summaryrefslogtreecommitdiffstats
path: root/Bugzilla/Auth
AgeCommit message (Collapse)AuthorFilesLines
2017-09-15Bug 1391702 - Replace Bugzilla::User::validate_password() with calls to ↵Dylan William Hardison2-8/+10
Data::Password::passwdqc
2017-07-07Bug 1377933 - Remove trailing whitespace from all perl filesDylan William Hardison9-27/+27
2016-09-13Bug 1283930 - Add Makefile.PL & local/lib/perl5 support to bmo/master + ↵Dylan William Hardison12-225/+98
local symlink to data/ directory
2016-09-12Revert "Bug 1283930 - Add Makefile.PL & local/lib/perl5 support to ↵Dylan William Hardison12-98/+225
bmo/master + local symlink to data/ directory" This reverts commit e6bf4cacb10f86077fe898349485f5c7ab9fb4b6.
2016-09-12Bug 1283930 - Add Makefile.PL & local/lib/perl5 support to bmo/master + ↵Dylan William Hardison12-225/+98
local symlink to data/ directory
2016-05-19Bug 1262039 - typo in error message "Failed to retreive components..."David Lawrence1-1/+1
2016-05-03Bug 1269236 - Incorrect checking of API tokens possibly leads to CSRF and ↵Dylan Hardison1-9/+6
data disclosure vulnerability for insecure accounts
2016-03-15Bug 1229834 - extend information we [audit] log to the syslogDylan Hardison1-0/+10
2015-11-05Bug 1196743 - Fix information disclosure vulnerability that allows attacker ↵Dylan Hardison1-0/+2
to obtain victim's GitHub OAuth return code
2015-09-01Bug 1197073 - add support for 2fa using totp (eg. google authenticator)Byron Jones2-1/+22
2015-08-25Bug 1197699 - always store the ip address in the logincookies tableByron Jones2-12/+8
2015-08-24Bug 1192687 - add the ability for users to view and revoke existing sessionsDylan William Hardison1-1/+10
2015-08-11Bug 1184332 - Add Restricted API calls for MozReviewDylan William Hardison1-0/+13
2015-04-24Bug 1157395: CSRF in log in formDavid Lawrence1-5/+38
2015-03-26Bug 1147550: Minimum password length handler not trusted by password changeByron Jones1-4/+13
2015-03-09Bug 1140966: backport bug 1139257 to bmo (allow cookie+api-token GET REST ↵Byron Jones1-8/+18
requests)
2015-01-29Bug 1045145: backport upstream bug 726696 to bmo/4.2 to allow use of api ↵David Lawrence2-1/+68
keys for authentication
2014-11-14Bug 1097813: backport upstream bug 1001462 to bmo/4.2 to fix issue with ↵David Lawrence3-3/+4
using tokens with webservice rest api
2014-11-04Bug 1093622: Backout bug 1090427 for causing: authenticated calls from bzapi ↵Byron Jones1-37/+4
are failing: 'Untrusted Authentication Request'
2014-11-04Bug 1090427: Backport bug 713926 to bmo/4.2 to protect against csrf for ↵David Lawrence1-4/+37
login forms
2014-05-20Bug 1009017: users are unable to log in if their password needs to be ↵Byron Jones1-1/+3
re-encrypted and their password does not match the current complexity rule
2014-03-04Bug 966180: backport bug 956233 to bmo (enable USE_MEMCACHE on most objects)Byron Jones2-2/+7
2013-12-31merged with bugzilla/4.2Dave Lawrence1-1/+2
2013-12-21Bug 748095: Bugzilla crashes when the shutdownhtml parameter is set and ↵Frédéric Buclin1-1/+1
using a non-cookie based authentication method r=dkl a=justdave
2013-10-25Bug 921523 - backport upstream bug 917669 to bmo/4.2 to throw error when ↵Dave Lawrence1-7/+10
invalid cookies/tokens are used with webservices
2013-10-17merged with bugzilla/4.2Dave Lawrence1-3/+3
2013-10-16Bug 907438 - In MySQL, login cookie checking is not case-sensitive, reducing ↵Dave Lawrence1-3/+3
total entropy and allowing easier brute force r=LpSolit,a=sgreen
2013-09-27Revert Bug 917669 - invalid or expired authentication tokens and cookies ↵Dave Lawrence1-13/+8
should throw errors, not be silently ignored
2013-09-26Bug 917669 - invalid or expired authentication tokens and cookies should ↵Dave Lawrence1-8/+13
throw errors, not be silently ignored
2013-08-29Bug 909634 - backport upstream bug 893195 to bmo/4.2 for token auth support ↵Dave Lawrence3-23/+79
in webservices
2012-08-30Bug 785470: (CVE-2012-3981) [SECURITY] Missing escaping of the username can ↵Reed Loden1-0/+2
lead to LDAP injection r/a=LpSolit
2011-11-18Make Login/Stack.pm refuse to continue down the stack if an Auth method ↵Gervase Markham1-2/+8
returns an explicit failure. r=dkl, a=mkanat. https://bugzilla.mozilla.org/show_bug.cgi?id=698423
2011-05-06Bug 653713: editusers.cgi crashes when editing a user profileJochen Wiedmann1-1/+4
r/a=mkanat
2011-04-28Bug 423612 - Allow editing extern_id for users from the admin interfaceJochen Wiedmann5-0/+30
r=mkanat, a=mkanat
2010-10-15Bug 604522: t/012throwables.t doesn't catch new user errors correctlyFrédéric Buclin1-2/+2
r/a=mkanat
2010-10-14Bug 575947: Users with passwords length less than 6 characters can't login ↵Frédéric Buclin1-0/+6
after migration from 3.4.x or older to 3.6 or newer r/a=mkanat
2010-10-07Bug 602165: Change sql_interval to sql_date_math, in preparation forMax Kanat-Alexander1-2/+3
MS-SQL and SQLite support.
2010-04-22Bug 550732: Allow read-only JSON-RPC methods to be called with GETMax Kanat-Alexander4-0/+16
r=dkl, a=mkanat
2010-03-24Bug 553770: Make the JSON-RPC WebService throw a proper error when you don'tMax Kanat-Alexander1-4/+2
provide login credentials on a LOGIN_REQUIRED page. (Before this, it was attempting to display the HTML login page to JSON-RPC clients.) r=dkl, a=mkanat
2010-02-01Fix the data in the bzr repo to match the data in the CVS repo.Max Kanat-Alexander1-0/+0
During the CVS imports into Bzr, there were some inconsistencies introduced (mostly that files that were deleted in CVS weren't being deleted in Bzr). So this checkin makes the bzr repo actually consistent with the CVS repo, including fixing permissions of files.
2010-01-05Bug 467992: Login fails if the user's LDAP account is denied search in LDAP ↵lpsolit%gmail.com1-5/+28
- Patch by Adam Batkin <adam@batkin.net> r/a=mkanat
2009-12-31Bug 527586: Use X-Forwarded-For instead of REMOTE_ADDR for trusted proxiesmkanat%bugzilla.org2-2/+2
Patch by Max Kanat-Alexander <mkanat@bugzilla.org> r=dkl, a=mkanat
2009-12-31Bug 385606: Logincookies are recreated at each HTTP request when using the ↵lpsolit%gmail.com1-0/+1
'Env' auth method - Patch by Frédéric Buclin <LpSolit@gmail.com> r/a=mkanat
2009-12-13Bug 355283: Lock out a user account on a particular IP for 30 minutes if ↵mkanat%bugzilla.org1-16/+30
they fail to log in 5 times from that IP. Patch by Max Kanat-Alexander <mkanat@bugzilla.org> r=LpSolit, a=LpSolit
2009-11-24Bug 430014: Re-write the code hooks system so that it uses modules instead ↵mkanat%bugzilla.org2-2/+2
of individual .pl files Patch by Max Kanat-Alexander <mkanat@bugzilla.org> (module owner) a=mkanat
2009-11-09Bug 525734: Allow WebService clients to authenticate using Bugzilla_login ↵mkanat%bugzilla.org2-8/+7
and Bugzilla_password Patch by Max Kanat-Alexander <mkanat@bugzilla.org> r=dkl, a=mkanat
2009-10-19Bug 399073: Remove the 'loginnetmask' parameter - Patch by Frédéric ↵lpsolit%gmail.com2-26/+14
Buclin <LpSolit@gmail.com> r/a=mkanat
2009-10-09Bug 514913: Eliminate ssl="authenticated sessions"mkanat%bugzilla.org2-16/+3
Patch by Max Kanat-Alexander <mkanat@bugzilla.org> r=dkl, a=mkanat
2009-04-17Bug 488467: Verify and Login auth methods were being called in a random ↵mkanat%bugzilla.org2-2/+2
order, causing sudo sessions to frequently not need the user to re-enter their password. Patch by Max Kanat-Alexander <mkanat@bugzilla.org> r=LpSolit, a=LpSolit
2009-03-02Bug 121601: Have logout display index.cgi, not just a message on relogin.cgi.mkanat%bugzilla.org1-0/+1
Patch by Max Kanat-Alexander <mkanat@bugzilla.org> r=LpSolit, a=LpSolit