dbh->do("DELETE FROM logincookies WHERE cookie = ? AND userid = ?", >+ undef, $cookie, $user->id); >+ } else { >+ die("Invalid option $option supplied to logout()"); >+ } >+} >+ >+sub clear_browser_cookies { >+ my $cgi = Bugzilla->cgi; >+ $cgi->remove_cookie('Bugzilla_login'); >+ $cgi->remove_cookie('Bugzilla_logincookie'); > } > > 1; >Index: Bugzilla/Auth/Cookie.pm >=================================================================== >RCS file: /cvs/qa/hwcert/Bugzilla/Auth/Cookie.pm,v >retrieving revision 1.4 >diff -u -r1.4 Cookie.pm >--- Bugzilla/Auth/Cookie.pm 26 Jul 2007 14:44:57 -0000 1.4 >+++ Bugzilla/Auth/Cookie.pm 24 Apr 2008 15:31:37 -0000 
>@@ -34,359 +34,59 @@ > use Bugzilla::Config; > use Bugzilla::Constants; > use Bugzilla::Util; >-use Bugzilla::Error; >-use Digest::SHA1; > >-my $COOKIE_EXPIRES = Param('cookie_expire_days') || 3; >-my $COOKIE_SECURE = Param('cookie_secure'); >-my $COOKIE_SESSION_NAME = 'Bugzilla_session'; >-my $COOKIE_TOKEN_NAME = 'Bugzilla_login'; >-my $COOKIE_TOKEN; # remembers the token created by set_cookie_login_info() >-my $EMPTY_STRING = q{}; >-my $EXPIRES_YESTERDAY = q{-1d}; >-my $MAC_SECRET = Param('mac_secret'); >+my $logger = Bugzilla->logger; > > sub authenticate { >- my ( $class, $userid, $token, $session ) = @_; >+ my ($class, $login, $login_cookie) = @_; > >- my $cgi = Bugzilla->cgi; >- >- # check params >- if ( not( $userid and $token ) ) { >- return (AUTH_NODATA); >- } >- >- # Anything goes for these params - they're just strings which >- # we're going to verify against the db >- detaint_natural($userid); >- trick_taint($token); >- trick_taint($session) if $session; >- >- my $query = " >- SELECT profiles.userid, >- profiles.disabledtext, >- logincookies.cookie, >- logincookies.session >- FROM logincookies, >- profiles >- WHERE logincookies.userid=profiles.userid >- AND logincookies.userid=? >- AND logincookies.cookie=? >- "; >- >- my $dbh = Bugzilla->dbh; >- my ( $db_userid, $db_disabledtext, $db_token, $db_session ) >- = $dbh->selectrow_array( $query, undef, $userid, $token ); >- >- # This could happen because their login info has been deleted from >- # the logincookies table since they last logged in >- if ( not( $db_userid and $db_token ) ) { >- return (AUTH_LOGINFAILED); >- } >- >- # A row was returned that matched on the cookie and userid. >- # Check if we recieved a session ID then make sure it matches >- if ( $session and ( $session ne $db_session ) ) { >- >- # we assume that Bugzilla::User->new will always succeed >- my $user = Bugzilla::User->new($userid); >- $class->logout( $user, LOGOUT_ALL ); >- MailError("Broken Cookie Series Alert: " >- . 
"SESSION[ $session ] != DB_SESSION[ $db_session ] " >- . " for TOKEN[ $token ] USERID[ $userid ]" ); >- >- return (AUTH_BADSESSION); >- } >- >- if ($db_disabledtext) { >- return ( AUTH_DISABLED, $db_userid, $db_disabledtext ); >- } >- >- return ( AUTH_OK, $db_userid ); >-} >- >-# Returns all attributes from token cookie if key is valid >-sub get_cookie_login_info { >- my $class = shift; >- my $cgi = shift || Bugzilla->cgi; >- >- ######################################## >- ## token >- >- my @info = $cgi->cookie($COOKIE_TOKEN_NAME); >- if ( not( @info == 6 ) ) { >- >- # expect 3 key/val pairs (userid/token/MAC) >- return; >- } >- my %info = @info; >- >- # find attribute >- for my $attr qw(userid token MAC) { >- if ( not $info{$attr} ) { >- return; >- } >- } >- >- # This method of using a MAC to make sure a cookie is valid >- # is discussed in the Eagle Book. >- my $MAC = Digest::SHA1::sha1_hex( >- $info{userid} . $info{token} . $MAC_SECRET ); >- >- # If the cookie's MAC matches the one we generate, we know >- # that the cookie has not been tampered with. >- if ( $info{MAC} ne $MAC ) { >- MailError("Cookie Tamper Alert: USERID: $info{userid} " >- . "TOKEN: $info{token} SESSION: $info{session} MAC: $info{MAC}" >- ); >- return; >- } >- >- ######################################## >- ## session >- >- my @session_info = $cgi->cookie($COOKIE_SESSION_NAME); >- if ( @session_info == 4 ) { >- >- # expect 2 key/val pairs (session/MAC) >- my %sinfo = @session_info; >- >- my $sMAC = Digest::SHA1::sha1_hex( $sinfo{session}, $MAC_SECRET ); >- if ( $sinfo{MAC} ne $sMAC ) { >- MailError("Series Cookie Tamper Alert: " >- . "USERID: $info{userid} TOKEN: $info{TOKEN} " >- . "SESSION: $sinfo{session} sMAC: $sinfo{MAC} " >- . 
"EXPECTED_sMAC $sMAC" ); >- return; >- } >- $info{session} = $sinfo{session}; >- } >- >- ######################################## >- ## untaint data and return as hash ref >- >- delete $info{MAC}; # discard >- trick_taint( $info{userid} ); >- trick_taint( $info{token} ); >- trick_taint( $info{session} ) if $info{session}; >- >- return \%info; >-} >- >-# assumes already authenticated >-sub set_cookie_login_info { >- my ( $class, $userid, $token, $session ) = @_; >- >- # save logincookies to persistent storage >- >- my $ref; >- if ( $token and $session ) { >- $ref = _update_lastused( $userid, $token, $session ); >- } >- elsif ($token) { >- $ref = _update_lastused_new_session( $userid, $token ); >- } >- else { >- $ref = _insert_new_session($userid); >- } >- >- # build cookies >+ return (AUTH_NODATA) unless defined $login && defined $login_cookie; > >- my %session_cookie = ( >- -name => $COOKIE_SESSION_NAME, >- -value => { >- session => $ref->{session}, >- MAC => Digest::SHA1::sha1_hex( $ref->{session}, $MAC_SECRET ), >- }, >- -secure => $COOKIE_SECURE, >- ); >- my %token_cookie = ( >- -name => $COOKIE_TOKEN_NAME, >- -value => { >- userid => $userid, >- token => $ref->{token}, >- MAC => Digest::SHA1::sha1_hex( >- $userid . $ref->{token} . $MAC_SECRET >- ) >- }, >- -secure => $COOKIE_SECURE, >- ); >+ $logger->debug("Authenticating cookie for user $login"); > >- # Remember cookie only if admin has told so >- # or admin didn't forbid it and user told to remember. > my $cgi = Bugzilla->cgi; >- my $is_remember_cookie = ( Param('rememberlogin') eq 'on' ) >- || ( ( Param('rememberlogin') ne 'off' ) >- && ( $cgi->param('Bugzilla_remember') eq 'on' ) ); >- >- if ($is_remember_cookie) { >- $token_cookie{-expires} = "+" . $COOKIE_EXPIRES . 
"d"; >- } >- >- $cgi->send_cookie(%session_cookie); >- $cgi->send_cookie(%token_cookie); >- >- # if we are about to logout then we need to delete this token >- $COOKIE_TOKEN = $ref->{token}; >-} >- >-# record in db the last time this user connected >-sub _update_lastused { >- my ( $userid, $token, $session ) = @_; >- >- # same session, same token >- my $query = "UPDATE logincookies >- SET lastused = NOW() >- WHERE cookie = ? >- AND userid = ? >- AND session = ?"; >- my @bindv = ( $token, $userid, $session ); >- >- my $dbh = Bugzilla->dbh; >- my $rows_updated = $dbh->do( $query, undef, @bindv ); > >- if ( $rows_updated != 1 ) { >- MailError("Cookie Update Last Accessed Alert: " >- . "USERID: $userid " >- . "TOKEN: $token " >- . "SESSION: $session" ); >+ my $ipaddr = $cgi->remote_addr(); >+ my $netaddr = Bugzilla::Auth::get_netaddr($ipaddr); > >+ # Anything goes for these params - they're just strings which >+ # we're going to verify against the db >+ trick_taint($login); >+ trick_taint($login_cookie); >+ trick_taint($ipaddr); >+ >+ my $query = "SELECT profiles.userid, profiles.disabledtext " . >+ "FROM logincookies, profiles " . >+ "WHERE logincookies.cookie=? AND " . >+ " logincookies.userid=profiles.userid AND " . >+ " logincookies.userid=? AND " . >+ " (logincookies.ipaddr=?"; >+ my @params = ($login_cookie, $login, $ipaddr); >+ if (defined $netaddr) { >+ trick_taint($netaddr); >+ $query .= " OR logincookies.ipaddr=?"; >+ push(@params, $netaddr); > } >- >- return { token => $token, session => $session }; >-} >- >-# user has come back with a good token but no session >-# allow them in, update lastused and create them a new session >-sub _update_lastused_new_session { >- my ( $userid, $token ) = @_; >- >- # new session, same token >- my $session = generate_unique_id(); >- >- my $query = "UPDATE logincookies >- SET lastused = NOW(), >- session = ? >- WHERE cookie = ? 
>- AND userid = ?"; >- my @bindv = ( $session, $token, $userid ); >+ $query .= ")"; > > my $dbh = Bugzilla->dbh; >- my $rows_updated = $dbh->do( $query, undef, @bindv ); >- >- if ( $rows_updated != 1 ) { >- MailError("Cookie Update New Session Alert: " >- . "USERID: $userid " >- . "TOKEN: $token " >- . "SESSION: $session" ); >- >- } >- >- return { token => $token, session => $session }; >-} >- >-# totally new login. create new session and new login token >-sub _insert_new_session { >- my $userid = shift; >- >- my $session = generate_unique_id(); >- my $token = generate_unique_id(); >- >- my $dbh = Bugzilla->dbh; >- my $rows_ins = $dbh->do( >- "INSERT INTO logincookies >- (cookie, session, userid, lastused) >- VALUES ( ?, ?, ?, NOW())", >- undef, $token, $session, $userid >- ); >- >- if ( $rows_ins != 1 ) { >- MailError("Cookie Insert Alert: " >- . "USERID: $userid " >- . "TOKEN: $token " >- . "SESSION: $session" ); >- } >- >- return { token => $token, session => $session }; >-} >+ my ($userid, $disabledtext) = $dbh->selectrow_array($query, undef, @params); > >-# generate unique id >-sub generate_unique_id { >- Digest::SHA1::sha1_hex( >- Digest::SHA1::sha1_hex( time() . {} . rand() . 
$$ ) ); >-} >+ return (AUTH_DISABLED, $userid, $disabledtext) >+ if ($disabledtext); > >-sub clear_browser_cookies { >- my $class = shift; >- my $cgi = Bugzilla->cgi; >- $cgi->send_cookie( >- -name => $COOKIE_SESSION_NAME, >- -value => $EMPTY_STRING, >- -expires => $EXPIRES_YESTERDAY, >- -secure => $COOKIE_SECURE, >- ); >- $cgi->send_cookie( >- -name => $COOKIE_TOKEN_NAME, >- -value => $EMPTY_STRING, >- -expires => $EXPIRES_YESTERDAY, >- -secure => $COOKIE_SECURE, >- ); >-} >+ if ($userid) { >+ # If we logged in successfully, then update the lastused time on the >+ # login cookie >+ $dbh->do("UPDATE logincookies SET lastused = now() WHERE cookie = ?", >+ undef, >+ $login_cookie); > >-sub get_old_token { >- my $class = shift; >- return $COOKIE_TOKEN; >-} >- >-sub get_cookie_expire_days { >- my $class = shift; >- return $COOKIE_EXPIRES; >-} >- >-# clear expired tokens from the logincookies table. >-sub clean_expired_tokens { >- my $class = shift; >- >- Bugzilla->dbh->do( "DELETE FROM logincookies WHERE " >- . Bugzilla::DB::ToDays('NOW()') . " - " >- . Bugzilla::DB::ToDays('lastused') . " > " >- . get_cookie_expire_days() ); >-} >- >-# Logs user out, according to the option provided; this consists of >-# removing entries from logincookies for the specified $user. >-sub logout { >- my ( $class, $user, $option ) = @_; >- my $dbh = Bugzilla->dbh; >- $option = LOGOUT_ALL unless defined $option; >- >- if ( $option == LOGOUT_ALL ) { >- $dbh->do( "DELETE FROM logincookies WHERE userid = ?", >- undef, $user->id ); >- return; >+ return (AUTH_OK, $userid); > } > >- # The LOGOUT_*_CURRENT options require a cookie >- my $cookie = get_old_token(); >- >- # These queries use both the cookie ID and the user ID as keys. 
Even >- # though we know the userid must match, we still check it in the SQL >- # as a sanity check, since there is no locking here, and if the user >- # logged out from two machines simultaneously, while someone else >- # logged in and got the same cookie, we could be logging the other >- # user out here. Yes, this is very very very unlikely, but why take >- # chances? - bbaetz >- if ( $option == LOGOUT_KEEP_CURRENT ) { >- $dbh->do( "DELETE FROM logincookies WHERE cookie != ? AND userid = ?", >- undef, $cookie, $user->id ); >- } >- elsif ( $option == LOGOUT_CURRENT ) { >- $dbh->do( "DELETE FROM logincookies WHERE cookie = ? AND userid = ?", >- undef, $cookie, $user->id ); >- } >- else { >- die("Invalid option $option supplied to logout()"); >- } >+ # If we get here, then the login failed. >+ return (AUTH_LOGINFAILED); > } > > 1; >
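Review bot: in the Bugzilla.pm hunk, clear_browser_cookies is invoked as a class method (`Bugzilla::Auth::CGI->clear_browser_cookies();`), but the sub added in Bugzilla/Auth/CGI.pm ignores its arguments and is called as a plain `clear_browser_cookies();` inside that file. Pick one calling convention (for example add `my $class = shift;` to the sub and use the method form everywhere) so that a later change which reads @_ does not silently break one of the two callers.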
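Review bot: the proxy pass-through block in Bugzilla/Auth.pm evaluates its match in scalar context: `$ENV{REMOTE_ADDR} = $ENV{HTTP_X_FORWARDED_FOR} =~ /([^,\s]+)$/;` assigns 1 when the pattern matches and the empty string when it does not (or when the header is absent), never the captured address. Since Bugzilla::Auth::CGI->login stores that value in logincookies.ipaddr and Bugzilla::Auth::Cookie->authenticate compares it on every cookie login, all clients arriving through the 10.8.2.15x proxies would share the same bogus value and the IP binding of login cookies would be lost for them. Use the capture explicitly and keep the original REMOTE_ADDR when the header is missing, e.g. `if (defined $ENV{HTTP_X_FORWARDED_FOR} && $ENV{HTTP_X_FORWARDED_FOR} =~ /([^,\s]+)$/) { $ENV{REMOTE_ADDR} = $1; }`. Taking the last comma-separated element is the right choice, as only the entry appended by the trusted proxy can be relied on.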
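Review bot: remember_login() added to Bugzilla/Auth.pm has no caller in this patch; the same rememberlogin/Bugzilla_remember decision is re-implemented inline in the AUTH_OK branch of Bugzilla::Auth::CGI->login (the block starting `if ((Param('rememberlogin') eq 'on') ||`). Have login() call the helper, or drop it, so the two copies cannot drift. The helper also guards the comparison with `&& $remember` before `$remember eq 'on'`, whereas the inline copy compares `$cgi->param('Bugzilla_remember') eq 'on'` against an undefined value when the checkbox is not submitted. Finally, `return 1` in the first branch lacks its semicolon; Perl accepts it as the last statement of the block, but add it for consistency with the rest of the file.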
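Review bot: remove_cookie() in Bugzilla/CGI.pm expires the cookie without the `-secure` attribute, while the clear_browser_cookies removed from Bugzilla/Auth/Cookie.pm sent its expiring cookies with `-secure => $COOKIE_SECURE`, matching how they are issued in login(); pass the same attributes here for consistency. The relative form `-expires => '-1d'` used by the removed code is also easier to read than the fixed 1998 date, although both work.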
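Review bot: in the first Bugzilla/Auth/CGI.pm hunk, `my $authmethod = "Cookie";` inside the `elsif ($authres == AUTH_NODATA)` branch declares a new lexical that goes out of scope at the end of that block, so a later `ThrowCodeError("auth_err", { authmethod => lc($authmethod), ...})` would report the outer value, Param("loginmethod"), rather than "Cookie"; assign to the outer variable instead. Second, when cookie authentication returns AUTH_LOGINFAILED and is downgraded to AUTH_NODATA, the stale Bugzilla_login/Bugzilla_logincookie pair stays in the browser and is re-checked against the database on every request; calling clear_browser_cookies() at that point avoids the repeated lookups. The added `$cgi->delete('Bugzilla_login', 'Bugzilla_password');` is a good change: it keeps the submitted credentials out of %::FORM, which this file later hands to the login template.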
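Review bot: the housekeeping added in the second Bugzilla/Auth/CGI.pm hunk, `DELETE FROM logincookies WHERE TO_DAYS(NOW()) - TO_DAYS(lastused) > 30`, hard-codes 30 days while the cookies are issued with `$COOKIE_EXPIRES` (cookie_expire_days, default 3) and the removed Bugzilla::Auth::Cookie::clean_expired_tokens used get_cookie_expire_days(); a row for a remembered login therefore stays usable in the database long after the browser has discarded the cookie, and a session-only login (no -expires) is not retired until 30 days of inactivity. Tie the DELETE to $COOKIE_EXPIRES and prefer the Bugzilla::DB::ToDays() wrapper the old code used over the MySQL-only TO_DAYS(). Running the DELETE just before `exit;` on every rendering of the login page is also an odd place for it; the logout path or a scheduled job would be a more predictable home.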
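Review bot: logout() in the third Bugzilla/Auth/CGI.pm hunk reads `Bugzilla->cgi->cookie("Bugzilla_logincookie")` and passes it to trick_taint() and into the DELETE without checking that it is defined; depending on how Bugzilla::Util::trick_taint handles undef, the call either dies or an empty string is bound, in which case LOGOUT_KEEP_CURRENT (`cookie != ?`) removes every row for the user, which is LOGOUT_ALL behaviour under the wrong option. Return early, or fall back to LOGOUT_ALL explicitly, when the cookie is missing. Also, `ThrowUserError("invalid_username_or_password")` no longer passes 'username' and 'caneditaccount'; check that the corresponding template does not still reference them.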
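Review bot: the Bugzilla/Auth/Cookie.pm hunk removes the MAC-protected cookie pair (Digest::SHA1 over userid, token and mac_secret), the per-login `session` series value, the MailError alerts ("Cookie Tamper Alert", "Broken Cookie Series Alert") and the AUTH_BADSESSION result, and replaces them with a plain (userid, random token) pair bound to logincookies.ipaddr or the netmask address. The token stays unguessable (GenerateUniqueToken), but the series check was the only mechanism that detected a copied cookie being replayed from a second machine and forced LOGOUT_ALL; after this change the address comparison is the sole defence, and it is only as good as the REMOTE_ADDR value stored at login, which the proxy handling in Bugzilla/Auth.pm decides. Record the loss of stolen-cookie detection in the commit message or a code comment so it is a documented decision rather than an accident of the schema change. Two smaller points: `my $logger = Bugzilla->logger;` runs at module load, so Bugzilla->logger must be usable before any request is set up (the patch does not show where it is defined), and the debug line should never be extended to log `$login_cookie`, which is the bearer credential.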