Bug 399073: Remove the 'loginnetmask' parameter - Patch by FrÃ©dÃ©ric Buclin <LpSolit@gmail.com> r/a=mkanat

author: lpsolit%gmail.com <> 2009-10-19 01:34:57 +0200
committer: lpsolit%gmail.com <> 2009-10-19 01:34:57 +0200
commit: a7310a522e4ac2b24d01f0cdf44e132d0db8f73b (patch)
tree: f6a86028d5e5db61948e4103c2c4d4ebf1ccfb7f /Bugzilla/Auth
parent: da262b500fba8bd50d40a358670a6ac2a88b9056 (diff)
download: bugzilla-a7310a522e4ac2b24d01f0cdf44e132d0db8f73b.tar.gz
bugzilla-a7310a522e4ac2b24d01f0cdf44e132d0db8f73b.tar.xz
2 files changed, 14 insertions, 26 deletions
diff --git a/Bugzilla/Auth/Login/Cookie.pm b/Bugzilla/Auth/Login/Cookie.pm
index e2cd8f5ee..0b002168e 100644
--- a/Bugzilla/Auth/Login/Cookie.pm
+++ b/Bugzilla/Auth/Login/Cookie.pm
@@ -36,7 +36,6 @@ sub get_login_info {
     my $dbh = Bugzilla->dbh;
 
     my $ip_addr      = $cgi->remote_addr();
-    my $net_addr     = get_netaddr($ip_addr);
     my $login_cookie = $cgi->cookie("Bugzilla_logincookie");
     my $user_id      = $cgi->cookie("Bugzilla_login");
 
@@ -60,24 +59,16 @@ sub get_login_info {
         trick_taint($login_cookie);
         detaint_natural($user_id);
 
-        my $query = "SELECT userid
-                       FROM logincookies
-                      WHERE logincookies.cookie = ?
-                            AND logincookies.userid = ?
-                            AND (logincookies.ipaddr = ?";
-
-        # If we have a network block that's allowed to use this cookie,
-        # as opposed to just a single IP.
-        my @params = ($login_cookie, $user_id, $ip_addr);
-        if (defined $net_addr) {
-            trick_taint($net_addr);
-            $query .= " OR logincookies.ipaddr = ?";
-            push(@params, $net_addr);
-        }
-        $query .= ")";
+        my $is_valid =
+          $dbh->selectrow_array('SELECT 1
+                                   FROM logincookies
+                                  WHERE cookie = ?
+                                        AND userid = ?
+                                        AND (ipaddr = ? OR ipaddr IS NULL)',
+                                 undef, ($login_cookie, $user_id, $ip_addr));
 
         # If the cookie is valid, return a valid username.
-        if ($dbh->selectrow_array($query, undef, @params)) {
+        if ($is_valid) {
             # If we logged in successfully, then update the lastused 
             # time on the login cookie
             $dbh->do("UPDATE logincookies SET lastused = NOW() 
diff --git a/Bugzilla/Auth/Persist/Cookie.pm b/Bugzilla/Auth/Persist/Cookie.pm
index 60f90925e..4458e31b5 100644
--- a/Bugzilla/Auth/Persist/Cookie.pm
+++ b/Bugzilla/Auth/Persist/Cookie.pm
@@ -49,17 +49,14 @@ sub persist_login {
     my $dbh = Bugzilla->dbh;
     my $cgi = Bugzilla->cgi;
 
-    my $ip_addr = $cgi->remote_addr;
-    unless ($cgi->param('Bugzilla_restrictlogin') ||
-            Bugzilla->params->{'loginnetmask'} == 32) 
-    {
-        $ip_addr = get_netaddr($ip_addr);
+    my $ip_addr;
+    if ($cgi->param('Bugzilla_restrictlogin')) {
+        $ip_addr = $cgi->remote_addr;
+        # The IP address is valid, at least for comparing with itself in a
+        # subsequent login
+        trick_taint($ip_addr);
     }
 
-    # The IP address is valid, at least for comparing with itself in a
-    # subsequent login
-    trick_taint($ip_addr);
-
     $dbh->bz_start_transaction();
 
     my $login_cookie =
author	lpsolit%gmail.com <>	2009-10-19 01:34:57 +0200
committer	lpsolit%gmail.com <>	2009-10-19 01:34:57 +0200
commit	a7310a522e4ac2b24d01f0cdf44e132d0db8f73b (patch)
tree	f6a86028d5e5db61948e4103c2c4d4ebf1ccfb7f /Bugzilla/Auth
parent	da262b500fba8bd50d40a358670a6ac2a88b9056 (diff)
download	bugzilla-a7310a522e4ac2b24d01f0cdf44e132d0db8f73b.tar.gz bugzilla-a7310a522e4ac2b24d01f0cdf44e132d0db8f73b.tar.xz