diff options
| author | justdave%syndicomm.com <> | 2001-07-11 14:29:16 +0200 |
|---|---|---|
| committer | justdave%syndicomm.com <> | 2001-07-11 14:29:16 +0200 |
| commit | 022265211b1a3b3dad3fcf679756392c3eb6a285 (patch) | |
| tree | 79c99d0bea86b527395b4aac32a37eef739c67dc /userprefs.cgi | |
| parent | f208e298e2ac9836c8138449a0691f6deb850c4a (diff) | |
| download | bugzilla-022265211b1a3b3dad3fcf679756392c3eb6a285.tar.gz bugzilla-022265211b1a3b3dad3fcf679756392c3eb6a285.tar.xz | |
Fix for bug 77473, bug 74032, and bug 85472: Passwords are no longer stored in plaintext in the database. Passwords are no longer encrypted with MySQL's ENCRYPT() function (because it doesn't work on some installs), but with Perl's crypt() function. The crypt-related routines now properly deal with salts so that they work on systems that use methods other than UNIX crypt to crypt the passwords (such as MD5). Checksetup.pl will walk through your database and re-crypt everyone's passwords based on the plaintext password entry, then drop the plaintext password column. As a consequence of no longer having a plaintext password, it is no longer possible to email someone their password, so the login screen has been changed to request a password reset instead. The user is emailed a temporary identifying token, with a link back to Bugzilla. They click on the link or paste it into their browser and Bugzilla allows them to change their password.
Patch by Myk Melez <myk@mozilla.org>
r= justdave@syndicomm.com, jake@acutex.net
Diffstat (limited to 'userprefs.cgi')
| -rwxr-xr-x | userprefs.cgi | 19 |
1 files changed, 13 insertions, 6 deletions
diff --git a/userprefs.cgi b/userprefs.cgi index f880cf8e2..0eeda0e71 100755 --- a/userprefs.cgi +++ b/userprefs.cgi @@ -148,9 +148,12 @@ sub SaveAccount { my $old = SqlQuote($::FORM{'Bugzilla_password'}); my $pwd1 = SqlQuote($::FORM{'pwd1'}); my $pwd2 = SqlQuote($::FORM{'pwd2'}); - SendSQL("SELECT cryptpassword = ENCRYPT($old, LEFT(cryptpassword, 2)) " . - "FROM profiles WHERE userid = $userid"); - if (!FetchOneColumn()) { + SendSQL("SELECT cryptpassword FROM profiles WHERE userid = $userid"); + my $oldcryptedpwd = FetchOneColumn(); + if ( !$oldcryptedpwd ) { + Error("I was unable to retrieve your old password from the database."); + } + if ( crypt($::FORM{'Bugzilla_password'}, $oldcryptedpwd) ne $oldcryptedpwd ) { Error("You did not enter your old password correctly."); } if ($pwd1 ne $pwd2) { @@ -159,9 +162,13 @@ sub SaveAccount { if ($::FORM{'pwd1'} eq '') { Error("You must enter a new password."); } - SendSQL("UPDATE profiles SET password = $pwd1, " . - "cryptpassword = ENCRYPT($pwd1) " . - "WHERE userid = $userid"); + my $passworderror = ValidatePassword($::FORM{'pwd1'}); + Error($passworderror) if $passworderror; + + my $cryptedpassword = SqlQuote(Crypt($::FORM{'pwd1'})); + SendSQL("UPDATE profiles + SET cryptpassword = $cryptedpassword + WHERE userid = $userid"); } SendSQL("UPDATE profiles SET " . "realname = " . SqlQuote($::FORM{'realname'}) . |