my $dbh = Bugzilla->dbh;
my $ip_addr = $cgi->remote_addr();
- my $net_addr = get_netaddr($ip_addr);
my $login_cookie = $cgi->cookie("Bugzilla_logincookie");
my $user_id = $cgi->cookie("Bugzilla_login");
trick_taint($login_cookie);
detaint_natural($user_id);
- my $query = "SELECT userid
- FROM logincookies
- WHERE logincookies.cookie = ?
- AND logincookies.userid = ?
- AND (logincookies.ipaddr = ?";
-
- # If we have a network block that's allowed to use this cookie,
- # as opposed to just a single IP.
- my @params = ($login_cookie, $user_id, $ip_addr);
- if (defined $net_addr) {
- trick_taint($net_addr);
- $query .= " OR logincookies.ipaddr = ?";
- push(@params, $net_addr);
- }
- $query .= ")";
+ my $is_valid =
+ $dbh->selectrow_array('SELECT 1
+ FROM logincookies
+ WHERE cookie = ?
+ AND userid = ?
+ AND (ipaddr = ? OR ipaddr IS NULL)',
+ undef, ($login_cookie, $user_id, $ip_addr));
# If the cookie is valid, return a valid username.
- if ($dbh->selectrow_array($query, undef, @params)) {
+ if ($is_valid) {
# If we logged in successfully, then update the lastused
# time on the login cookie
$dbh->do("UPDATE logincookies SET lastused = NOW()
my $dbh = Bugzilla->dbh;
my $cgi = Bugzilla->cgi;
- my $ip_addr = $cgi->remote_addr;
- unless ($cgi->param('Bugzilla_restrictlogin') ||
- Bugzilla->params->{'loginnetmask'} == 32)
- {
- $ip_addr = get_netaddr($ip_addr);
+ my $ip_addr;
+ if ($cgi->param('Bugzilla_restrictlogin')) {
+ $ip_addr = $cgi->remote_addr;
+ # The IP address is valid, at least for comparing with itself in a
+ # subsequent login
+ trick_taint($ip_addr);
}
- # The IP address is valid, at least for comparing with itself in a
- # subsequent login
- trick_taint($ip_addr);
-
$dbh->bz_start_transaction();
my $login_cookie =
checker => \&check_multi
},
- {
- name => 'loginnetmask',
- type => 't',
- default => '0',
- checker => \&check_netmask
- },
-
{
name => 'requirelogin',
type => 'b',
qw(check_multi check_numeric check_regexp check_url check_group
check_sslbase check_priority check_severity check_platform
check_opsys check_shadowdb check_urlbase check_webdotbase
- check_netmask check_user_verify_class
+ check_user_verify_class
check_mail_delivery_method check_notification check_utf8
check_bug_status check_smtp_auth check_theschwartz_available
check_maxattachmentsize
return "";
}
-sub check_netmask {
- my ($mask) = @_;
- my $res = check_numeric($mask);
- return $res if $res;
- if ($mask < 0 || $mask > 32) {
- return "an IPv4 netmask must be between 0 and 32 bits";
- }
- # Note that if we changed the netmask from anything apart from 32, then
- # existing logincookies which aren't for a single IP won't work
- # any more. We can't know which ones they are, though, so they'll just
- # take space until they're periodically cleared, later.
-
- return "";
-}
-
sub check_user_verify_class {
# doeditparams traverses the list of params, and for each one it checks,
# then updates. This means that if one param checker wants to look at
REFERENCES => {TABLE => 'profiles',
COLUMN => 'userid',
DELETE => 'CASCADE'}},
- ipaddr => {TYPE => 'varchar(40)', NOTNULL => 1},
+ ipaddr => {TYPE => 'varchar(40)'},
lastused => {TYPE => 'DATETIME', NOTNULL => 1},
],
INDEXES => [
# 2009-09-28 LpSolit@gmail.com - Bug 519032
$dbh->bz_drop_column('series', 'last_viewed');
+ # 2009-09-28 LpSolit@gmail.com - Bug 399073
+ _fix_logincookies_ipaddr();
+
################################################################
# New --TABLE-- changes should go *** A B O V E *** this point #
################################################################
# Now update the logincookies schema
$dbh->bz_drop_column("logincookies", "hostname");
$dbh->bz_add_column("logincookies", "ipaddr",
- {TYPE => 'varchar(40)', NOTNULL => 1}, '');
+ {TYPE => 'varchar(40)'});
}
}
}
}
+sub _fix_logincookies_ipaddr {
+ my $dbh = Bugzilla->dbh;
+ return if !$dbh->bz_column_info('logincookies', 'ipaddr')->{NOTNULL};
+
+ $dbh->bz_alter_column('logincookies', 'ipaddr', {TYPE => 'varchar(40)'});
+ $dbh->do('UPDATE logincookies SET ipaddr = NULL WHERE ipaddr = ?',
+ undef, '0.0.0.0');
+}
+
1;
__END__
detaint_signed
html_quote url_quote xml_quote
css_class_quote html_light_quote url_decode
- i_am_cgi get_netaddr correct_urlbase
+ i_am_cgi correct_urlbase
lsearch do_ssl_redirect_if_required use_attachbase
diff_arrays
trim wrap_hard wrap_comment find_wrap_point
return $message;
}
-
-sub get_netaddr {
- my $ipaddr = shift;
-
- # Check for a valid IPv4 addr which we know how to parse
- if (!$ipaddr || $ipaddr !~ /^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/) {
- return undef;
- }
-
- my $addr = unpack("N", pack("CCCC", split(/\./, $ipaddr)));
-
- my $maskbits = Bugzilla->params->{'loginnetmask'};
-
- # Make Bugzilla ignore the IP address if loginnetmask is set to 0
- return "0.0.0.0" if ($maskbits == 0);
-
- $addr >>= (32-$maskbits);
-
- $addr <<= (32-$maskbits);
- return join(".", unpack("CCCC", pack("N", $addr)));
-}
-
sub disable_utf8 {
if (Bugzilla->params->{'utf8'}) {
binmode STDOUT, ':bytes'; # Turn off UTF8 encoding.
# Functions that tell you about your environment
my $is_cgi = i_am_cgi();
- my $net_addr = get_netaddr($ip_addr);
my $urlbase = correct_urlbase();
# Functions for searching
server. For example, it would return false if the caller is running
in a command-line script.
-=item C<get_netaddr($ipaddr)>
-
-Given an IP address, this returns the associated network address, using
-C<Bugzilla->params->{'loginnetmask'}> as the netmask. This can be used
-to obtain data in order to restrict weak authentication methods (such as
-cookies) to only some addresses.
-
=item C<correct_urlbase()>
Returns either the C<sslbase> or C<urlbase> parameter, depending on the
<!-- <!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN"> -->
-<!-- $Id: troubleshooting.xml,v 1.11 2008/04/04 06:48:23 uid623 Exp $ -->
+<!-- $Id: troubleshooting.xml,v 1.14 2009/10/18 23:35:00 lpsolit%gmail.com Exp $ -->
<appendix id="troubleshooting">
<title>Troubleshooting</title>
<para>If you have made it all the way through
<xref linkend="installation"/> (Installation) and
<xref linkend="configuration"/> (Configuration) but accessing the Bugzilla
- URL doesn't work, the first thing to do is to check your webserver error
+ URL doesn't work, the first thing to do is to check your web server error
log. For Apache, this is often located at
<filename>/etc/logs/httpd/error_log</filename>. The error messages
you see may be self-explanatory enough to enable you to diagnose and
<para>
Bugzilla can also log all user-based errors (and many code-based errors)
- that occur, without polluting the web server error log. To enable
+ that occur, without polluting the web server's error log. To enable
Bugzilla error logging, create a file that Bugzilla can write to, named
<filename>errorlog</filename>, in the Bugzilla <filename>data</filename>
directory. Errors will be logged as they occur, and will include the type
</section>
<section id="trbl-testserver">
- <title>The Apache webserver is not serving Bugzilla pages</title>
+ <title>The Apache web server is not serving Bugzilla pages</title>
<para>After you have run <command>checksetup.pl</command> twice,
run <command>testserver.pl http://yoursite.yourdomain/yoururl</command>
- to confirm that your webserver is configured properly for
+ to confirm that your web server is configured properly for
Bugzilla.
</para>
<programlisting>
</para>
</listitem>
<listitem>
- <para>The permissions on your library directories are set incorrectly.
- They must, at the very least, be readable by the webserver user or
- group. It is recommended that they be world readable.
+
<para>The permissions on your library directories are set incorrectly.
+ They must, at the very least, be readable by the web server user or
+ group. It is recommended that they be world readable.
</para>
</listitem>
</orderedlist>
</para>
</section>
- <section id="trouble-filetemp">
- <title>Your vendor has not defined Fcntl macro O_NOINHERIT</title>
-
- <para>This is caused by a bug in the version of
- <productname>File::Temp</productname> that is distributed with perl
- 5.6.0. Many minor variations of this error have been reported:
- </para>
-
- <programlisting>Your vendor has not defined Fcntl macro O_NOINHERIT, used
-at /usr/lib/perl5/site_perl/5.6.0/File/Temp.pm line 208.
-
-Your vendor has not defined Fcntl macro O_EXLOCK, used
-at /usr/lib/perl5/site_perl/5.6.0/File/Temp.pm line 210.
-
-Your vendor has not defined Fcntl macro O_TEMPORARY, used
-at /usr/lib/perl5/site_perl/5.6.0/File/Temp.pm line 233.</programlisting>
-
- <para>Numerous people have reported that upgrading to version 5.6.1
- or higher solved the problem for them. A less involved fix is to apply
- the following patch, which is also
- available as a <ulink url="../xml/filetemp.patch">patch file</ulink>.
- </para>
-
- <programlisting><![CDATA[--- File/Temp.pm.orig Thu Feb 6 16:26:00 2003
-+++ File/Temp.pm Thu Feb 6 16:26:23 2003
-@@ -205,6 +205,7 @@
- # eg CGI::Carp
- local $SIG{__DIE__} = sub {};
- local $SIG{__WARN__} = sub {};
-+ local *CORE::GLOBAL::die = sub {};
- $bit = &$func();
- 1;
- };
-@@ -226,6 +227,7 @@
- # eg CGI::Carp
- local $SIG{__DIE__} = sub {};
- local $SIG{__WARN__} = sub {};
-+ local *CORE::GLOBAL::die = sub {};
- $bit = &$func();
- 1;
- };]]></programlisting>
- </section>
-
<section id="trbl-relogin-everyone">
<title>Everybody is constantly being forced to relogin</title>
<para>The most-likely cause is that the <quote>cookiepath</quote> parameter
is not set correctly in the Bugzilla configuration. You can change this (if
- you're a Bugzilla administrator) from the editparams.cgi page via the web.
+ you're a Bugzilla administrator) from the editparams.cgi page via the web interface.
</para>
<para>The value of the cookiepath parameter should be the actual directory
</para>
</section>
- <section id="trbl-relogin-some">
- <title>Some users are constantly being forced to relogin</title>
-
- <para>First, make sure cookies are enabled in the user's browser.
- </para>
-
- <para>If that doesn't fix the problem, it may be that the user's ISP
- implements a rotating proxy server. This causes the user's effective IP
- address (the address which the Bugzilla server perceives him coming from)
- to change periodically. Since Bugzilla cookies are tied to a specific IP
- address, each time the effective address changes, the user will have to
- log in again.
- </para>
-
- <para>If you are using 2.18 (or later), there is a
- parameter called <quote>loginnetmask</quote>, which you can use to set
- the number of bits of the user's IP address to require to be matched when
- authenticating the cookies. If you set this to something less than 32,
- then the user will be given a checkbox for <quote>Restrict this login to
- my IP address</quote> on the login screen, which defaults to checked. If
- they leave the box checked, Bugzilla will behave the same as it did
- before, requiring an exact match on their IP address to remain logged in.
- If they uncheck the box, then only the left side of their IP address (up
- to the number of bits you specified in the parameter) has to match to
- remain logged in.
- </para>
-
- </section>
-
<section id="trbl-index">
<title><filename>index.cgi</filename> doesn't show up unless specified in the URL</title>
<para>
</tr>
[% END %]
- [% IF Param('loginnetmask') < 32 %]
- <tr>
- <th> </th>
- <td>
- <input type="checkbox" id="Bugzilla_restrictlogin" name="Bugzilla_restrictlogin"
- checked="checked">
- <label for="Bugzilla_restrictlogin">Restrict this session to this IP address
- (using this option improves security)</label>
- </td>
- </tr>
- [% END %]
+ <tr>
+ <th> </th>
+ <td>
+ <input type="checkbox" id="Bugzilla_restrictlogin" name="Bugzilla_restrictlogin"
+ checked="checked">
+ <label for="Bugzilla_restrictlogin">Restrict this session to this IP address
+ (using this option improves security)</label>
+ </td>
+ </tr>
</table>
[% PROCESS "global/hidden-fields.html.tmpl"
</li>
</ul>",
- loginnetmask => "The number of bits for the netmask used if a user chooses to " _
- "allow a login to be valid for more than a single IP. Setting " _
- "this to 32 disables this feature.<br> " _
- "Note that enabling this may decrease the security of your system.",
-
requirelogin => "If this option is set, all access to the system beyond the " _
"front page will require a login. No anonymous users will " _
"be permitted.",
projects / thirdparty / bugzilla.git / commitdiff
