From 90a618266ecb83f138cd5d0a3ff5bf26012625e9 Mon Sep 17 00:00:00 2001
From: Byron Jones
Date: Tue, 25 Aug 2015 13:37:20 +0800
Subject: Bug 1197699 - always store the ip address in the logincookies table
---
 Bugzilla/Auth/Login/Cookie.pm | 2 +-
 Bugzilla/Auth/Persist/Cookie.pm | 18 +++++++-----------
 2 files changed, 8 insertions(+), 12 deletions(-)
(limited to 'Bugzilla/Auth')
diff --git a/Bugzilla/Auth/Login/Cookie.pm b/Bugzilla/Auth/Login/Cookie.pm
index 46024bca4..738d26b21 100644
--- a/Bugzilla/Auth/Login/Cookie.pm
+++ b/Bugzilla/Auth/Login/Cookie.pm
@@ -107,7 +107,7 @@ sub get_login_info {
 FROM logincookies
 WHERE cookie = ?
 AND userid = ?
- AND (ipaddr = ? OR ipaddr IS NULL)',
+ AND (restrict_ipaddr = 0 OR ipaddr = ?)',
 undef, ($login_cookie, $user_id, $ip_addr));
 # If the cookie is valid, return a valid username.
diff --git a/Bugzilla/Auth/Persist/Cookie.pm b/Bugzilla/Auth/Persist/Cookie.pm
index a064a231a..4adb00f96 100644
--- a/Bugzilla/Auth/Persist/Cookie.pm
+++ b/Bugzilla/Auth/Persist/Cookie.pm
@@ -50,22 +50,18 @@ sub persist_login {
 my $cgi = Bugzilla->cgi;
 my $input_params = Bugzilla->input_params;
- my $ip_addr;
- if ($input_params->{'Bugzilla_restrictlogin'}) {
- $ip_addr = remote_ip();
- # The IP address is valid, at least for comparing with itself in a
- # subsequent login
- trick_taint($ip_addr);
- }
-
 $dbh->bz_start_transaction();
 my $login_cookie = Bugzilla::Token::GenerateUniqueToken('logincookies', 'cookie');
- $dbh->do("INSERT INTO logincookies (cookie, userid, ipaddr, lastused)
- VALUES (?, ?, ?, NOW())",
- undef, $login_cookie, $user->id, $ip_addr);
+ my $ip_addr = remote_ip();
+ trick_taint($ip_addr);
+ my $restrict = $input_params->{Bugzilla_restrictlogin} ? 1 : 0;
+
+ $dbh->do("INSERT INTO logincookies (cookie, userid, ipaddr, lastused, restrict_ipaddr)
+ VALUES (?, ?, ?, NOW(), ?)",
+ undef, $login_cookie, $user->id, $ip_addr, $restrict);
 # Issuing a new cookie is a good time to clean up the old
 # cookies.
--
cgit v1.2.3-24-g4f1b
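Review bot: Sessions that were IP-restricted before this change could lose that restriction on upgrade, because the new predicate `restrict_ipaddr = 0 OR ipaddr = ?` in get_login_info trusts a column whose migration is not part of this diff (the view is limited to Bugzilla/Auth). If the column is added with a default of 0 and no backfill, every existing row with a non-NULL ipaddr would be accepted from any address. The schema update should set `restrict_ipaddr = 1` for rows where `ipaddr IS NOT NULL`, and the column should be NOT NULL so the comparison never evaluates to unknown. get_login_info starts and ends outside the hunk.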
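Review bot: `trick_taint($ip_addr)` in persist_login now runs on every login, while the comment that justified the untaint was deleted along with the old conditional block. I would keep a justification beside it, for example `# Untainted only so it can be bound as a placeholder and compared on later logins; not validated.`, so that a later edit does not treat the value as checked input. Because ipaddr is now stored for every session, enforcement rests entirely on `restrict_ipaddr`, and whatever remote_ip() returns behind a proxy (not visible here) determines both the stored value and what a restricted cookie is later compared with. persist_login starts and ends outside the hunk.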