authorterry%mozilla.org <>2000-01-18 23:40:18 +0100
committerterry%mozilla.org <>2000-01-18 23:40:18 +0100
commitca8760339069c50ccbdcf3d92e416f7d1522adf8 (patch)
treee2386af360bc276ba659635b80075da04dd24ed4
parente908456f366483dcc915bafc7036733310ebc6e5 (diff)
Stop ever using perl's crypt() function; only use mysql's. (Using
both was causing corruption on about 1 in 40 passwords.)
-rw-r--r--CGI.pl5
-rwxr-xr-xchangepassword.cgi18
-rwxr-xr-xeditusers.cgi10
3 files changed, 11 insertions, 22 deletions
diff --git a/CGI.pl b/CGI.pl
index 41667dd2c..5f7a21f88 100644
--- a/CGI.pl
+++ b/CGI.pl
@@ -604,7 +604,10 @@ sub confirm_login {
exit;
}
- my $enteredcryptpwd = crypt($enteredpwd, substr($realcryptpwd, 0, 2));
+ SendSQL("SELECT encrypt(" . SqlQuote($enteredpwd) . ", " .
+ SqlQuote(substr($realcryptpwd, 0, 2)) . ")");
+ my $enteredcryptpwd = FetchOneColumn();
+
if ($realcryptpwd eq "" || $enteredcryptpwd ne $realcryptpwd) {
print "Content-type: text/html\n\n";
PutHeader("Login failed");
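Review bot: `my $enteredcryptpwd = FetchOneColumn();` can yield undef when the server's `encrypt()` returns NULL (it does so where crypt support is unavailable), and the unchanged comparison below then depends on `undef ne $realcryptpwd` to reject the login while raising an uninitialized-value warning; an explicit guard states the intent: `if (!defined $enteredcryptpwd || $realcryptpwd eq "" || $enteredcryptpwd ne $realcryptpwd) {`. The entered password now travels to the database inside the SQL text of the new SendSQL call, so it will be recorded by any general query log that is enabled; a one-line comment on that call noting this trade-off would help the next maintainer. The body of confirm_login starts and ends outside the hunk.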
diff --git a/changepassword.cgi b/changepassword.cgi
index d62259ac5..93b736e55 100755
--- a/changepassword.cgi
+++ b/changepassword.cgi
@@ -102,11 +102,6 @@ The two passwords you entered did not match. Please click <b>Back</b> and try a
my $pwd = $::FORM{'pwd1'};
-sub x {
- my $sc="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789./";
- return substr($sc, int (rand () * 100000) % (length ($sc) + 1), 1);
-}
-
if ($pwd ne "") {
if ($pwd !~ /^[a-zA-Z0-9-_]*$/ || length($pwd) < 3 || length($pwd) > 15) {
print "<H1>Sorry; we're picky.</H1>
@@ -119,14 +114,13 @@ Please click <b>Back</b> and try again.\n";
}
-# Generate a random salt.
-
- my $salt = x() . x();
-
- my $encrypted = crypt($pwd, $salt);
-
- SendSQL("update profiles set password='$pwd',cryptpassword='$encrypted' where login_name=" .
+ my $qpwd = SqlQuote($pwd);
+ SendSQL("UPDATE profiles SET password=$qpwd,cryptpassword=encrypt($qpwd)
+ WHERE login_name = " .
+ SqlQuote($::COOKIE{'Bugzilla_login'}));
+ SendSQL("SELECT cryptpassword FROM profiles WHERE login_name = " .
SqlQuote($::COOKIE{'Bugzilla_login'}));
+ my $encrypted = FetchOneColumn();
SendSQL("update logincookies set cryptpassword = '$encrypted' where cookie = $::COOKIE{'Bugzilla_logincookie'}");
}
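Review bot: The `$encrypted` value read back by the new `FetchOneColumn()` is interpolated unquoted into the unchanged logincookies UPDATE on the following line, while the new profiles UPDATE above quotes its values through SqlQuote; if `encrypt()` returned NULL the cookie row silently receives an empty string. Quote it the same way and fail loudly on undef: `defined $encrypted or die "encrypt() returned NULL for " . $::COOKIE{'Bugzilla_login'};` before `SendSQL("update logincookies set cryptpassword = " . SqlQuote($encrypted) . " where cookie = $::COOKIE{'Bugzilla_logincookie'}");`. The UPDATE and the read-back SELECT are separate statements, so a concurrent password change for the same login could be read back instead of this one; presumably acceptable here, but worth a comment. The enclosing `if ($pwd ne "")` block begins in the previous hunk.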
diff --git a/editusers.cgi b/editusers.cgi
index ccb108e79..5b5d7e526 100755
--- a/editusers.cgi
+++ b/editusers.cgi
@@ -277,21 +277,13 @@ if ($action eq 'new') {
}
- sub x {
- my $sc="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789./";
- return substr($sc, int (rand () * 100000) % (length ($sc) + 1), 1);
- }
-
- my $salt = x() . x();
- my $cryptpassword = crypt($password, $salt);
-
# Add the new user
SendSQL("INSERT INTO profiles ( " .
"login_name, password, cryptpassword, realname, groupset" .
" ) VALUES ( " .
SqlQuote($user) . "," .
SqlQuote($password) . "," .
- SqlQuote($cryptpassword) . "," .
+ "encrypt(" . SqlQuote($password) . ")," .
SqlQuote($realname) . "," .
$bits . ")" );
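Review bot: The `encrypt(` ... `)` added to the INSERT is given no salt, so the server chooses one, and the reason for hashing in the database instead of in perl lives only in the commit message; put it above the statement as `# Hash with MySQL's encrypt() rather than perl's crypt(): mixing the two produced mismatched hashes (see confirm_login in CGI.pl).` If `encrypt()` is unavailable on the server it returns NULL, so the new row would be created with a NULL cryptpassword and the user could never authenticate; reading the stored value back after the INSERT, or checking `SELECT encrypt('x')` once at startup, would surface that early rather than as a silent login failure. The SendSQL statement ends on the last hunk line, but the enclosing `if ($action eq 'new')` block continues past it.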