From e16ca48833e9dd774a61eaab7ca32c44ce6a4276 Mon Sep 17 00:00:00 2001
From: "lpsolit%gmail.com" <>
Date: Tue, 3 Jan 2006 22:44:53 +0000
Subject: Bug 119524: SECURITY: predictable sessionid (Use a token instead of logincookie) - Patch by Olav Vitters r=mkanat a=justdave

---
 Bugzilla/Auth/Login/WWW/CGI.pm | 10 ++++++----
 Bugzilla/DB/Schema.pm | 2 +-
 Bugzilla/Token.pm | 6 +++++-
 checksetup.pl | 6 ++++++
 4 files changed, 18 insertions(+), 6 deletions(-)

diff --git a/Bugzilla/Auth/Login/WWW/CGI.pm b/Bugzilla/Auth/Login/WWW/CGI.pm
index 22b2bf1fb..17a9cfce6 100644
--- a/Bugzilla/Auth/Login/WWW/CGI.pm
+++ b/Bugzilla/Auth/Login/WWW/CGI.pm
@@ -35,6 +35,7 @@ use Bugzilla::Config;
 use Bugzilla::Constants;
 use Bugzilla::Error;
 use Bugzilla::Util;
+use Bugzilla::Token;
 sub login {
 my ($class, $type) = @_;
@@ -70,11 +71,12 @@ sub login {
 # subsequent login
 trick_taint($ipaddr);
- $dbh->do("INSERT INTO logincookies (userid, ipaddr, lastused)
- VALUES (?, ?, NOW())",
+ my $logincookie = Bugzilla::Token::GenerateUniqueToken('logincookies', 'cookie');
+
+ $dbh->do("INSERT INTO logincookies (cookie, userid, ipaddr, lastused)
+ VALUES (?, ?, ?, NOW())",
 undef,
- $userid, $ipaddr);
- my $logincookie = $dbh->bz_last_key('logincookies', 'cookie');
+ $logincookie, $userid, $ipaddr);
 # Remember cookie only if admin has told so
 # or admin didn't forbid it and user told to remember.
diff --git a/Bugzilla/DB/Schema.pm b/Bugzilla/DB/Schema.pm
index 389462263..63b19578d 100644
--- a/Bugzilla/DB/Schema.pm
+++ b/Bugzilla/DB/Schema.pm
@@ -678,7 +678,7 @@ use constant ABSTRACT_SCHEMA => {
 logincookies => {
 FIELDS => [
- cookie => {TYPE => 'MEDIUMSERIAL', NOTNULL => 1,
+ cookie => {TYPE => 'varchar(16)', NOTNULL => 1,
 PRIMARYKEY => 1},
 userid => {TYPE => 'INT3', NOTNULL => 1},
 ipaddr => {TYPE => 'varchar(40)', NOTNULL => 1},
diff --git a/Bugzilla/Token.pm b/Bugzilla/Token.pm
index 42dca47d6..dfc7be418 100644
--- a/Bugzilla/Token.pm
+++ b/Bugzilla/Token.pm
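Review bot: The uniqueness probe inside `GenerateUniqueToken` and the `INSERT` in the `@@ -70` hunk are two separate statements, so a concurrent login that draws the same token between them now dies with a duplicate-key error on the new `cookie` primary key instead of being retried; with a random token that is acceptable, but it should be stated next to the insert, e.g. `# cookie is the PK: a (rare) collision with a concurrent insert dies here instead of retrying`. This hunk changes only the issuing side: the code that reads the login cookie back from the browser and looks it up by `cookie = ?` is not part of this commit, and if it still validates that value as a natural number before querying it will reject every new-style session, so it is worth confirming. `sub login` starts and ends outside the hunk.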
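Review bot: `varchar(16)` fixes an upper bound that the generator in `Bugzilla::Token` must respect, but the generated token length is not visible in this commit and nothing here ties the two together; a comment on the column such as `# must be >= the length produced by Bugzilla::Token::GenerateUniqueToken` would keep them from drifting apart. On MySQL the default collation for a `varchar` column is, as far as I can tell, case-insensitive, which means both the `WHERE cookie = ?` lookup and the uniqueness probe would treat tokens differing only in letter case as the same value, reducing the effective key space below what 16 mixed-case characters suggest; if the token alphabet is mixed-case this deserves either a case-sensitive collation or a note explaining why it is tolerated. `ABSTRACT_SCHEMA` continues outside the hunk.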
@@ -155,12 +155,16 @@ sub GenerateUniqueToken {
 # the token in the "tokens" table. Gives up if it can't come up
 # with a token after about one hundred tries.
+ my ($table, $column) = @_;
+
 my $token;
 my $duplicate = 1;
 my $tries = 0;
+ $table ||= "tokens";
+ $column ||= "token";
 my $dbh = Bugzilla->dbh;
- my $sth = $dbh->prepare("SELECT userid FROM tokens WHERE token = ?");
+ my $sth = $dbh->prepare("SELECT userid FROM $table WHERE $column = ?");
 while ($duplicate) {
 ++$tries;
diff --git a/checksetup.pl b/checksetup.pl
index 7522d994c..e8528aee1 100755
--- a/checksetup.pl
+++ b/checksetup.pl
@@ -4233,6 +4233,12 @@ $dbh->bz_add_column('namedqueries', 'query_type',
 $dbh->bz_alter_column('groups', 'userregexp',
 {TYPE => 'TINYTEXT', NOTNULL => 1, DEFAULT => "''"});
+# 2005-09-26 - olav@bkor.dhs.org - Bug 119524
+# Convert logincookies into a varchar
+# this allows to store a random token instead of a guessable auto_increment
+$dbh->bz_alter_column('logincookies', 'cookie',
+ {TYPE => 'varchar(16)', PRIMARYKEY => 1, NOTNULL => 1});
+
 # If you had to change the --TABLE-- definition in any way, then add your
 # differential change code *** A B O V E *** this comment.
-- 
cgit v1.2.3-24-g4f1b
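Review bot: `$table` and `$column` are interpolated directly into the prepared statement in the `Token.pm` hunk; both callers in this commit pass string literals, so there is no injection today, but a function that builds SQL from its arguments should enforce that contract rather than rely on every future caller, e.g. `die "GenerateUniqueToken: bad table/column name" unless $table =~ /^\w+$/ && $column =~ /^\w+$/;` right after the `||=` defaults. The query also assumes whichever table is named has a `userid` column, which holds for `tokens` and `logincookies` but is an undocumented requirement of the new parameters. The header comment still says uniqueness is checked against "the token in the tokens table"; it should describe the optional `$table`/`$column` arguments, their defaults, and the `userid` column requirement. The retry loop and the token generation itself continue outside the hunk.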
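Review bot: The `checksetup.pl` migration changes the column type but keeps every existing row, so the old sequential `auto_increment` values remain valid, still guessable sessions until they expire on their own, which undercuts the point of the change stated in the comment. The rows should be cleared as part of this step, e.g. `$dbh->do("DELETE FROM logincookies");` immediately before the `bz_alter_column`, guarded by a check that the column still has the old `MEDIUMSERIAL` type so the deletion runs only on the one upgrade rather than on every `checksetup.pl` run. Whether `bz_alter_column` also drops the underlying auto-increment attribute when converting a serial column to `varchar` is not visible here and is worth confirming on each supported database.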