package Bugzilla::Auth;
use strict;
+use Exporter qw(import);
+@Bugzilla::Auth::EXPORT = qw(bz_crypt);
use Bugzilla::Config;
use Bugzilla::Constants;
}
}
+sub bz_crypt ($) {
+ my ($password) = @_;
+
+ # The list of characters that can appear in a salt. Salts and hashes
+ # are both encoded as a sequence of characters from a set containing
+ # 64 characters, each one of which represents 6 bits of the salt/hash.
+ # The encoding is similar to BASE64, the difference being that the
+ # BASE64 plus sign (+) is replaced with a forward slash (/).
+ my @saltchars = (0..9, 'A'..'Z', 'a'..'z', '.', '/');
+
+ # Generate the salt. We use an 8 character (48 bit) salt for maximum
+ # security on systems whose crypt uses MD5. Systems with older
+ # versions of crypt will just use the first two characters of the salt.
+ my $salt = '';
+ for ( my $i=0 ; $i < 8 ; ++$i ) {
+ $salt .= $saltchars[rand(64)];
+ }
+
+ # Crypt the password.
+ my $cryptedpassword = crypt($password, $salt);
+
+ # Return the crypted password.
+ return $cryptedpassword;
+}
+
# PRIVATE
# A number of features, like password change requests, require the DB
Bugzilla::Auth - Authentication handling for Bugzilla users
+=head1 SYNOPSIS
+
+ # Class Functions
+ $crypted = bz_crypt($password);
+
=head1 DESCRIPTION
Handles authentication for Bugzilla users.
=over 4
+=item C<bz_crypt($password)>
+
+Takes a string and returns a C<crypt>ed value for it, using a random salt.
+
+Please always use this function instead of the built-in perl "crypt"
+when initially encrypting a password.
+
+=begin undocumented
+
+Random salts are generated because the alternative is usually
+to use the first two characters of the password itself, and since
+the salt appears in plaintext at the beginning of the encrypted
+password string this has the effect of revealing the first two
+characters of the password to anyone who views the encrypted version.
+
+=end undocumented
+
=item C<Bugzilla::Auth::get_netaddr($ipaddr)>
Given an ip address, this returns the associated network address, using
sub change_password {
my ($class, $userid, $password) = @_;
my $dbh = Bugzilla->dbh;
- my $cryptpassword = Crypt($password);
+ my $cryptpassword = bz_crypt($password);
$dbh->do("UPDATE profiles SET cryptpassword = ? WHERE userid = ?",
undef, $cryptpassword, $userid);
}
# The only use for loading globals.pl is for Crypt(), which should at some
# point probably be factored out into Bugzilla::Auth::*
+# XXX - bug 278792: Crypt has been moved to Bugzilla::Auth::bz_crypt.
+# This section is probably no longer needed, but we need to make sure
+# that things still work if we remove globals.pl. So that's for later.
+
+# It's safe to use Bugzilla::Auth here because parameters have now been
+# defined.
+use Bugzilla::Auth;
+
# globals.pl clears the PATH, but File::Find uses Cwd::cwd() instead of
# Cwd::getcwd(), which we need to do because `pwd` isn't in the path - see
# http://www.xray.mpe.mpg.de/mailing-lists/perl5-porters/2001-09/msg00115.html
"(login_name, cryptpassword," .
" disabledtext) VALUES (" .
$dbh->quote($name) .
- ", " . $dbh->quote(Crypt('okthen')) . ", " .
+ ", " . $dbh->quote(bz_crypt('okthen')) . ", " .
"'Account created only to maintain database integrity')");
$s2 = $dbh->prepare("SELECT LAST_INSERT_ID()");
$s2->execute();
print "Fixing password #1... ";
while (my ($userid, $password) = $sth->fetchrow_array()) {
- my $cryptpassword = $dbh->quote(Crypt($password));
+ my $cryptpassword = $dbh->quote(bz_crypt($password));
$dbh->do("UPDATE profiles SET cryptpassword = $cryptpassword WHERE userid = $userid");
++$i;
# Let the user know where we are at every 500 records.
}
# Crypt the administrator's password
- my $cryptedpassword = Crypt($pass1);
+ my $cryptedpassword = bz_crypt($pass1);
if ($^O !~ /MSWin32/i) {
system("stty","echo"); # re-enable input echoing
use Bugzilla;
use Bugzilla::User;
use Bugzilla::Constants;
+use Bugzilla::Auth;
# Shut up misguided -w warnings about "used only once". "use vars" just
# doesn't work for me.
"emailflags, disabledtext" .
" ) VALUES ( " .
SqlQuote($user) . "," .
- SqlQuote(Crypt($password)) . "," .
+ SqlQuote(bz_crypt($password)) . "," .
SqlQuote($realname) . "," .
SqlQuote(Bugzilla::Constants::DEFAULT_EMAIL_SETTINGS) . "," .
SqlQuote($disabledtext) . ")" );
if ( $editall && $password ) {
my $passworderror = ValidatePassword($password);
if ( !$passworderror ) {
- my $cryptpassword = SqlQuote(Crypt($password));
+ my $cryptpassword = SqlQuote(bz_crypt($password));
my $loginname = SqlQuote($userold);
SendSQL("UPDATE profiles
SET cryptpassword = $cryptpassword
# Bring ChmodDataFile in until this is all moved to the module
use Bugzilla::Config qw(:DEFAULT ChmodDataFile $localconfig $datadir);
use Bugzilla::BugMail;
+use Bugzilla::Auth;
# Shut up misguided -w warnings about "used only once". For some reason,
# "use vars" chokes on me when I try it here.
# Generate a new random password for the user.
my $password = GenerateRandomPassword();
- my $cryptpassword = Crypt($password);
+ my $cryptpassword = bz_crypt($password);
my $defaultflagstring = SqlQuote(Bugzilla::Constants::DEFAULT_EMAIL_SETTINGS);
}
}
-
-sub Crypt {
- # Crypts a password, generating a random salt to do it.
- # Random salts are generated because the alternative is usually
- # to use the first two characters of the password itself, and since
- # the salt appears in plaintext at the beginning of the crypted
- # password string this has the effect of revealing the first two
- # characters of the password to anyone who views the crypted version.
-
- my ($password) = @_;
-
- # The list of characters that can appear in a salt. Salts and hashes
- # are both encoded as a sequence of characters from a set containing
- # 64 characters, each one of which represents 6 bits of the salt/hash.
- # The encoding is similar to BASE64, the difference being that the
- # BASE64 plus sign (+) is replaced with a forward slash (/).
- my @saltchars = (0..9, 'A'..'Z', 'a'..'z', '.', '/');
-
- # Generate the salt. We use an 8 character (48 bit) salt for maximum
- # security on systems whose crypt uses MD5. Systems with older
- # versions of crypt will just use the first two characters of the salt.
- my $salt = '';
- for ( my $i=0 ; $i < 8 ; ++$i ) {
- $salt .= $saltchars[rand(64)];
- }
-
- # Crypt the password.
- my $cryptedpassword = crypt($password, $salt);
-
- # Return the crypted password.
- return $cryptedpassword;
-}
-
sub DBID_to_real_or_loginname {
my ($id) = (@_);
PushGlobalSQLState();
use Bugzilla;
use Bugzilla::Constants;
+use Bugzilla::Auth;
my $cgi = Bugzilla->cgi;
sub changePassword {
# Quote the password and token for inclusion into SQL statements.
- my $cryptedpassword = Crypt($cgi->param('password'));
+ my $cryptedpassword = bz_crypt($cgi->param('password'));
my $quotedpassword = SqlQuote($cryptedpassword);
# Get the user's ID from the tokens table.
use Bugzilla;
use Bugzilla::Constants;
use Bugzilla::Search;
+use Bugzilla::Auth;
require "CGI.pl";
|| ThrowUserError("new_password_missing");
ValidatePassword($pwd1, $pwd2);
- my $cryptedpassword = SqlQuote(Crypt($pwd1));
+ my $cryptedpassword = SqlQuote(bz_crypt($pwd1));
SendSQL("UPDATE profiles
SET cryptpassword = $cryptedpassword
WHERE userid = $userid");
projects / thirdparty / bugzilla.git / commitdiff
