summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--Bugzilla/Install/DB.pm27
-rw-r--r--Bugzilla/Object.pm20
2 files changed, 46 insertions, 1 deletions
diff --git a/Bugzilla/Install/DB.pm b/Bugzilla/Install/DB.pm
index bb82f5e2d..8af0eeb12 100644
--- a/Bugzilla/Install/DB.pm
+++ b/Bugzilla/Install/DB.pm
@@ -745,6 +745,9 @@ sub update_table_definitions {
$dbh->bz_add_index('bz_schema', 'bz_schema_version_idx',
{FIELDS => ['version'], TYPE => 'UNIQUE'});
+ # 2015-12-16 LpSolit@gmail.com - Bug 1232578
+ _sanitize_audit_log_table();
+
################################################################
# New --TABLE-- changes should go *** A B O V E *** this point #
################################################################
@@ -3930,6 +3933,30 @@ sub _update_alias {
$dbh->bz_drop_column('bugs', 'alias');
}
+sub _sanitize_audit_log_table {
+ my $dbh = Bugzilla->dbh;
+
+ # Replace hashed passwords by a generic comment.
+ my $class = 'Bugzilla::User';
+ my $field = 'cryptpassword';
+
+ my $hashed_passwd =
+ $dbh->selectcol_arrayref('SELECT added FROM audit_log WHERE class = ? AND field = ?
+ AND ' . $dbh->sql_not_ilike('hashed_with_', 'added'),
+ undef, ($class, $field));
+ if (@$hashed_passwd) {
+ say "Sanitizing hashed passwords stored in the 'audit_log' table...";
+ my $sth = $dbh->prepare('UPDATE audit_log SET added = ?
+ WHERE class = ? AND field = ? AND added = ?');
+
+ foreach my $passwd (@$hashed_passwd) {
+ my (undef, $sanitized_passwd) =
+ Bugzilla::Object::_sanitize_audit_log($class, $field, [undef, $passwd]);
+ $sth->execute($sanitized_passwd, $class, $field, $passwd);
+ }
+ }
+}
+
1;
__END__
diff --git a/Bugzilla/Object.pm b/Bugzilla/Object.pm
index 8f25e2b20..d43c8ca34 100644
--- a/Bugzilla/Object.pm
+++ b/Bugzilla/Object.pm
@@ -599,11 +599,29 @@ sub audit_log {
foreach my $field (keys %$changes) {
# Skip private changes.
next if $field =~ /^_/;
- my ($from, $to) = @{ $changes->{$field} };
+ my ($from, $to) = $self->_sanitize_audit_log($field, $changes->{$field});
$sth->execute($user_id, $class, $self->id, $field, $from, $to);
}
}
+sub _sanitize_audit_log {
+ my ($self, $field, $changes) = @_;
+ my $class = ref($self) || $self;
+
+ # Do not store hashed passwords. Only record the algorithm used to encode them.
+ if ($class eq 'Bugzilla::User' && $field eq 'cryptpassword') {
+ foreach my $passwd (@$changes) {
+ next unless $passwd;
+ my $algorithm = 'unknown_algorithm';
+ if ($passwd =~ /{([^}]+)}$/) {
+ $algorithm = $1;
+ }
+ $passwd = "hashed_with_$algorithm";
+ }
+ }
+ return @$changes;
+}
+
sub flatten_to_hash {
my $self = shift;
my $class = blessed($self);