Bommels05/Mozilla
Bommels05/Mozilla
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Bug 300336: Bugzilla::Auth should not contain any exported subroutines

Browse Source 
Patch By Max Kanat-Alexander <mkanat@bugzilla.org> r=LpSolit, a=justdave


git-svn-id: svn://10.0.0.236/trunk@175984 18797224-902f-48f8-a5cc-f745e15eee43
This commit is contained in:
mkanat%kerio.com 2005-07-13 03:57:02 +00:00
parent 361f423438
commit 7e57a969dd
9 changed files with 62 additions and 69 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

49
mozilla/webtools/bugzilla/Bugzilla/Auth.pm
View File

@ -23,8 +23,6 @@
package Bugzilla::Auth;
use strict;
use base qw(Exporter);
@Bugzilla::Auth::EXPORT = qw(bz_crypt);
use Bugzilla::Config;
use Bugzilla::Constants;
@ -44,31 +42,6 @@ BEGIN {
}
}
sub bz_crypt ($) {
my ($password) = @_;
# The list of characters that can appear in a salt. Salts and hashes
# are both encoded as a sequence of characters from a set containing
# 64 characters, each one of which represents 6 bits of the salt/hash.
# The encoding is similar to BASE64, the difference being that the
# BASE64 plus sign (+) is replaced with a forward slash (/).
my @saltchars = (0..9, 'A'..'Z', 'a'..'z', '.', '/');
# Generate the salt. We use an 8 character (48 bit) salt for maximum
# security on systems whose crypt uses MD5. Systems with older
# versions of crypt will just use the first two characters of the salt.
my $salt = '';
for ( my $i=0 ; $i < 8 ; ++$i ) {
$salt .= $saltchars[rand(64)];
}
# Crypt the password.
my $cryptedpassword = crypt($password, $salt);
# Return the crypted password.
return $cryptedpassword;
}
# PRIVATE
# A number of features, like password change requests, require the DB
@ -160,11 +133,6 @@ __END__
Bugzilla::Auth - Authentication handling for Bugzilla users
=head1 SYNOPSIS
# Class Functions
$crypted = bz_crypt($password);
=head1 DESCRIPTION
Handles authentication for Bugzilla users.
@ -184,23 +152,6 @@ authentication or login modules.
=over 4
=item C<bz_crypt($password)>
Takes a string and returns a C<crypt>ed value for it, using a random salt.
Please always use this function instead of the built-in perl "crypt"
when initially encrypting a password.
=begin undocumented
Random salts are generated because the alternative is usually
to use the first two characters of the password itself, and since
the salt appears in plaintext at the beginning of the encrypted
password string this has the effect of revealing the first two
characters of the password to anyone who views the encrypted version.
=end undocumented
=item C<Bugzilla::Auth::get_netaddr($ipaddr)>
Given an ip address, this returns the associated network address, using

5
mozilla/webtools/bugzilla/Bugzilla/Auth/Verify/DB.pm
View File

@ -34,10 +34,7 @@ use strict;
use Bugzilla::Config;
use Bugzilla::Constants;
use Bugzilla::Util;
# Because of the screwy way that Auth works, it thinks
# that we're redefining subroutines if we "use" anything
# that "uses" Bugzilla::Auth.
require Bugzilla::User;
use Bugzilla::User;
my $edit_options = {
'new' => 1,

1
mozilla/webtools/bugzilla/Bugzilla/User.pm
View File

@ -41,7 +41,6 @@ use Bugzilla::Error;
use Bugzilla::Util;
use Bugzilla::Constants;
use Bugzilla::User::Setting;
use Bugzilla::Auth;
use base qw(Exporter);
@Bugzilla::User::EXPORT = qw(insert_new_user is_available_username

53
mozilla/webtools/bugzilla/Bugzilla/Util.pm
View File

@ -37,7 +37,8 @@ use base qw(Exporter);
diff_arrays diff_strings
trim wrap_comment find_wrap_point
format_time format_time_decimal
file_mod_time);
file_mod_time
bz_crypt);
use Bugzilla::Config;
use Bugzilla::Error;
@ -309,6 +310,31 @@ sub file_mod_time ($) {
return $mtime;
}
sub bz_crypt ($) {
my ($password) = @_;
# The list of characters that can appear in a salt. Salts and hashes
# are both encoded as a sequence of characters from a set containing
# 64 characters, each one of which represents 6 bits of the salt/hash.
# The encoding is similar to BASE64, the difference being that the
# BASE64 plus sign (+) is replaced with a forward slash (/).
my @saltchars = (0..9, 'A'..'Z', 'a'..'z', '.', '/');
# Generate the salt. We use an 8 character (48 bit) salt for maximum
# security on systems whose crypt uses MD5. Systems with older
# versions of crypt will just use the first two characters of the salt.
my $salt = '';
for ( my $i=0 ; $i < 8 ; ++$i ) {
$salt .= $saltchars[rand(64)];
}
# Crypt the password.
my $cryptedpassword = crypt($password, $salt);
# Return the crypted password.
return $cryptedpassword;
}
sub ValidateDate {
my ($date, $format) = @_;
my $date2;
@ -369,6 +395,9 @@ Bugzilla::Util - Generic utility functions for bugzilla
# Functions for dealing with files
$time = file_mod_time($filename);
# Cryptographic Functions
$crypted_password = bz_crypt($password);
=head1 DESCRIPTION
This package contains various utility functions which do not belong anywhere
@ -563,3 +592,25 @@ of the "mtime" parameter of the perl "stat" function.
=back
=head2 Cryptography
=over 4
=item C<bz_crypt($password)>
Takes a string and returns a C<crypt>ed value for it, using a random salt.
Please always use this function instead of the built-in perl "crypt"
when initially encrypting a password.
=begin undocumented
Random salts are generated because the alternative is usually
to use the first two characters of the password itself, and since
the salt appears in plaintext at the beginning of the encrypted
password string this has the effect of revealing the first two
characters of the password to anyone who views the encrypted version.
=end undocumented
=back

17
mozilla/webtools/bugzilla/checksetup.pl
View File

@ -1414,22 +1414,19 @@ if ($^O !~ /MSWin32/i) {
# This is done here, because some modules require params to be set up, which
# won't have happened earlier.
# The only use for loading globals.pl is for Crypt(), which should at some
# point probably be factored out into Bugzilla::Auth::*
# It's never safe to directly "use" a module in checksetup. If a module
# prerequisite is missing, and you "use" a module that requires it,
# then instead of our nice normal checksetup message the user would
# get a cryptic perl error about the missing module.
# XXX - bug 278792: Crypt has been moved to Bugzilla::Auth::bz_crypt.
# This section is probably no longer needed, but we need to make sure
# that things still work if we remove globals.pl. So that's for later.
# It's safe to use Bugzilla::Auth here because parameters have now been
# defined.
require Bugzilla::Auth;
import Bugzilla::Auth 'bz_crypt';
# So, we always wrap our "use" statements in checksetup in a string eval.
# This is done so we can add new settings as developers need them.
require Bugzilla::User::Setting;
import Bugzilla::User::Setting qw(add_setting);
eval("use Bugzilla:Util");
# globals.pl clears the PATH, but File::Find uses Cwd::cwd() instead of
# Cwd::getcwd(), which we need to do because `pwd` isn't in the path - see
# http://www.xray.mpe.mpg.de/mailing-lists/perl5-porters/2001-09/msg00115.html

1
mozilla/webtools/bugzilla/editusers.cgi
View File

@ -27,7 +27,6 @@ use Bugzilla;
use Bugzilla::User;
use Bugzilla::Config;
use Bugzilla::Constants;
use Bugzilla::Auth;
use Bugzilla::Util;
Bugzilla->login(LOGIN_REQUIRED);

1
mozilla/webtools/bugzilla/globals.pl
View File

@ -36,7 +36,6 @@ use Bugzilla::Util;
# Bring ChmodDataFile in until this is all moved to the module
use Bugzilla::Config qw(:DEFAULT ChmodDataFile $localconfig $datadir);
use Bugzilla::BugMail;
use Bugzilla::Auth;
use Bugzilla::User;
# Shut up misguided -w warnings about "used only once". For some reason,

2
mozilla/webtools/bugzilla/token.cgi
View File

@ -33,7 +33,7 @@ use vars qw($template $vars);
use Bugzilla;
use Bugzilla::Constants;
use Bugzilla::Auth;
use Bugzilla::Util;
my $cgi = Bugzilla->cgi;
my $dbh = Bugzilla->dbh;

2
mozilla/webtools/bugzilla/userprefs.cgi
View File

@ -29,7 +29,7 @@ use lib qw(.);
use Bugzilla;
use Bugzilla::Constants;
use Bugzilla::Search;
use Bugzilla::Auth;
use Bugzilla::Util;
use Bugzilla::User;
require "CGI.pl";