From d9cbb0f0a62bba345ed26ac68364bb441f41d35d Mon Sep 17 00:00:00 2001 From: "mkanat%bugzilla.org" <> Date: Fri, 12 May 2006 09:40:56 +0000 Subject: Bug 300410: Bugzilla::Auth needs to be restructured to not require a BEGIN block Patch By Max Kanat-Alexander r=LpSolit, a=myk --- Bugzilla/Auth/Login/Cookie.pm | 83 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 83 insertions(+) create mode 100644 Bugzilla/Auth/Login/Cookie.pm (limited to 'Bugzilla/Auth/Login/Cookie.pm')
diff --git a/Bugzilla/Auth/Login/Cookie.pm b/Bugzilla/Auth/Login/Cookie.pm
new file mode 100644
index 000000000..e4cc0daac
--- /dev/null
+++ b/Bugzilla/Auth/Login/Cookie.pm
@@ -0,0 +1,83 @@
+# -*- Mode: perl; indent-tabs-mode: nil -*-
+#
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+#
+# The Original Code is the Bugzilla Bug Tracking System.
+#
+# Contributor(s): Bradley Baetz
+# Max Kanat-Alexander
+
+package Bugzilla::Auth::Login::Cookie;
+use strict;
+use base qw(Bugzilla::Auth::Login);
+
+use Bugzilla::Auth;
+use Bugzilla::Constants;
+use Bugzilla::User;
+use Bugzilla::Util;
+
+use constant requires_persistence => 0;
+use constant requires_verification => 0;
+use constant can_login => 0;
+
+# Note that Cookie never consults the Verifier, it always assumes
+# it has a valid DB account or it fails.
+sub get_login_info {
+ my ($self) = @_;
+ my $cgi = Bugzilla->cgi;
+ my $dbh = Bugzilla->dbh;
+
+ my $ip_addr = $cgi->remote_addr();
+ my $net_addr = Bugzilla::Auth::get_netaddr($ip_addr);
+ my $login_cookie = $cgi->cookie("Bugzilla_logincookie");
+ my $user_id = $cgi->cookie("Bugzilla_login");
+
+ if ($login_cookie && $user_id) {
+ # Anything goes for these params - they're just strings which
+ # we're going to verify against the db
+ trick_taint($ip_addr);
+ trick_taint($login_cookie);
+ detaint_natural($user_id);
+
+ my $query = "SELECT userid
+ FROM logincookies
+ WHERE logincookies.cookie = ?
+ AND logincookies.userid = ?
+ AND (logincookies.ipaddr = ?";
+
+ # If we have a network block that's allowed to use this cookie,
+ # as opposed to just a single IP.
+ my @params = ($login_cookie, $user_id, $ip_addr);
+ if (defined $net_addr) {
+ trick_taint($net_addr);
+ $query .= " OR logincookies.ipaddr = ?";
+ push(@params, $net_addr);
+ }
+ $query .= ")";
+
+ # If the cookie is valid, return a valid username.
+ if ($dbh->selectrow_array($query, undef, @params)) {
+ # If we logged in successfully, then update the lastused
+ # time on the login cookie
+ $dbh->do("UPDATE logincookies SET lastused = NOW()
+ WHERE cookie = ?", undef, $login_cookie);
+ return { user_id => $user_id };
+ }
+ }
+
+ # Either the he cookie is invalid, or we got no cookie. We don't want
+ # to ever return AUTH_LOGINFAILED, because we don't want Bugzilla to
+ # actually throw an error when it gets a bad cookie. It should just
+ # look like there was no cokie to begin with.
+ return { failure => AUTH_NODATA };
+}
+
+1;
-- cgit v1.2.3-24-g4f1b
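Review bot: In get_login_info the result of `detaint_natural($user_id)` is discarded, so a non-numeric `Bugzilla_login` cookie is rejected only indirectly, presumably because the helper undefines the value and the `userid = ?` comparison then matches no row. Failing closed explicitly would remove that dependency, e.g. `detaint_natural($user_id) || return { failure => AUTH_NODATA };` right after the two `trick_taint` calls. On success the sub returns the cookie-supplied `$user_id` rather than the value selected from logincookies; capturing the row with `my ($db_user_id) = $dbh->selectrow_array($query, undef, @params);` and returning that keeps the authenticated identity sourced from the database. The SELECT also never looks at `lastused`, so cookie age is not enforced in this lookup; if expiry is handled elsewhere, a short comment above the query saying so would help.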