author: terry%netscape.com <> 1998-09-03 03:52:48 +0200
committer: terry%netscape.com <> 1998-09-03 03:52:48 +0200
commit: 968e9d7a88eeb91e635b88b7e5ae5b795e0b4225
tree: 48fd47f41237d9436e4d066be67a869ca4769992 /changepassword.cgi
parent: a40c093d9249b8afcf14a4eccc02127d0bd18a08
Changed the way password validation works. We now keep a crypt'd version of the password in the database, and check against that. (This is silly, because we're also keeping the plaintext version there, but I have plans...) Stop passing the plaintext password around as a cookie; instead, we have a cookie that references a record in a new database table, logincookies.

IMPORTANT: if updating from an older version of Bugzilla, you must run the following commands to keep things working:

./makelogincookiestable.sh
echo "alter table profiles add column cryptpassword varchar(64);" | mysql bugs
echo "update profiles set cryptpassword = encrypt(password,substring(rand(),3, 4));" | mysql bugs
Diffstat (limited to 'changepassword.cgi')
-rwxr-xr-x changepassword.cgi 6
1 files changed, 5 insertions, 1 deletions
diff --git a/changepassword.cgi b/changepassword.cgi
index 2e0a4f06a..9e031bb16 100755
--- a/changepassword.cgi
+++ b/changepassword.cgi
@@ -66,7 +66,11 @@ Please click <b>Back</b> and try again."
puts "Content-type: text/html\n"
-SendSQL "update profiles set password='$pwd' where login_name='[SqlQuote $COOKIE(Bugzilla_login)]'"
+SendSQL "select encrypt('$pwd')"
+set encrypted [lindex [FetchSQLData] 0]
+
+SendSQL "update profiles set password='$pwd',cryptpassword='$encrypted' where login_name='[SqlQuote $COOKIE(Bugzilla_login)]'"
+SendSQL "update logincookies set cryptpassword = '$encrypted' where cookie = $COOKIE(Bugzilla_logincookie)"
puts "<H1>OK, done.</H1>
Your new password has been set.
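Review bot: $pwd is spliced unquoted into "select encrypt('$pwd')" and into the "update profiles set password='$pwd',cryptpassword='$encrypted'" statement, and $COOKIE(Bugzilla_logincookie) is spliced unquoted into "where cookie = $COOKIE(Bugzilla_logincookie)", while the same lines run login_name through SqlQuote; a password or cookie value containing a quote or other SQL metacharacter will break the statement or change what it does, so both values should go through SqlQuote (and the cookie comparison should be quoted) before being interpolated, as login_name already is. The new update also still writes the plaintext password into profiles.password next to cryptpassword, as the commit message acknowledges; a code comment here saying that the plaintext column is transitional would help whoever later removes it.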