Commit e16ca488 authored by lpsolit%gmail.com's avatar lpsolit%gmail.com

Bug 119524: SECURITY: predictable sessionid (Use a token instead of logincookie)…

Bug 119524: SECURITY: predictable sessionid (Use a token instead of logincookie) - Patch by Olav Vitters <bugzilla-mozilla@bkor.dhs.org> r=mkanat a=justdave
parent 093f6970
...@@ -35,6 +35,7 @@ use Bugzilla::Config; ...@@ -35,6 +35,7 @@ use Bugzilla::Config;
use Bugzilla::Constants; use Bugzilla::Constants;
use Bugzilla::Error; use Bugzilla::Error;
use Bugzilla::Util; use Bugzilla::Util;
use Bugzilla::Token;
sub login { sub login {
my ($class, $type) = @_; my ($class, $type) = @_;
...@@ -70,11 +71,12 @@ sub login { ...@@ -70,11 +71,12 @@ sub login {
# subsequent login # subsequent login
trick_taint($ipaddr); trick_taint($ipaddr);
$dbh->do("INSERT INTO logincookies (userid, ipaddr, lastused) my $logincookie = Bugzilla::Token::GenerateUniqueToken('logincookies', 'cookie');
VALUES (?, ?, NOW())",
$dbh->do("INSERT INTO logincookies (cookie, userid, ipaddr, lastused)
VALUES (?, ?, ?, NOW())",
undef, undef,
$userid, $ipaddr); $logincookie, $userid, $ipaddr);
my $logincookie = $dbh->bz_last_key('logincookies', 'cookie');
# Remember cookie only if admin has told so # Remember cookie only if admin has told so
# or admin didn't forbid it and user told to remember. # or admin didn't forbid it and user told to remember.
......
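Review bot: The new GenerateUniqueToken call in the second hunk carries no comment saying why the cookie value must no longer come from the auto-increment key, which is the point of the whole change and the thing a future cleanup is most likely to undo; a one-line comment above it would do, e.g. `# The cookie is the session identifier the browser presents, so it must be an unguessable random token, never the sequential key.` The uniqueness probe inside GenerateUniqueToken and the INSERT on the next lines are separate statements, so two concurrent logins drawing the same token are only caught by the PRIMARYKEY on cookie, which makes the $dbh->do die; that is acceptable for a random token but deserves a sentence in the same comment so the failure mode is understood. sub login begins before this hunk and continues past it.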
...@@ -678,7 +678,7 @@ use constant ABSTRACT_SCHEMA => { ...@@ -678,7 +678,7 @@ use constant ABSTRACT_SCHEMA => {
logincookies => { logincookies => {
FIELDS => [ FIELDS => [
cookie => {TYPE => 'MEDIUMSERIAL', NOTNULL => 1, cookie => {TYPE => 'varchar(16)', NOTNULL => 1,
PRIMARYKEY => 1}, PRIMARYKEY => 1},
userid => {TYPE => 'INT3', NOTNULL => 1}, userid => {TYPE => 'INT3', NOTNULL => 1},
ipaddr => {TYPE => 'varchar(40)', NOTNULL => 1}, ipaddr => {TYPE => 'varchar(40)', NOTNULL => 1},
......
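Review bot: Changing cookie to varchar(16) makes the token lookup subject to the column's collation, and on MySQL the default collation is case-insensitive, so if the generated token uses a mixed-case alphabet (the generator is outside this diff) two tokens differing only in case match the same row and the effective key space on a guess is noticeably smaller than the token length suggests. If the generator does emit mixed case, either the column needs a binary/case-sensitive definition or the alphabet should be lower-case only with the length chosen to compensate, and the decision should be recorded at the field, e.g. `# Random session token; looked up by equality, so the column must compare case-sensitively.` The 16-character cap also needs to be stated as a contract with the generator, since a longer token would be rejected or truncated depending on the server's SQL mode.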
...@@ -155,12 +155,16 @@ sub GenerateUniqueToken { ...@@ -155,12 +155,16 @@ sub GenerateUniqueToken {
# the token in the "tokens" table. Gives up if it can't come up # the token in the "tokens" table. Gives up if it can't come up
# with a token after about one hundred tries. # with a token after about one hundred tries.
my ($table, $column) = @_;
my $token; my $token;
my $duplicate = 1; my $duplicate = 1;
my $tries = 0; my $tries = 0;
$table ||= "tokens";
$column ||= "token";
my $dbh = Bugzilla->dbh; my $dbh = Bugzilla->dbh;
my $sth = $dbh->prepare("SELECT userid FROM tokens WHERE token = ?"); my $sth = $dbh->prepare("SELECT userid FROM $table WHERE $column = ?");
while ($duplicate) { while ($duplicate) {
++$tries; ++$tries;
......
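Review bot: `$table` and `$column` are interpolated straight into the SELECT on the prepare line, so GenerateUniqueToken now builds SQL from its arguments; the only caller on this page passes literals, but the sub is reached by its fully qualified name from other packages and nothing in the hunk states that the arguments must be compile-time identifiers. A guard before the prepare such as `die "GenerateUniqueToken: bad identifier" unless $table =~ /\A\w+\z/ && $column =~ /\A\w+\z/;`, or assembling the statement with `$dbh->quote_identifier($table)` and `$dbh->quote_identifier($column)`, makes the contract explicit. The comment at the top of the hunk still says the token is checked against the "tokens" table; it should now read `# the token in the given table/column (defaults to tokens.token); the table must have a userid column.` GenerateUniqueToken starts before this hunk and continues after it.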
...@@ -4233,6 +4233,12 @@ $dbh->bz_add_column('namedqueries', 'query_type', ...@@ -4233,6 +4233,12 @@ $dbh->bz_add_column('namedqueries', 'query_type',
$dbh->bz_alter_column('groups', 'userregexp', $dbh->bz_alter_column('groups', 'userregexp',
{TYPE => 'TINYTEXT', NOTNULL => 1, DEFAULT => "''"}); {TYPE => 'TINYTEXT', NOTNULL => 1, DEFAULT => "''"});
# 2005-09-26 - olav@bkor.dhs.org - Bug 119524
# Convert logincookies into a varchar
# this allows to store a random token instead of a guessable auto_increment
$dbh->bz_alter_column('logincookies', 'cookie',
{TYPE => 'varchar(16)', PRIMARYKEY => 1, NOTNULL => 1});
# If you had to change the --TABLE-- definition in any way, then add your # If you had to change the --TABLE-- definition in any way, then add your
# differential change code *** A B O V E *** this comment. # differential change code *** A B O V E *** this comment.
......
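Review bot: The bz_alter_column call converts the column type but leaves every existing logincookies row in place, so the old auto-increment values, which are the predictable session ids this bug is about, remain valid sessions after the upgrade until they expire or are cleared. The migration should drop the existing rows when it performs the conversion, which forces a re-login but closes the window; since bz_alter_column is presumably a no-op on a rerun, the DELETE should be tied to the conversion actually happening rather than run unconditionally, for which bz_column_info on the old definition looks like the right signal (confirm it reports the MEDIUMSERIAL type as shown in the schema hunk). The comment on the block should say why the rows are removed.
```perl
# 2005-09-26 - olav@bkor.dhs.org - Bug 119524
# Convert logincookies into a varchar
# this allows to store a random token instead of a guessable auto_increment
my $cookie_col = $dbh->bz_column_info('logincookies', 'cookie');
if ($cookie_col && $cookie_col->{TYPE} ne 'varchar(16)') {
    $dbh->bz_alter_column('logincookies', 'cookie',
        {TYPE => 'varchar(16)', PRIMARYKEY => 1, NOTNULL => 1});
    # Existing rows still hold the sequential, guessable ids; they stay valid
    # sessions after the type change, so drop them and make users log in again.
    $dbh->do("DELETE FROM logincookies");
}
```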