Bug 300410: Bugzilla::Auth needs to be restructured to not require a BEGIN block

Patch By Max Kanat-Alexander <mkanat@bugzilla.org> r=LpSolit, a=myk

1 files changed, 83 insertions, 0 deletions

diff --git a/Bugzilla/Auth/Login/Cookie.pm b/Bugzilla/Auth/Login/Cookie.pm
new file mode 100644
index 000000000..e4cc0daac
--- /dev/null
+++ b/Bugzilla/Auth/Login/Cookie.pm
@@ -0,0 +1,83 @@
+# -*- Mode: perl; indent-tabs-mode: nil -*-
+#
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+#
+# The Original Code is the Bugzilla Bug Tracking System.
+#
+# Contributor(s): Bradley Baetz <bbaetz@acm.org>
+#                 Max Kanat-Alexander <mkanat@bugzilla.org>
+
+package Bugzilla::Auth::Login::Cookie;
+use strict;
+use base qw(Bugzilla::Auth::Login);
+
+use Bugzilla::Auth;
+use Bugzilla::Constants;
+use Bugzilla::User;
+use Bugzilla::Util;
+
+use constant requires_persistence  => 0;
+use constant requires_verification => 0;
+use constant can_login => 0;
+
+# Note that Cookie never consults the Verifier, it always assumes
+# it has a valid DB account or it fails.
+sub get_login_info {
+    my ($self) = @_;
+    my $cgi = Bugzilla->cgi;
+    my $dbh = Bugzilla->dbh;
+
+    my $ip_addr      = $cgi->remote_addr();
+    my $net_addr     = Bugzilla::Auth::get_netaddr($ip_addr);
+    my $login_cookie = $cgi->cookie("Bugzilla_logincookie");
+    my $user_id      = $cgi->cookie("Bugzilla_login");
+
+    if ($login_cookie && $user_id) {
+        # Anything goes for these params - they're just strings which
+        # we're going to verify against the db
+        trick_taint($ip_addr);
+        trick_taint($login_cookie);
+        detaint_natural($user_id);
+
+        my $query = "SELECT userid
+                       FROM logincookies
+                      WHERE logincookies.cookie = ?
+                            AND logincookies.userid = ?
+                            AND (logincookies.ipaddr = ?";
+
+        # If we have a network block that's allowed to use this cookie,
+        # as opposed to just a single IP.
+        my @params = ($login_cookie, $user_id, $ip_addr);
+        if (defined $net_addr) {
+            trick_taint($net_addr);
+            $query .= " OR logincookies.ipaddr = ?";
+            push(@params, $net_addr);
+        }
+        $query .= ")";
+
+        # If the cookie is valid, return a valid username.
+        if ($dbh->selectrow_array($query, undef, @params)) {
+            # If we logged in successfully, then update the lastused 
+            # time on the login cookie
+            $dbh->do("UPDATE logincookies SET lastused = NOW() 
+                       WHERE cookie = ?", undef, $login_cookie);
+            return { user_id => $user_id };
+        }
+    }
+
+    # Either the he cookie is invalid, or we got no cookie. We don't want 
+    # to ever return AUTH_LOGINFAILED, because we don't want Bugzilla to 
+    # actually throw an error when it gets a bad cookie. It should just 
+    # look like there was no cokie to begin with.
+    return { failure => AUTH_NODATA };
+}
+
+1;