From ca8760339069c50ccbdcf3d92e416f7d1522adf8 Mon Sep 17 00:00:00 2001
From: "terry%mozilla.org" <>
Date: Tue, 18 Jan 2000 22:40:18 +0000
Subject: [PATCH] Stop ever using perl's crypt() function; only use mysql's.
(Using both was causing corruption on about 1 in 40 passwords.)
---
CGI.pl | 5 ++++-
changepassword.cgi | 18 ++++++------------
editusers.cgi | 10 +---------
3 files changed, 11 insertions(+), 22 deletions(-)
diff --git a/CGI.pl b/CGI.pl
index 41667dd2cb..5f7a21f882 100644
--- a/CGI.pl
+++ b/CGI.pl
@@ -604,7 +604,10 @@ sub confirm_login {
exit;
}
- my $enteredcryptpwd = crypt($enteredpwd, substr($realcryptpwd, 0, 2));
+ SendSQL("SELECT encrypt(" . SqlQuote($enteredpwd) . ", " .
+ SqlQuote(substr($realcryptpwd, 0, 2)) . ")");
+ my $enteredcryptpwd = FetchOneColumn();
+
if ($realcryptpwd eq "" || $enteredcryptpwd ne $realcryptpwd) {
print "Content-type: text/html\n\n";
PutHeader("Login failed");
diff --git a/changepassword.cgi b/changepassword.cgi
index d62259ac5f..93b736e55b 100755
--- a/changepassword.cgi
+++ b/changepassword.cgi
@@ -102,11 +102,6 @@ The two passwords you entered did not match. Please click Back and try a
my $pwd = $::FORM{'pwd1'};
-sub x {
- my $sc="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789./";
- return substr($sc, int (rand () * 100000) % (length ($sc) + 1), 1);
-}
-
if ($pwd ne "") {
if ($pwd !~ /^[a-zA-Z0-9-_]*$/ || length($pwd) < 3 || length($pwd) > 15) {
print "Sorry; we're picky.
@@ -119,14 +114,13 @@ Please click Back and try again.\n";
}
-# Generate a random salt.
-
- my $salt = x() . x();
-
- my $encrypted = crypt($pwd, $salt);
-
- SendSQL("update profiles set password='$pwd',cryptpassword='$encrypted' where login_name=" .
+ my $qpwd = SqlQuote($pwd);
+ SendSQL("UPDATE profiles SET password=$qpwd,cryptpassword=encrypt($qpwd)
+ WHERE login_name = " .
+ SqlQuote($::COOKIE{'Bugzilla_login'}));
+ SendSQL("SELECT cryptpassword FROM profiles WHERE login_name = " .
SqlQuote($::COOKIE{'Bugzilla_login'}));
+ my $encrypted = FetchOneColumn();
SendSQL("update logincookies set cryptpassword = '$encrypted' where cookie = $::COOKIE{'Bugzilla_logincookie'}");
}
diff --git a/editusers.cgi b/editusers.cgi
index ccb108e792..5b5d7e526f 100755
--- a/editusers.cgi
+++ b/editusers.cgi
@@ -277,21 +277,13 @@ if ($action eq 'new') {
}
- sub x {
- my $sc="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789./";
- return substr($sc, int (rand () * 100000) % (length ($sc) + 1), 1);
- }
-
- my $salt = x() . x();
- my $cryptpassword = crypt($password, $salt);
-
# Add the new user
SendSQL("INSERT INTO profiles ( " .
"login_name, password, cryptpassword, realname, groupset" .
" ) VALUES ( " .
SqlQuote($user) . "," .
SqlQuote($password) . "," .
- SqlQuote($cryptpassword) . "," .
+ "encrypt(" . SqlQuote($password) . ")," .
SqlQuote($realname) . "," .
$bits . ")" );
--
2.47.2