Bug 907438 - In MySQL, login cookie checking is not case-sensitive, reducing total entropy and allowing easier brute force

r=LpSolit,a=sgreen git-svn-id: svn://10.0.0.236/branches/BUGZILLA-4_0-BRANCH@265057 18797224-902f-48f8-a5cc-f745e15eee43
2013-10-16 17:01:24 +00:00
parent 8dc631e917
commit ced7a0a876
2 changed files with 4 additions and 4 deletions
--- a/mozilla/webtools/bugzilla/.bzrrev
+++ b/mozilla/webtools/bugzilla/.bzrrev
@@ -1 +1 @@
-7757
+7758
--- a/mozilla/webtools/bugzilla/Bugzilla/Auth/Login/Cookie.pm
+++ b/mozilla/webtools/bugzilla/Bugzilla/Auth/Login/Cookie.pm
@@ -60,8 +60,8 @@ sub get_login_info {
        trick_taint($login_cookie);
        detaint_natural($user_id);

-        my $is_valid =
-          $dbh->selectrow_array('SELECT 1
+        my $db_cookie =
+          $dbh->selectrow_array('SELECT cookie
                                   FROM logincookies
                                  WHERE cookie = ?
                                        AND userid = ?
@@ -69,7 +69,7 @@ sub get_login_info {
                                 undef, ($login_cookie, $user_id, $ip_addr));

        # If the cookie is valid, return a valid username.
-        if ($is_valid) {
+        if (defined $db_cookie && $login_cookie eq $db_cookie) {
            # If we logged in successfully, then update the lastused 
            # time on the login cookie
            $dbh->do("UPDATE logincookies SET lastused = NOW()