proc PasswordForLogin {login} {
- SendSQL "select password from profiles where login_name = '[SqlQuote $login]'"
+ SendSQL "select cryptpassword from profiles where login_name = '[SqlQuote $login]'"
return [FetchSQLData]
}
proc confirm_login {{nexturl ""}} {
# puts "Content-type: text/plain\n"
- global FORM COOKIE argv0
+ global FORM COOKIE argv0 env
ConnectToDatabase
if { [info exists FORM(Bugzilla_login)] &&
[info exists FORM(Bugzilla_password)] } {
puts "<p>Please click <b>back</b> and try again."
exit
}
- set realpwd [PasswordForLogin $FORM(Bugzilla_login)]
+ set realcryptpwd [PasswordForLogin $FORM(Bugzilla_login)]
+ set enteredpwd $FORM(Bugzilla_password);
+ SendSQL "select encrypt('[SqlQuote $enteredpwd]','[crange $realcryptpwd 0 1]')";
+ set enteredcryptpwd [lindex [FetchSQLData] 0]
+
+
if {[info exists FORM(PleaseMailAPassword)]} {
- if {[cequal $realpwd ""]} {
+ if {[cequal $realcryptpwd ""]} {
set realpwd [InsertNewUser $FORM(Bugzilla_login)]
+ } else {
+ SendSQL "select password from profiles where login_name = '[SqlQuote $FORM(Bugzilla_login)]'"
+ set realpwd [lindex [FetchSQLData] 0]
}
set template "From: bugzilla-daemon
To: %s
To use the wonders of bugzilla, you can use the following:
-E-mail address: %s
- Password: %s
+ E-mail address: %s
+ Password: %s
-To change your password, go to:
-[Param urlbase]changepassword.cgi
+ To change your password, go to:
+ [Param urlbase]changepassword.cgi
-(Your bugzilla and CVS password, if any, are not currently synchronized.
-Top hackers are working around the clock to fix this, as you read this.)
+ (Your bugzilla and CVS password, if any, are not currently synchronized.
+ Top hackers are working around the clock to fix this, as you read this.)
"
+
set msg [format $template $FORM(Bugzilla_login) \
$FORM(Bugzilla_login) $realpwd]
exit
}
- if {[cequal $realpwd ""] || ![cequal $realpwd $FORM(Bugzilla_password)]} {
+ if {[cequal $realcryptpwd ""] || ![cequal $enteredcryptpwd $realcryptpwd]} {
puts "Content-type: text/html\n"
puts "<H1>Login failed.</H1>"
puts "The username or password you entered is not valid. Please"
exit
}
set COOKIE(Bugzilla_login) $FORM(Bugzilla_login)
- set COOKIE(Bugzilla_password) $FORM(Bugzilla_password)
+ SendSQL "insert into logincookies (userid,cryptpassword,hostname) values ([DBNameToIdAndCheck $FORM(Bugzilla_login)], '[SqlQuote $realcryptpwd]', '[SqlQuote $env(REMOTE_HOST)]')"
+ SendSQL "select LAST_INSERT_ID()"
+ set logincookie [FetchSQLData]
+
+
+
+
+ set COOKIE(Bugzilla_logincookie) $logincookie
puts "Set-Cookie: Bugzilla_login=$COOKIE(Bugzilla_login) ; path=/; expires=Sun, 30-Jun-2029 00:00:00 GMT"
- puts "Set-Cookie: Bugzilla_password=$COOKIE(Bugzilla_password) ; path=/; expires=Sun, 30-Jun-2029 00:00:00 GMT"
+ puts "Set-Cookie: Bugzilla_logincookie=$COOKIE(Bugzilla_logincookie) ; path=/; expires=Sun, 30-Jun-2029 00:00:00 GMT"
+
+ # This next one just cleans out any old bugzilla passwords that may
+ # be sitting around in the cookie files, from the bad old days when
+ # we actually stored the password there.
+ puts "Set-Cookie: Bugzilla_password= ; path=/; expires=Sun, 30-Jun-80 00:00:00 GMT"
+
}
- set realpwd {}
+ set loginok 0
- if { [info exists COOKIE(Bugzilla_login)] && [info exists COOKIE(Bugzilla_password)] } {
- set realpwd [PasswordForLogin $COOKIE(Bugzilla_login)]
+ if { [info exists COOKIE(Bugzilla_login)] && [info exists COOKIE(Bugzilla_logincookie)] } {
+ SendSQL "select profiles.login_name = '[SqlQuote $COOKIE(Bugzilla_login)]' and profiles.cryptpassword = logincookies.cryptpassword and logincookies.hostname = '[SqlQuote $env(REMOTE_HOST)]' from profiles,logincookies where logincookies.cookie = $COOKIE(Bugzilla_logincookie) and profiles.userid = logincookies.userid"
+ set loginok [FetchSQLData]
}
- if {[cequal $realpwd ""] || ![cequal $realpwd $COOKIE(Bugzilla_password)]} {
+ if {$loginok != "1"} {
puts "Content-type: text/html\n"
puts "<H1>Please log in.</H1>"
puts "I need a legitimate e-mail address and password to continue."
here:<input type=submit value=\"E-mail me a password\"
name=PleaseMailAPassword>
</form>"
+
+ # This seems like as good as time as any to get rid of old
+ # crufty junk in the logincookies table. Get rid of any entry
+ # that hasn't been used in a month.
+ SendSQL "delete from logincookies where to_days(now()) - to_days(lastused) > 30"
+
exit
}
+
+ # Update the timestamp on our logincookie, so it'll keep on working.
+ SendSQL "update logincookies set lastused = null where cookie = $COOKIE(Bugzilla_logincookie)"
}
--- /dev/null
+#!/bin/sh
+#
+# The contents of this file are subject to the Mozilla Public License
+# Version 1.0 (the "License"); you may not use this file except in
+# compliance with the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS"
+# basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See the
+# License for the specific language governing rights and limitations
+# under the License.
+#
+# The Original Code is the Bugzilla Bug Tracking System.
+#
+# The Initial Developer of the Original Code is Netscape Communications
+# Corporation. Portions created by Netscape are Copyright (C) 1998
+# Netscape Communications Corporation. All Rights Reserved.
+#
+# Contributor(s): Terry Weissman <terry@mozilla.org>
+
+mysql bugs > /dev/null 2>/dev/null << OK_ALL_DONE
+
+drop table logincookies;
+OK_ALL_DONE
+
+mysql bugs << OK_ALL_DONE
+
+create table logincookies (
+ cookie mediumint not null auto_increment primary key,
+ userid mediumint not null,
+ cryptpassword varchar(64),
+ hostname varchar(128),
+ lastused timestamp,
+ index(lastused)
+);
+
+show columns from logincookies;
+show index from logincookies;
+
+OK_ALL_DONE