authorlpsolit%gmail.com <>2006-01-03 23:44:53 +0100
committerlpsolit%gmail.com <>2006-01-03 23:44:53 +0100
commite16ca48833e9dd774a61eaab7ca32c44ce6a4276 (patch)
treefc19ca29fde4d73f039a38fd9c5f69373e5a5d63 /Bugzilla
parent093f6970ea0e8356b5f8a51ec916926fcb68b41f (diff)
Bug 119524: SECURITY: predictable sessionid (Use a token instead of logincookie) - Patch by Olav Vitters <bugzilla-mozilla@bkor.dhs.org> r=mkanat a=justdave
Diffstat (limited to 'Bugzilla')
-rw-r--r--Bugzilla/Auth/Login/WWW/CGI.pm10
-rw-r--r--Bugzilla/DB/Schema.pm2
-rw-r--r--Bugzilla/Token.pm6
3 files changed, 12 insertions, 6 deletions
diff --git a/Bugzilla/Auth/Login/WWW/CGI.pm b/Bugzilla/Auth/Login/WWW/CGI.pm
index 22b2bf1fb..17a9cfce6 100644
--- a/Bugzilla/Auth/Login/WWW/CGI.pm
+++ b/Bugzilla/Auth/Login/WWW/CGI.pm
@@ -35,6 +35,7 @@ use Bugzilla::Config;
use Bugzilla::Constants;
use Bugzilla::Error;
use Bugzilla::Util;
+use Bugzilla::Token;
sub login {
my ($class, $type) = @_;
@@ -70,11 +71,12 @@ sub login {
# subsequent login
trick_taint($ipaddr);
- $dbh->do("INSERT INTO logincookies (userid, ipaddr, lastused)
- VALUES (?, ?, NOW())",
+ my $logincookie = Bugzilla::Token::GenerateUniqueToken('logincookies', 'cookie');
+
+ $dbh->do("INSERT INTO logincookies (cookie, userid, ipaddr, lastused)
+ VALUES (?, ?, ?, NOW())",
undef,
- $userid, $ipaddr);
- my $logincookie = $dbh->bz_last_key('logincookies', 'cookie');
+ $logincookie, $userid, $ipaddr);
# Remember cookie only if admin has told so
# or admin didn't forbid it and user told to remember.
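Review bot: The value assigned to `$logincookie` on the `GenerateUniqueToken('logincookies', 'cookie')` line changes from an integer serial to an opaque string, but this hunk only covers the write side; the code that reads `Bugzilla_logincookie` back from the browser (cookie validation and logout, outside this file) presumably still treats the cookie as a number, and any `detaint_natural`-style check there would now reject every new session, so that path needs to be confirmed in the same change. A second, smaller point: `GenerateUniqueToken` establishes uniqueness with a SELECT and the INSERT on the `$dbh->do` line happens afterwards, so two concurrent logins can in principle draw the same token and, with `cookie` now the primary key, the second INSERT fails the login instead of retrying; a comment such as `# Uniqueness is checked before the INSERT, not atomically; a PK collision here aborts the login` would at least record that. `login` starts and ends outside the hunk.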
diff --git a/Bugzilla/DB/Schema.pm b/Bugzilla/DB/Schema.pm
index 389462263..63b19578d 100644
--- a/Bugzilla/DB/Schema.pm
+++ b/Bugzilla/DB/Schema.pm
@@ -678,7 +678,7 @@ use constant ABSTRACT_SCHEMA => {
logincookies => {
FIELDS => [
- cookie => {TYPE => 'MEDIUMSERIAL', NOTNULL => 1,
+ cookie => {TYPE => 'varchar(16)', NOTNULL => 1,
PRIMARYKEY => 1},
userid => {TYPE => 'INT3', NOTNULL => 1},
ipaddr => {TYPE => 'varchar(40)', NOTNULL => 1},
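Review bot: The new `cookie => {TYPE => 'varchar(16)'` definition fixes the token width to 16 characters without a comment tying it to the generator; if `GenerateUniqueToken` ever produces a longer value, MySQL in non-strict mode would silently truncate it, reducing the entropy of the stored session id and defeating the SELECT-based uniqueness check, so add `# must be at least as wide as the token Bugzilla::Token::GenerateUniqueToken produces`. Changing the column type also does not invalidate rows created under the old sequential scheme, so pre-existing numeric cookie values remain guessable until they expire; the schema migration (not visible here) should clear `logincookies` as part of this upgrade. It is also worth confirming that the column's collation is case-sensitive, since a case-insensitive comparison would shrink the effective token space on lookup.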
diff --git a/Bugzilla/Token.pm b/Bugzilla/Token.pm
index 42dca47d6..dfc7be418 100644
--- a/Bugzilla/Token.pm
+++ b/Bugzilla/Token.pm
@@ -155,12 +155,16 @@ sub GenerateUniqueToken {
# the token in the "tokens" table. Gives up if it can't come up
# with a token after about one hundred tries.
+ my ($table, $column) = @_;
+
my $token;
my $duplicate = 1;
my $tries = 0;
+ $table ||= "tokens";
+ $column ||= "token";
my $dbh = Bugzilla->dbh;
- my $sth = $dbh->prepare("SELECT userid FROM tokens WHERE token = ?");
+ my $sth = $dbh->prepare("SELECT userid FROM $table WHERE $column = ?");
while ($duplicate) {
++$tries;