Commit 7587c6c4 authored by Dave Lawrence's avatar Dave Lawrence

Bug 906745 - In MySQL, tokens are not case-sensitive, reducing total entropy and…

Bug 906745 - In MySQL, tokens are not case-sensitive, reducing total entropy and allowing easier brute force r=LpSolit,a=glob
parent 305504a9
...@@ -258,13 +258,18 @@ sub Cancel { ...@@ -258,13 +258,18 @@ sub Cancel {
# Get information about the token being canceled. # Get information about the token being canceled.
trick_taint($token); trick_taint($token);
my ($issuedate, $tokentype, $eventdata, $userid) = my ($db_token, $issuedate, $tokentype, $eventdata, $userid) =
$dbh->selectrow_array('SELECT ' . $dbh->sql_date_format('issuedate') . ', $dbh->selectrow_array('SELECT token, ' . $dbh->sql_date_format('issuedate') . ',
tokentype, eventdata, userid tokentype, eventdata, userid
FROM tokens FROM tokens
WHERE token = ?', WHERE token = ?',
undef, $token); undef, $token);
# Some DBs such as MySQL are case-insensitive by default so we do
# a quick comparison to make sure the tokens are indeed the same.
(defined $db_token && $db_token eq $token)
|| ThrowCodeError("cancel_token_does_not_exist");
# If we are canceling the creation of a new user account, then there # If we are canceling the creation of a new user account, then there
# is no entry in the 'profiles' table. # is no entry in the 'profiles' table.
my $user = new Bugzilla::User($userid); my $user = new Bugzilla::User($userid);
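Review bot: The `SELECT ... WHERE token = ?` just above the new comparison still matches case-insensitively on MySQL, so the Perl-side `eq` check is only sound if at most one row can satisfy the query; if the `token` column is not unique under that collation, `selectrow_array` may return a case-variant row and reject a token that does exist (GetTokenData in the next hunk has the same dependency). Worth stating that assumption in the new comment, e.g. `# Relies on the token column being unique under the DB collation, so at most one row matches and an exact eq check is sufficient.`, or forcing a byte-wise comparison in the SQL where the driver supports it. Consider also whether a non-matching token should be a user-level error rather than ThrowCodeError, since a user following a stale cancel link can trigger this path. Cancel's body continues outside the hunk.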
...@@ -329,10 +334,17 @@ sub GetTokenData { ...@@ -329,10 +334,17 @@ sub GetTokenData {
$token = clean_text($token); $token = clean_text($token);
trick_taint($token); trick_taint($token);
return $dbh->selectrow_array( my @token_data = $dbh->selectrow_array(
"SELECT userid, " . $dbh->sql_date_format('issuedate') . ", eventdata, tokentype "SELECT token, userid, " . $dbh->sql_date_format('issuedate') . ", eventdata, tokentype
FROM tokens FROM tokens
WHERE token = ?", undef, $token); WHERE token = ?", undef, $token);
# Some DBs such as MySQL are case-insensitive by default so we do
# a quick comparison to make sure the tokens are indeed the same.
my $db_token = shift @token_data;
return undef if (!defined $db_token || $db_token ne $token);
return @token_data;
} }
# Deletes specified token # Deletes specified token
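Review bot: `return undef if (...)` after `my $db_token = shift @token_data;` yields a one-element list `(undef)` in list context, whereas the previous `return $dbh->selectrow_array(...)` yielded an empty list when no row matched, so a caller testing `if (my @data = GetTokenData($token))` now sees a true value for a rejected token. A bare return gives "nothing" in both contexts: `return if !defined $db_token || $db_token ne $token;`. As in Cancel, the lookup itself is still case-insensitive and the check relies on at most one row matching the query.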
...@@ -352,6 +352,9 @@ ...@@ -352,6 +352,9 @@
[% ELSIF error == "token_generation_error" %] [% ELSIF error == "token_generation_error" %]
Something is seriously wrong with the token generation system. Something is seriously wrong with the token generation system.
[% ELSIF error == "cancel_token_does_not_exist" %]
The token to be cancelled does not exist.
[% ELSIF error == "template_error" %] [% ELSIF error == "template_error" %]
[% template_error_msg FILTER html %] [% template_error_msg FILTER html %]