From: Dave Lawrence <dlawrence@mozilla.com>
Date: Wed, 16 Oct 2013 16:12:27 +0000 (-0400)
Subject: Bug 907438 - In MySQL, login cookie checking is not case-sensitive, reducing total... 
X-Git-Tag: bugzilla-4.0.11~4
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c6882db4431de0b3aa2c81e52d3c9221ffb292ca;p=thirdparty%2Fbugzilla.git

Bug 907438 - In MySQL, login cookie checking is not case-sensitive, reducing total entropy and allowing easier brute force
r=LpSolit,a=sgreen
---

diff --git a/Bugzilla/Auth/Login/Cookie.pm b/Bugzilla/Auth/Login/Cookie.pm
index 91fb820fb5..de9188c64a 100644
--- a/Bugzilla/Auth/Login/Cookie.pm
+++ b/Bugzilla/Auth/Login/Cookie.pm
@@ -60,8 +60,8 @@ sub get_login_info {
         trick_taint($login_cookie);
         detaint_natural($user_id);
 
-        my $is_valid =
-          $dbh->selectrow_array('SELECT 1
+        my $db_cookie =
+          $dbh->selectrow_array('SELECT cookie
                                    FROM logincookies
                                   WHERE cookie = ?
                                         AND userid = ?
@@ -69,7 +69,7 @@ sub get_login_info {
                                  undef, ($login_cookie, $user_id, $ip_addr));
 
         # If the cookie is valid, return a valid username.
-        if ($is_valid) {
+        if (defined $db_cookie && $login_cookie eq $db_cookie) {
             # If we logged in successfully, then update the lastused 
             # time on the login cookie
             $dbh->do("UPDATE logincookies SET lastused = NOW()