authorFrédéric Buclin <LpSolit@gmail.com>2015-12-16 22:22:26 +0100
committerFrédéric Buclin <LpSolit@gmail.com>2015-12-16 22:22:26 +0100
commit21b3145e8195a91846e76bc0556da176bae6e79d (patch)
tree25c4a7a3198ca55151a5f7397d3d035af2a08906 /Bugzilla/Object.pm
parentf49412c1225ab261707d78e1e61bbf244939b36f (diff)
Bug 1232578: Do not save hashed passwords in audit_log
r=dkl
Diffstat (limited to 'Bugzilla/Object.pm')
-rw-r--r--Bugzilla/Object.pm20
1 files changed, 19 insertions, 1 deletions
diff --git a/Bugzilla/Object.pm b/Bugzilla/Object.pm
index 8f25e2b20..d43c8ca34 100644
--- a/Bugzilla/Object.pm
+++ b/Bugzilla/Object.pm
@@ -599,11 +599,29 @@ sub audit_log {
foreach my $field (keys %$changes) {
# Skip private changes.
next if $field =~ /^_/;
- my ($from, $to) = @{ $changes->{$field} };
+ my ($from, $to) = $self->_sanitize_audit_log($field, $changes->{$field});
$sth->execute($user_id, $class, $self->id, $field, $from, $to);
}
}
+sub _sanitize_audit_log {
+ my ($self, $field, $changes) = @_;
+ my $class = ref($self) || $self;
+
+ # Do not store hashed passwords. Only record the algorithm used to encode them.
+ if ($class eq 'Bugzilla::User' && $field eq 'cryptpassword') {
+ foreach my $passwd (@$changes) {
+ next unless $passwd;
+ my $algorithm = 'unknown_algorithm';
+ if ($passwd =~ /{([^}]+)}$/) {
+ $algorithm = $1;
+ }
+ $passwd = "hashed_with_$algorithm";
+ }
+ }
+ return @$changes;
+}
+
sub flatten_to_hash {
my $self = shift;
my $class = blessed($self);
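Review bot: The guard in `_sanitize_audit_log` compares the class name with `eq`, so an object of any subclass of Bugzilla::User that inherits this method would fall through and have its `cryptpassword` hash written to audit_log verbatim, which is exactly what the commit sets out to prevent; `if ($self->isa('Bugzilla::User') && $field eq 'cryptpassword') {` covers subclasses and still works when `$self` is a plain class name. Note also that `foreach my $passwd (@$changes)` aliases the elements, so the placeholder strings are written back into the caller's `$changes->{$field}` array rather than into a copy; if anything downstream of `audit_log` reuses that hash it will now see `hashed_with_…` instead of the original values, so copying first (`my @sanitized = @$changes;`) and returning the copy would keep the sanitising local to the audit path. A short comment on the regex such as `# Bugzilla stores hashes as "<hash>{<algorithm>}"; keep only the suffix.` would tell a reader why the `{…}` suffix is what gets recorded. The enclosing `audit_log` begins before the hunk, and `flatten_to_hash` continues past its end.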