From ced7a0a876216905baa7c2aba83be4e651865e82 Mon Sep 17 00:00:00 2001 From: "bzrmirror%bugzilla.org" Date: Wed, 16 Oct 2013 17:01:24 +0000 Subject: [PATCH] Bug 907438 - In MySQL, login cookie checking is not case-sensitive, reducing total entropy and allowing easier brute force r=LpSolit,a=sgreen git-svn-id: svn://10.0.0.236/branches/BUGZILLA-4_0-BRANCH@265057 18797224-902f-48f8-a5cc-f745e15eee43 --- mozilla/webtools/bugzilla/.bzrrev | 2 +- mozilla/webtools/bugzilla/Bugzilla/Auth/Login/Cookie.pm | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/mozilla/webtools/bugzilla/.bzrrev b/mozilla/webtools/bugzilla/.bzrrev index fe324c23931..25f1752324b 100644 --- a/mozilla/webtools/bugzilla/.bzrrev +++ b/mozilla/webtools/bugzilla/.bzrrev @@ -1 +1 @@ -7757 \ No newline at end of file +7758 \ No newline at end of file diff --git a/mozilla/webtools/bugzilla/Bugzilla/Auth/Login/Cookie.pm b/mozilla/webtools/bugzilla/Bugzilla/Auth/Login/Cookie.pm index 91fb820fb58..de9188c64a7 100644 --- a/mozilla/webtools/bugzilla/Bugzilla/Auth/Login/Cookie.pm +++ b/mozilla/webtools/bugzilla/Bugzilla/Auth/Login/Cookie.pm @@ -60,8 +60,8 @@ sub get_login_info { trick_taint($login_cookie); detaint_natural($user_id); - my $is_valid = - $dbh->selectrow_array('SELECT 1 + my $db_cookie = + $dbh->selectrow_array('SELECT cookie FROM logincookies WHERE cookie = ? AND userid = ? @@ -69,7 +69,7 @@ sub get_login_info { undef, ($login_cookie, $user_id, $ip_addr)); # If the cookie is valid, return a valid username. - if ($is_valid) { + if (defined $db_cookie && $login_cookie eq $db_cookie) { # If we logged in successfully, then update the lastused # time on the login cookie $dbh->do("UPDATE logincookies SET lastused = NOW()