summaryrefslogtreecommitdiffstats
path: root/Bugzilla/Auth/Login
diff options
context:
space:
mode:
authorbugreport%peshkin.net <>2004-07-12 12:48:45 +0200
committerbugreport%peshkin.net <>2004-07-12 12:48:45 +0200
commitabdd4eba8b321e66d9a86d2d3592893f69632618 (patch)
tree305a5c0f7857f37f576b0969dc46f9ff2950b14a /Bugzilla/Auth/Login
parentce983f5d751e61c5500eac45e5db29eee7309520 (diff)
downloadbugzilla-abdd4eba8b321e66d9a86d2d3592893f69632618.tar.gz
bugzilla-abdd4eba8b321e66d9a86d2d3592893f69632618.tar.xz
Backing out bug 241900
Diffstat (limited to 'Bugzilla/Auth/Login')
-rw-r--r--Bugzilla/Auth/Login/CGI.pm254
-rw-r--r--Bugzilla/Auth/Login/CGI/Cookie.pm115
2 files changed, 0 insertions, 369 deletions
diff --git a/Bugzilla/Auth/Login/CGI.pm b/Bugzilla/Auth/Login/CGI.pm
deleted file mode 100644
index 2f8ca071d..000000000
--- a/Bugzilla/Auth/Login/CGI.pm
+++ /dev/null
@@ -1,254 +0,0 @@
-# -*- Mode: perl; indent-tabs-mode: nil -*-
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-#
-# The Original Code is the Bugzilla Bug Tracking System.
-#
-# The Initial Developer of the Original Code is Netscape Communications
-# Corporation. Portions created by Netscape are
-# Copyright (C) 1998 Netscape Communications Corporation. All
-# Rights Reserved.
-#
-# Contributor(s): Terry Weissman <terry@mozilla.org>
-# Dan Mosedale <dmose@mozilla.org>
-# Joe Robins <jmrobins@tgix.com>
-# Dave Miller <justdave@syndicomm.com>
-# Christopher Aillon <christopher@aillon.com>
-# Gervase Markham <gerv@gerv.net>
-# Christian Reis <kiko@async.com.br>
-# Bradley Baetz <bbaetz@acm.org>
-# Erik Stambaugh <erik@dasbistro.com>
-
-package Bugzilla::Auth::Login::CGI;
-
-use strict;
-
-use Bugzilla::Config;
-use Bugzilla::Constants;
-use Bugzilla::Error;
-use Bugzilla::Util;
-
-sub login {
- my ($class, $type) = @_;
-
- # 'NORMAL' logins depend on the 'requirelogin' param
- if ($type == LOGIN_NORMAL) {
- $type = Param('requirelogin') ? LOGIN_REQUIRED : LOGIN_OPTIONAL;
- }
-
- my $cgi = Bugzilla->cgi;
-
- # First, try the actual login method against form variables
- my $username = $cgi->param("Bugzilla_login");
- my $passwd = $cgi->param("Bugzilla_password");
-
- my $authmethod = Param("user_verify_method");
- my ($authres, $userid, $extra, $info) =
- Bugzilla::Auth->authenticate($username, $passwd);
-
- if ($authres == AUTH_OK) {
- # Login via username/password was correct and valid, so create
- # and send out the login cookies
- my $ipaddr = $cgi->remote_addr;
- unless ($cgi->param('Bugzilla_restrictlogin') ||
- Param('loginnetmask') == 32) {
- $ipaddr = Bugzilla::Auth::get_netaddr($ipaddr);
- }
-
- # The IP address is valid, at least for comparing with itself in a
- # subsequent login
- trick_taint($ipaddr);
-
- my $dbh = Bugzilla->dbh;
- $dbh->do("INSERT INTO logincookies (userid, ipaddr) VALUES (?, ?)",
- undef,
- $userid, $ipaddr);
- my $logincookie = $dbh->selectrow_array("SELECT LAST_INSERT_ID()");
-
- # Remember cookie only if admin has told so
- # or admin didn't forbid it and user told to remember.
- if ((Param('rememberlogin') eq 'on') ||
- ((Param('rememberlogin') ne 'off') &&
- ($cgi->param('Bugzilla_remember') eq 'on'))) {
- $cgi->send_cookie(-name => 'Bugzilla_login',
- -value => $userid,
- -expires => 'Fri, 01-Jan-2038 00:00:00 GMT');
- $cgi->send_cookie(-name => 'Bugzilla_logincookie',
- -value => $logincookie,
- -expires => 'Fri, 01-Jan-2038 00:00:00 GMT');
-
- }
- else {
- $cgi->send_cookie(-name => 'Bugzilla_login',
- -value => $userid);
- $cgi->send_cookie(-name => 'Bugzilla_logincookie',
- -value => $logincookie);
-
- }
- }
- elsif ($authres == AUTH_NODATA) {
- # No data from the form, so try to login via cookies
- $username = $cgi->cookie("Bugzilla_login");
- $passwd = $cgi->cookie("Bugzilla_logincookie");
-
- require Bugzilla::Auth::Login::CGI::Cookie;
- my $authmethod = "Cookie";
-
- ($authres, $userid, $extra) =
- Bugzilla::Auth::Login::CGI::Cookie->authenticate($username, $passwd);
-
- # If the data for the cookie was incorrect, then treat that as
- # NODATA. This could occur if the user's IP changed, for example.
- # Give them un-loggedin access if allowed (checked below)
- $authres = AUTH_NODATA if $authres == AUTH_LOGINFAILED;
- }
-
- # Now check the result
-
- # An error may have occurred with the login mechanism
- if ($authres == AUTH_ERROR) {
- ThrowCodeError("auth_err",
- { authmethod => lc($authmethod),
- userid => $userid,
- auth_err_tag => $extra,
- info => $info
- });
- }
-
- # We can load the page if the login was ok, or there was no data
- # but a login wasn't required
- if ($authres == AUTH_OK ||
- ($authres == AUTH_NODATA && $type == LOGIN_OPTIONAL)) {
-
- # login succeded, so we're done
- return $userid;
- }
-
- # No login details were given, but we require a login if the
- # page does
- if ($authres == AUTH_NODATA && $type == LOGIN_REQUIRED) {
- # Throw up the login page
-
- print Bugzilla->cgi->header();
-
- my $template = Bugzilla->template;
- $template->process("account/auth/login.html.tmpl",
- { 'target' => $cgi->url(-relative=>1),
- 'form' => \%::FORM,
- 'mform' => \%::MFORM,
- 'caneditaccount' => Bugzilla::Auth->can_edit->{'new'},
- }
- )
- || ThrowTemplateError($template->error());
-
- # This seems like as good as time as any to get rid of old
- # crufty junk in the logincookies table. Get rid of any entry
- # that hasn't been used in a month.
- Bugzilla->dbh->do("DELETE FROM logincookies " .
- "WHERE TO_DAYS(NOW()) - TO_DAYS(lastused) > 30");
-
- exit;
- }
-
- # The username/password may be wrong
- # Don't let the user know whether the username exists or whether
- # the password was just wrong. (This makes it harder for a cracker
- # to find account names by brute force)
- if ($authres == AUTH_LOGINFAILED) {
- ThrowUserError("invalid_username_or_password");
- }
-
- # The account may be disabled
- if ($authres == AUTH_DISABLED) {
- # Clear the cookie
-
- $cgi->send_cookie(-name => 'Bugzilla_login',
- -expires => "Tue, 15-Sep-1998 21:49:00 GMT");
- $cgi->send_cookie(-name => 'Bugzilla_logincookie',
- -expires => "Tue, 15-Sep-1998 21:49:00 GMT");
-
- # and throw a user error
- ThrowUserError("account_disabled",
- {'disabled_reason' => $extra});
- }
-
- # If we get here, then we've run out of options, which shouldn't happen
- ThrowCodeError("authres_unhandled", { authres => $authres,
- type => $type, });
-}
-
-# Logs user out, according to the option provided; this consists of
-# removing entries from logincookies for the specified $user.
-sub logout {
- my ($class, $user, $option) = @_;
- my $dbh = Bugzilla->dbh;
- $option = LOGOUT_ALL unless defined $option;
-
- if ($option == LOGOUT_ALL) {
- $dbh->do("DELETE FROM logincookies WHERE userid = ?",
- undef, $user->id);
- return;
- }
-
- # The LOGOUT_*_CURRENT options require a cookie
- my $cookie = Bugzilla->cgi->cookie("Bugzilla_logincookie");
- detaint_natural($cookie);
-
- # These queries use both the cookie ID and the user ID as keys. Even
- # though we know the userid must match, we still check it in the SQL
- # as a sanity check, since there is no locking here, and if the user
- # logged out from two machines simultaneously, while someone else
- # logged in and got the same cookie, we could be logging the other
- # user out here. Yes, this is very very very unlikely, but why take
- # chances? - bbaetz
- if ($option == LOGOUT_KEEP_CURRENT) {
- $dbh->do("DELETE FROM logincookies WHERE cookie != ? AND userid = ?",
- undef, $cookie, $user->id);
- } elsif ($option == LOGOUT_CURRENT) {
- $dbh->do("DELETE FROM logincookies WHERE cookie = ? AND userid = ?",
- undef, $cookie, $user->id);
- } else {
- die("Invalid option $option supplied to logout()");
- }
-}
-
-sub clear_browser_cookies {
- my $cgi = Bugzilla->cgi;
- $cgi->send_cookie(-name => "Bugzilla_login",
- -expires => "Tue, 15-Sep-1998 21:49:00 GMT");
- $cgi->send_cookie(-name => "Bugzilla_logincookie",
- -expires => "Tue, 15-Sep-1998 21:49:00 GMT");
-}
-
-1;
-
-__END__
-
-=head1 NAME
-
-Bugzilla::Auth::Login::CGI - CGI-based logins for Bugzilla
-
-=head1 SUMMARY
-
-This is a L<login module|Bugzilla::Auth/"LOGIN"> for Bugzilla. Users connecting
-from a CGI script use this module to authenticate. Logouts are also handled here.
-
-=head1 BEHAVIOUR
-
-Users are first authenticated against the default authentication handler,
-using the CGI parameters I<Bugzilla_login> and I<Bugzilla_password>.
-
-If no data is present for that, then cookies are tried, using
-L<Bugzilla::Auth::Login::CGI::Cookie>.
-
-=head1 SEE ALSO
-
-L<Bugzilla::Auth>
diff --git a/Bugzilla/Auth/Login/CGI/Cookie.pm b/Bugzilla/Auth/Login/CGI/Cookie.pm
deleted file mode 100644
index 9c0e2e566..000000000
--- a/Bugzilla/Auth/Login/CGI/Cookie.pm
+++ /dev/null
@@ -1,115 +0,0 @@
-# -*- Mode: perl; indent-tabs-mode: nil -*-
-#
-# The contents of this file are subject to the Mozilla Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/MPL/
-#
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-#
-# The Original Code is the Bugzilla Bug Tracking System.
-#
-# The Initial Developer of the Original Code is Netscape Communications
-# Corporation. Portions created by Netscape are
-# Copyright (C) 1998 Netscape Communications Corporation. All
-# Rights Reserved.
-#
-# Contributor(s): Terry Weissman <terry@mozilla.org>
-# Dan Mosedale <dmose@mozilla.org>
-# Joe Robins <jmrobins@tgix.com>
-# Dave Miller <justdave@syndicomm.com>
-# Christopher Aillon <christopher@aillon.com>
-# Gervase Markham <gerv@gerv.net>
-# Christian Reis <kiko@async.com.br>
-# Bradley Baetz <bbaetz@acm.org>
-
-package Bugzilla::Auth::Login::CGI::Cookie;
-
-use strict;
-
-use Bugzilla::Auth;
-use Bugzilla::Config;
-use Bugzilla::Constants;
-use Bugzilla::Util;
-
-sub authenticate {
- my ($class, $login, $login_cookie) = @_;
-
- return (AUTH_NODATA) unless defined $login && defined $login_cookie;
-
- my $cgi = Bugzilla->cgi;
-
- my $ipaddr = $cgi->remote_addr();
- my $netaddr = Bugzilla::Auth::get_netaddr($ipaddr);
-
- # Anything goes for these params - they're just strings which
- # we're going to verify against the db
- trick_taint($login);
- trick_taint($login_cookie);
- trick_taint($ipaddr);
-
- my $query = "SELECT profiles.userid, profiles.disabledtext " .
- "FROM logincookies, profiles " .
- "WHERE logincookies.cookie=? AND " .
- " logincookies.userid=profiles.userid AND " .
- " logincookies.userid=? AND " .
- " (logincookies.ipaddr=?";
- if (defined $netaddr) {
- trick_taint($netaddr);
- $query .= " OR logincookies.ipaddr=?";
- }
- $query .= ")";
-
- my $dbh = Bugzilla->dbh;
- my ($userid, $disabledtext) = $dbh->selectrow_array($query, undef,
- $login_cookie,
- $login,
- $ipaddr,
- $netaddr);
-
- return (AUTH_DISABLED, $userid, $disabledtext)
- if ($disabledtext);
-
- if ($userid) {
- # If we logged in successfully, then update the lastused time on the
- # login cookie
- $dbh->do("UPDATE logincookies SET lastused=NULL WHERE cookie=?",
- undef,
- $login_cookie);
-
- return (AUTH_OK, $userid);
- }
-
- # If we get here, then the login failed.
- return (AUTH_LOGINFAILED);
-}
-
-1;
-
-__END__
-
-=head1 NAME
-
-Bugzilla::Auth::Login::CGI::Cookie - cookie authentication for Bugzilla
-
-=head1 SUMMARY
-
-This is an L<authentication module|Bugzilla::Auth/"AUTHENTICATION"> for
-Bugzilla, which logs the user in using a persistent cookie stored in the
-C<logincookies> table.
-
-The actual password is not stored in the cookie; only the userid and a
-I<logincookie> (which is used to reverify the login without requiring the
-password to be sent over the network) are. These I<logincookies> are
-restricted to certain IP addresses as a security meaure. The exact
-restriction can be specified by the admin via the C<loginnetmask> parameter.
-
-This module does not ever send a cookie (It has no way of knowing when a user
-is successfully logged in). Instead L<Bugzilla::Auth::Login::CGI> handles this.
-
-=head1 SEE ALSO
-
-L<Bugzilla::Auth>, L<Bugzilla::Auth::Login::CGI>