Changed the way password validation works. We now keep a

crypt'd version of the password in the database, and check against that. (This is silly, because we're also keeping the plaintext version there, but I have plans...) Stop passing the plaintext password around as a cookie; instead, we have a cookie that references a record in a new database table, logincookies. IMPORTANT: if updating from an older version of Bugzilla, you must run the following commands to keep things working: ./makelogincookiestable.sh echo "alter table profiles add column cryptpassword varchar(64);" | mysql bugs echo "update profiles set cryptpassword = encrypt(password,substring(rand(),3, 4));" | mysql bugs git-svn-id: svn://10.0.0.236/trunk@9121 18797224-902f-48f8-a5cc-f745e15eee43
1998-09-02 18:54:54 +00:00 · 1998-09-02 18:54:54 +00:00 · 978e4f71bb
commit 978e4f71bb
parent c36a681815
7 changed files with 105 additions and 32 deletions
--- a/mozilla/webtools/bugzilla/CGI.tcl
+++ b/mozilla/webtools/bugzilla/CGI.tcl
@ -171,7 +171,7 @@ proc make_options { src default {isregexp 0} } {


 proc PasswordForLogin {login} {
-    SendSQL "select password from profiles where login_name = '[SqlQuote $login]'"
+    SendSQL "select cryptpassword from profiles where login_name = '[SqlQuote $login]'"
    return [FetchSQLData]
 }
    
@ -179,7 +179,7 @@ proc PasswordForLogin {login} {

 proc confirm_login {{nexturl ""}} {
 #    puts "Content-type: text/plain\n"
-    global FORM COOKIE argv0
+    global FORM COOKIE argv0 env
    ConnectToDatabase
    if { [info exists FORM(Bugzilla_login)] && 
         [info exists FORM(Bugzilla_password)] } {
@ -194,10 +194,18 @@ proc confirm_login {{nexturl ""}} {
            puts "<p>Please click <b>back</b> and try again."
            exit
        }
-        set realpwd [PasswordForLogin $FORM(Bugzilla_login)]
+        set realcryptpwd [PasswordForLogin $FORM(Bugzilla_login)]
+        set enteredpwd $FORM(Bugzilla_password);
+        SendSQL "select encrypt('[SqlQuote $enteredpwd]','[crange $realcryptpwd 0 1]')";
+        set enteredcryptpwd [lindex [FetchSQLData] 0]
+        
+        
        if {[info exists FORM(PleaseMailAPassword)]} {
-            if {[cequal $realpwd ""]} {
+            if {[cequal $realcryptpwd ""]} {
                set realpwd [InsertNewUser $FORM(Bugzilla_login)]
+            } else {
+                SendSQL "select password from profiles where login_name = '[SqlQuote $FORM(Bugzilla_login)]'"
+                set realpwd [lindex [FetchSQLData] 0]
            }
            set template "From: bugzilla-daemon
 To: %s
@ -205,15 +213,16 @@ Subject: Your bugzilla password.

 To use the wonders of bugzilla, you can use the following:

-E-mail address: %s
-      Password: %s
+ E-mail address: %s
+       Password: %s

-To change your password, go to:
-[Param urlbase]changepassword.cgi
+ To change your password, go to:
+ [Param urlbase]changepassword.cgi

-(Your bugzilla and CVS password, if any, are not currently synchronized.
-Top hackers are working around the clock to fix this, as you read this.)
+ (Your bugzilla and CVS password, if any, are not currently synchronized.
+ Top hackers are working around the clock to fix this, as you read this.)
 "
+
            set msg [format $template $FORM(Bugzilla_login) \
                         $FORM(Bugzilla_login) $realpwd]
            
@ -227,7 +236,7 @@ Top hackers are working around the clock to fix this, as you read this.)
            exit
        }
                
-        if {[cequal $realpwd ""] || ![cequal $realpwd $FORM(Bugzilla_password)]} {
+        if {[cequal $realcryptpwd ""] || ![cequal $enteredcryptpwd $realcryptpwd]} {
            puts "Content-type: text/html\n"
            puts "<H1>Login failed.</H1>"
            puts "The username or password you entered is not valid.  Please"
@ -235,19 +244,33 @@ Top hackers are working around the clock to fix this, as you read this.)
            exit
        }
        set COOKIE(Bugzilla_login) $FORM(Bugzilla_login)
-        set COOKIE(Bugzilla_password) $FORM(Bugzilla_password)
+	SendSQL "insert into logincookies (userid,cryptpassword,hostname) values ([DBNameToIdAndCheck $FORM(Bugzilla_login)], '[SqlQuote $realcryptpwd]', '[SqlQuote $env(REMOTE_HOST)]')"
+        SendSQL "select LAST_INSERT_ID()"
+        set logincookie [FetchSQLData]
+        
+        
+
+
+        set COOKIE(Bugzilla_logincookie) $logincookie
        puts "Set-Cookie: Bugzilla_login=$COOKIE(Bugzilla_login) ; path=/; expires=Sun, 30-Jun-2029 00:00:00 GMT"
-        puts "Set-Cookie: Bugzilla_password=$COOKIE(Bugzilla_password) ; path=/; expires=Sun, 30-Jun-2029 00:00:00 GMT"
+        puts "Set-Cookie: Bugzilla_logincookie=$COOKIE(Bugzilla_logincookie) ; path=/; expires=Sun, 30-Jun-2029 00:00:00 GMT"
+
+        # This next one just cleans out any old bugzilla passwords that may
+        # be sitting around in the cookie files, from the bad old days when
+        # we actually stored the password there.
+        puts "Set-Cookie: Bugzilla_password= ; path=/; expires=Sun, 30-Jun-80 00:00:00 GMT"
+
    }


-    set realpwd {}
+    set loginok 0

-    if { [info exists COOKIE(Bugzilla_login)] && [info exists COOKIE(Bugzilla_password)] } {
-        set realpwd [PasswordForLogin $COOKIE(Bugzilla_login)]
+    if { [info exists COOKIE(Bugzilla_login)] && [info exists COOKIE(Bugzilla_logincookie)] } {
+        SendSQL "select profiles.login_name = '[SqlQuote $COOKIE(Bugzilla_login)]' and profiles.cryptpassword = logincookies.cryptpassword and logincookies.hostname = '[SqlQuote $env(REMOTE_HOST)]' from profiles,logincookies where logincookies.cookie = $COOKIE(Bugzilla_logincookie) and profiles.userid = logincookies.userid"
+        set loginok [FetchSQLData]
    }

-    if {[cequal $realpwd ""] || ![cequal $realpwd $COOKIE(Bugzilla_password)]} {
+    if {$loginok != "1"} {
        puts "Content-type: text/html\n"
        puts "<H1>Please log in.</H1>"
        puts "I need a legitimate e-mail address and password to continue."
@ -284,9 +307,18 @@ e-mail address above and click
 here:<input type=submit value=\"E-mail me a password\"
 name=PleaseMailAPassword>
 </form>"
+
+        # This seems like as good as time as any to get rid of old
+        # crufty junk in the logincookies table.  Get rid of any entry
+        # that hasn't been used in a month.
+        SendSQL "delete from logincookies where to_days(now()) - to_days(lastused) > 30"
+
        
        exit
    }
+
+    # Update the timestamp on our logincookie, so it'll keep on working.
+    SendSQL "update logincookies set lastused = null where cookie = $COOKIE(Bugzilla_logincookie)"
 }


--- a/mozilla/webtools/bugzilla/changepassword.cgi
+++ b/mozilla/webtools/bugzilla/changepassword.cgi
@ -66,7 +66,11 @@ Please click <b>Back</b> and try again."

 puts "Content-type: text/html\n"

-SendSQL "update profiles set password='$pwd' where login_name='[SqlQuote $COOKIE(Bugzilla_login)]'"
+SendSQL "select encrypt('$pwd')"
+set encrypted [lindex [FetchSQLData] 0]
+
+SendSQL "update profiles set password='$pwd',cryptpassword='$encrypted' where login_name='[SqlQuote $COOKIE(Bugzilla_login)]'"
+SendSQL "update logincookies set cryptpassword = '$encrypted' where cookie = $COOKIE(Bugzilla_logincookie)"

 puts "<H1>OK, done.</H1>
 Your new password has been set.
--- a/mozilla/webtools/bugzilla/globals.tcl
+++ b/mozilla/webtools/bugzilla/globals.tcl
@ -49,14 +49,6 @@ proc ConnectToDatabase {} {
    }
 }

-# Useful for my stand-alone debugging
-proc DebugConnect {} {
-    global COOKIE
-    set COOKIE(Bugzilla_login) terry
-    set COOKIE(Bugzilla_password) terry
-    ConnectToDatabase
-}
-

 proc SendSQL { str } {
 # puts $str
@ -71,7 +63,12 @@ proc SendSQL { str } {
 proc MoreSQLData {} {
    global mysqlhandle
    set result [mysqlresult $mysqlhandle "rows?"]
-    return [expr ![cequal $result ""] && $result > 0]
+    if {![cequal $result ""]} {
+        if {$result > 0} {
+            return 1
+        }
+    }
+    return 0
 }

 proc FetchSQLData {} {
@ -286,7 +283,7 @@ proc InsertNewUser {username} {
    loop i 0 8 {
        append pwd [cindex "abcdefghijklmnopqrstuvwxyz" [random 26]]
    }
-    SendSQL "insert into profiles (login_name, password) values ('[SqlQuote $username]', '$pwd')"
+    SendSQL "insert into profiles (login_name, password, cryptpassword) values ('[SqlQuote $username]', '$pwd', encrypt('$pwd'))"
    return $pwd
 }

--- a/mozilla/webtools/bugzilla/makelogincookiestable.sh
+++ b/mozilla/webtools/bugzilla/makelogincookiestable.sh
@ -0,0 +1,40 @@
+#!/bin/sh
+#
+# The contents of this file are subject to the Mozilla Public License
+# Version 1.0 (the "License"); you may not use this file except in
+# compliance with the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+# 
+# Software distributed under the License is distributed on an "AS IS"
+# basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See the
+# License for the specific language governing rights and limitations
+# under the License.
+# 
+# The Original Code is the Bugzilla Bug Tracking System.
+# 
+# The Initial Developer of the Original Code is Netscape Communications
+# Corporation. Portions created by Netscape are Copyright (C) 1998
+# Netscape Communications Corporation. All Rights Reserved.
+# 
+# Contributor(s): Terry Weissman <terry@mozilla.org>
+
+mysql bugs > /dev/null 2>/dev/null << OK_ALL_DONE
+
+drop table logincookies;
+OK_ALL_DONE
+
+mysql bugs << OK_ALL_DONE
+
+create table logincookies (
+    cookie mediumint not null auto_increment primary key,
+    userid mediumint not null,
+    cryptpassword varchar(64),
+    hostname varchar(128),
+    lastused timestamp,
+    index(lastused)
+);
+
+show columns from logincookies;
+show index from logincookies;
+
+OK_ALL_DONE
--- a/mozilla/webtools/bugzilla/makeprofilestable.sh
+++ b/mozilla/webtools/bugzilla/makeprofilestable.sh
@ -31,6 +31,7 @@ create table profiles (
 userid mediumint not null auto_increment primary key,
 login_name varchar(255) not null,
 password varchar(16),
+cryptpassword varchar(64),
 realname varchar(255),
 index(login_name)
 );
--- a/mozilla/webtools/bugzilla/query.cgi
+++ b/mozilla/webtools/bugzilla/query.cgi
@ -234,11 +234,9 @@ if {[info exists COOKIE(Bugzilla_login)]} {
    if {[cequal $COOKIE(Bugzilla_login) [Param maintainer]]} {
        puts "<a href=editparams.cgi>Edit Bugzilla operating parameters</a><br>"
    }
-    puts "
-<a href=relogin.cgi>Log in as someone besides <b>$COOKIE(Bugzilla_login)</b></a><br>
-<a href=changepassword.cgi>Change my password.</a><br>"
+    puts "<a href=relogin.cgi>Log in as someone besides <b>$COOKIE(Bugzilla_login)</b></a><br>"
 }
-
+puts "<a href=changepassword.cgi>Change your password.</a><br>"
 puts "<a href=\"enter_bug.cgi\">Create a new bug.</a><br>"

 }]} {
--- a/mozilla/webtools/bugzilla/relogin.cgi
+++ b/mozilla/webtools/bugzilla/relogin.cgi
@ -26,6 +26,7 @@ source CGI.tcl


 puts "Set-Cookie: Bugzilla_login= ; path=/; expires=Sun, 30-Jun-80 00:00:00 GMT
+Set-Cookie: Bugzilla_logincookie= ; path=/; expires=Sun, 30-Jun-80 00:00:00 GMT
 Set-Cookie: Bugzilla_password= ; path=/; expires=Sun, 30-Jun-80 00:00:00 GMT
 Content-type: text/html