Bug 1179856 - Increase length of logincookie value for greater security

author Dylan William Hardison <dylan@hardison.net>

Tue, 28 Jul 2015 20:21:26 +0000 (16:21 -0400)

committer Dylan William Hardison <dylan@hardison.net>

Tue, 28 Jul 2015 20:22:46 +0000 (16:22 -0400)
author Dylan William Hardison <dylan@hardison.net>
Tue, 28 Jul 2015 20:21:26 +0000 (16:21 -0400)
committer Dylan William Hardison <dylan@hardison.net>
Tue, 28 Jul 2015 20:22:46 +0000 (16:22 -0400)
diff --git a/Bugzilla/DB/Schema.pm b/Bugzilla/DB/Schema.pm

index 3d904ba8b8fbdcaa0d948f50dfe7c6190b1817c1..5d5d52508d97ca87a32cc0f54e74036814a14ec5 100644 (file)
--- a/Bugzilla/DB/Schema.pm
+++ b/Bugzilla/DB/Schema.pm
@@ -1148,7 +1148,7 @@ use constant ABSTRACT_SCHEMA => {
  
      logincookies => {
          FIELDS => [
-            cookie   => {TYPE => 'varchar(16)', NOTNULL => 1,
+            cookie   => {TYPE => 'varchar(22)', NOTNULL => 1,
                           PRIMARYKEY => 1},
              userid   => {TYPE => 'INT3', NOTNULL => 1,
                           REFERENCES => {TABLE  => 'profiles',
@@ -1190,7 +1190,7 @@ use constant ABSTRACT_SCHEMA => {
                                                           COLUMN => 'userid',
                                                           DELETE => 'CASCADE'}},
              issuedate => {TYPE => 'DATETIME', NOTNULL => 1} ,
-            token     => {TYPE => 'varchar(16)', NOTNULL => 1,
+            token     => {TYPE => 'varchar(22)', NOTNULL => 1,
                            PRIMARYKEY => 1},
              tokentype => {TYPE => 'varchar(16)', NOTNULL => 1} ,
              eventdata => {TYPE => 'TINYTEXT'},
diff --git a/Bugzilla/Install/DB.pm b/Bugzilla/Install/DB.pm

index 5761d1963c78e880300bf937032b38d1c3ae7a49..26f68aab05325ddce8b6e4cc8fce2956ee58fe21 100644 (file)
--- a/Bugzilla/Install/DB.pm
+++ b/Bugzilla/Install/DB.pm
@@ -739,6 +739,12 @@ sub update_table_definitions {
      $dbh->bz_add_column('keyworddefs', 'is_active',
                          {TYPE => 'BOOLEAN', NOTNULL => 1, DEFAULT => 'TRUE'});
  
+    # 2015-07-25 dylan@mozilla.com - Bug 1179856
+    $dbh->bz_alter_column('tokens', 'token',
+                          {TYPE => 'varchar(22)', NOTNULL => 1, PRIMARYKEY => 1});
+    $dbh->bz_alter_column('logincookies', 'cookie',
+                          {TYPE => 'varchar(22)', NOTNULL => 1, PRIMARYKEY => 1});
+
      ################################################################
      # New --TABLE-- changes should go *** A B O V E *** this point #
      ################################################################
diff --git a/Bugzilla/Token.pm b/Bugzilla/Token.pm

index 1f8e7bc1721bce7b160e016a6ed674c39005959e..67a201b53f68ec9d1c6f00ba4342f0fadd0cfc73 100644 (file)
--- a/Bugzilla/Token.pm
+++ b/Bugzilla/Token.pm
@@ -29,6 +29,11 @@ use parent qw(Exporter);
                                check_token_data delete_token
                                issue_hash_token check_hash_token);
  
+# 128 bits password:
+# 128 * log10(2) / log10(62) = 21.49, round up to 22.
+# 62 = 0-9, a-z, A-Z.
+use constant TOKEN_LENGTH => 22;
+
  ################################################################################
  # Public Functions
  ################################################################################
@@ -289,7 +294,7 @@ sub GenerateUniqueToken {
          if ($tries > 100) {
              ThrowCodeError("token_generation_error");
          }
-        $token = generate_random_password();
+        $token = generate_random_password(TOKEN_LENGTH);
          $sth->execute($token);
          $duplicate = $sth->fetchrow_array;
      }
author	Dylan William Hardison <dylan@hardison.net>
	Tue, 28 Jul 2015 20:21:26 +0000 (16:21 -0400)
committer	Dylan William Hardison <dylan@hardison.net>
	Tue, 28 Jul 2015 20:22:46 +0000 (16:22 -0400)
Bugzilla/DB/Schema.pm		patch \| blob \| blame \| history
Bugzilla/Install/DB.pm		patch \| blob \| blame \| history
Bugzilla/Token.pm		patch \| blob \| blame \| history