Bug 399073: Remove the 'loginnetmask' parameter - Patch by FrÃ©dÃ©ric Buclin <LpSolit@gmail.com> r/a=mkanat

author: lpsolit%gmail.com <> 2009-10-19 01:34:57 +0200
committer: lpsolit%gmail.com <> 2009-10-19 01:34:57 +0200
commit: a7310a522e4ac2b24d01f0cdf44e132d0db8f73b (patch)
tree: f6a86028d5e5db61948e4103c2c4d4ebf1ccfb7f /Bugzilla
parent: da262b500fba8bd50d40a358670a6ac2a88b9056 (diff)
download: bugzilla-a7310a522e4ac2b24d01f0cdf44e132d0db8f73b.tar.gz
bugzilla-a7310a522e4ac2b24d01f0cdf44e132d0db8f73b.tar.xz
7 files changed, 30 insertions, 82 deletions
diff --git a/Bugzilla/Auth/Login/Cookie.pm b/Bugzilla/Auth/Login/Cookie.pm
index e2cd8f5ee..0b002168e 100644
--- a/Bugzilla/Auth/Login/Cookie.pm
+++ b/Bugzilla/Auth/Login/Cookie.pm
@@ -36,7 +36,6 @@ sub get_login_info {
     my $dbh = Bugzilla->dbh;
 
     my $ip_addr      = $cgi->remote_addr();
-    my $net_addr     = get_netaddr($ip_addr);
     my $login_cookie = $cgi->cookie("Bugzilla_logincookie");
     my $user_id      = $cgi->cookie("Bugzilla_login");
 
@@ -60,24 +59,16 @@ sub get_login_info {
         trick_taint($login_cookie);
         detaint_natural($user_id);
 
-        my $query = "SELECT userid
-                       FROM logincookies
-                      WHERE logincookies.cookie = ?
-                            AND logincookies.userid = ?
-                            AND (logincookies.ipaddr = ?";
-
-        # If we have a network block that's allowed to use this cookie,
-        # as opposed to just a single IP.
-        my @params = ($login_cookie, $user_id, $ip_addr);
-        if (defined $net_addr) {
-            trick_taint($net_addr);
-            $query .= " OR logincookies.ipaddr = ?";
-            push(@params, $net_addr);
-        }
-        $query .= ")";
+        my $is_valid =
+          $dbh->selectrow_array('SELECT 1
+                                   FROM logincookies
+                                  WHERE cookie = ?
+                                        AND userid = ?
+                                        AND (ipaddr = ? OR ipaddr IS NULL)',
+                                 undef, ($login_cookie, $user_id, $ip_addr));
 
         # If the cookie is valid, return a valid username.
-        if ($dbh->selectrow_array($query, undef, @params)) {
+        if ($is_valid) {
             # If we logged in successfully, then update the lastused 
             # time on the login cookie
             $dbh->do("UPDATE logincookies SET lastused = NOW() 
diff --git a/Bugzilla/Auth/Persist/Cookie.pm b/Bugzilla/Auth/Persist/Cookie.pm
index 60f90925e..4458e31b5 100644
--- a/Bugzilla/Auth/Persist/Cookie.pm
+++ b/Bugzilla/Auth/Persist/Cookie.pm
@@ -49,17 +49,14 @@ sub persist_login {
     my $dbh = Bugzilla->dbh;
     my $cgi = Bugzilla->cgi;
 
-    my $ip_addr = $cgi->remote_addr;
-    unless ($cgi->param('Bugzilla_restrictlogin') ||
-            Bugzilla->params->{'loginnetmask'} == 32) 
-    {
-        $ip_addr = get_netaddr($ip_addr);
+    my $ip_addr;
+    if ($cgi->param('Bugzilla_restrictlogin')) {
+        $ip_addr = $cgi->remote_addr;
+        # The IP address is valid, at least for comparing with itself in a
+        # subsequent login
+        trick_taint($ip_addr);
     }
 
-    # The IP address is valid, at least for comparing with itself in a
-    # subsequent login
-    trick_taint($ip_addr);
-
     $dbh->bz_start_transaction();
 
     my $login_cookie = 
diff --git a/Bugzilla/Config/Auth.pm b/Bugzilla/Config/Auth.pm
index cbd94617a..1af808eaa 100644
--- a/Bugzilla/Config/Auth.pm
+++ b/Bugzilla/Config/Auth.pm
@@ -91,13 +91,6 @@ sub get_param_list {
   },
 
   {
-   name => 'loginnetmask',
-   type => 't',
-   default => '0',
-   checker => \&check_netmask
-  },
-
-  {
    name => 'requirelogin',
    type => 'b',
    default => '0'
diff --git a/Bugzilla/Config/Common.pm b/Bugzilla/Config/Common.pm
index 90a5a6c76..b722795d4 100644
--- a/Bugzilla/Config/Common.pm
+++ b/Bugzilla/Config/Common.pm
@@ -47,7 +47,7 @@ use base qw(Exporter);
     qw(check_multi check_numeric check_regexp check_url check_group
        check_sslbase check_priority check_severity check_platform
        check_opsys check_shadowdb check_urlbase check_webdotbase
-       check_netmask check_user_verify_class
+       check_user_verify_class
        check_mail_delivery_method check_notification check_utf8
        check_bug_status check_smtp_auth check_theschwartz_available
        check_maxattachmentsize
@@ -248,21 +248,6 @@ sub check_webdotbase {
     return "";
 }
 
-sub check_netmask {
-    my ($mask) = @_;
-    my $res = check_numeric($mask);
-    return $res if $res;
-    if ($mask < 0 || $mask > 32) {
-        return "an IPv4 netmask must be between 0 and 32 bits";
-    }
-    # Note that if we changed the netmask from anything apart from 32, then
-    # existing logincookies which aren't for a single IP won't work
-    # any more. We can't know which ones they are, though, so they'll just
-    # take space until they're periodically cleared, later.
-
-    return "";
-}
-
 sub check_user_verify_class {
     # doeditparams traverses the list of params, and for each one it checks,
     # then updates. This means that if one param checker wants to look at 
diff --git a/Bugzilla/DB/Schema.pm b/Bugzilla/DB/Schema.pm
index 2bd95d501..c5003f798 100644
--- a/Bugzilla/DB/Schema.pm
+++ b/Bugzilla/DB/Schema.pm
@@ -974,7 +974,7 @@ use constant ABSTRACT_SCHEMA => {
                          REFERENCES => {TABLE  => 'profiles',
                                         COLUMN => 'userid',
                                         DELETE => 'CASCADE'}},
-            ipaddr   => {TYPE => 'varchar(40)', NOTNULL => 1},
+            ipaddr   => {TYPE => 'varchar(40)'},
             lastused => {TYPE => 'DATETIME', NOTNULL => 1},
         ],
         INDEXES => [
diff --git a/Bugzilla/Install/DB.pm b/Bugzilla/Install/DB.pm
index e6b577526..df6296056 100644
--- a/Bugzilla/Install/DB.pm
+++ b/Bugzilla/Install/DB.pm
@@ -580,6 +580,9 @@ sub update_table_definitions {
     # 2009-09-28 LpSolit@gmail.com - Bug 519032
     $dbh->bz_drop_column('series', 'last_viewed');
 
+    # 2009-09-28 LpSolit@gmail.com - Bug 399073
+    _fix_logincookies_ipaddr();
+
     ################################################################
     # New --TABLE-- changes should go *** A B O V E *** this point #
     ################################################################
@@ -1249,7 +1252,7 @@ sub _use_ip_instead_of_hostname_in_logincookies {
         # Now update the logincookies schema
         $dbh->bz_drop_column("logincookies", "hostname");
         $dbh->bz_add_column("logincookies", "ipaddr",
-                            {TYPE => 'varchar(40)', NOTNULL => 1}, '');
+                            {TYPE => 'varchar(40)'});
     }
 }
 
@@ -3207,6 +3210,15 @@ sub _convert_disallownew_to_isactive {
     }
 }
 
+sub _fix_logincookies_ipaddr {
+    my $dbh = Bugzilla->dbh;
+    return if !$dbh->bz_column_info('logincookies', 'ipaddr')->{NOTNULL};
+
+    $dbh->bz_alter_column('logincookies', 'ipaddr', {TYPE => 'varchar(40)'});
+    $dbh->do('UPDATE logincookies SET ipaddr = NULL WHERE ipaddr = ?',
+             undef, '0.0.0.0');
+}
+
 1;
 
 __END__
diff --git a/Bugzilla/Util.pm b/Bugzilla/Util.pm
index 90525b9d4..a36b22c37 100644
--- a/Bugzilla/Util.pm
+++ b/Bugzilla/Util.pm
@@ -35,7 +35,7 @@ use base qw(Exporter);
                              detaint_signed
                              html_quote url_quote xml_quote
                              css_class_quote html_light_quote url_decode
-                             i_am_cgi get_netaddr correct_urlbase
+                             i_am_cgi correct_urlbase
                              lsearch do_ssl_redirect_if_required use_attachbase
                              diff_arrays
                              trim wrap_hard wrap_comment find_wrap_point
@@ -601,28 +601,6 @@ sub get_text {
     return $message;
 }
 
-
-sub get_netaddr {
-    my $ipaddr = shift;
-
-    # Check for a valid IPv4 addr which we know how to parse
-    if (!$ipaddr || $ipaddr !~ /^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/) {
-        return undef;
-    }
-
-    my $addr = unpack("N", pack("CCCC", split(/\./, $ipaddr)));
-
-    my $maskbits = Bugzilla->params->{'loginnetmask'};
-
-    # Make Bugzilla ignore the IP address if loginnetmask is set to 0
-    return "0.0.0.0" if ($maskbits == 0);
-
-    $addr >>= (32-$maskbits);
-
-    $addr <<= (32-$maskbits);
-    return join(".", unpack("CCCC", pack("N", $addr)));
-}
-
 sub disable_utf8 {
     if (Bugzilla->params->{'utf8'}) {
         binmode STDOUT, ':bytes'; # Turn off UTF8 encoding.
@@ -657,7 +635,6 @@ Bugzilla::Util - Generic utility functions for bugzilla
 
   # Functions that tell you about your environment
   my $is_cgi   = i_am_cgi();
-  my $net_addr = get_netaddr($ip_addr);
   my $urlbase  = correct_urlbase();
 
   # Functions for searching
@@ -788,13 +765,6 @@ Tells you whether or not you are being run as a CGI script in a web
 server. For example, it would return false if the caller is running
 in a command-line script.
 
-=item C<get_netaddr($ipaddr)>
-
-Given an IP address, this returns the associated network address, using
-C<Bugzilla->params->{'loginnetmask'}> as the netmask. This can be used
-to obtain data in order to restrict weak authentication methods (such as
-cookies) to only some addresses.
-
 =item C<correct_urlbase()>
 
 Returns either the C<sslbase> or C<urlbase> parameter, depending on the
author	lpsolit%gmail.com <>	2009-10-19 01:34:57 +0200
committer	lpsolit%gmail.com <>	2009-10-19 01:34:57 +0200
commit	a7310a522e4ac2b24d01f0cdf44e132d0db8f73b (patch)
tree	f6a86028d5e5db61948e4103c2c4d4ebf1ccfb7f /Bugzilla
parent	da262b500fba8bd50d40a358670a6ac2a88b9056 (diff)
download	bugzilla-a7310a522e4ac2b24d01f0cdf44e132d0db8f73b.tar.gz bugzilla-a7310a522e4ac2b24d01f0cdf44e132d0db8f73b.tar.xz