Stop ever using perl's crypt() function; only use mysql's. (Using

both was causing corruption on about 1 in 40 passwords.)

Stop ever using perl's crypt() function; only use mysql's. (Using
ca876033 · terry%mozilla.org · e908456f · ca876033 · ca876033 · ca876033
Commit ca876033 authored Jan 18, 2000 by terry%mozilla.org
Hide whitespace changes
Inline Side-by-side

Showing with 11 additions and 22 deletions

CGI.pl CGI.pl +4 -1

changepassword.cgi changepassword.cgi +6 -12

editusers.cgi editusers.cgi +1 -9

No files found.
--- a/CGI.pl
+++ b/CGI.pl
@@ -604,7 +604,10 @@ sub confirm_login {
            exit;
        }

-	my $enteredcryptpwd = crypt($enteredpwd, substr($realcryptpwd, 0, 2));
+        SendSQL("SELECT encrypt(" . SqlQuote($enteredpwd) . ", " .
+                SqlQuote(substr($realcryptpwd, 0, 2)) . ")");
+        my $enteredcryptpwd = FetchOneColumn();
+
        if ($realcryptpwd eq "" || $enteredcryptpwd ne $realcryptpwd) {
            print "Content-type: text/html\n\n";
 	    PutHeader("Login failed");

--- a/changepassword.cgi
+++ b/changepassword.cgi
@@ -102,11 +102,6 @@ The two passwords you entered did not match.  Please click <b>Back</b> and try a
 my $pwd = $::FORM{'pwd1'};


-sub x {
-    my $sc="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789./";
-    return substr($sc, int (rand () * 100000) % (length ($sc) + 1), 1);
-}
-
 if ($pwd ne "") {
    if ($pwd !~ /^[a-zA-Z0-9-_]*$/ || length($pwd) < 3 || length($pwd) > 15) {
        print "<H1>Sorry; we're picky.</H1>
@@ -119,14 +114,13 @@ Please click <b>Back</b> and try again.\n";
    }
    
    
-# Generate a random salt.
-    
-    my $salt  = x() . x();
-    
-    my $encrypted = crypt($pwd, $salt);
-    
-    SendSQL("update profiles set password='$pwd',cryptpassword='$encrypted' where login_name=" .
+    my $qpwd = SqlQuote($pwd);
+    SendSQL("UPDATE profiles SET password=$qpwd,cryptpassword=encrypt($qpwd) 
+             WHERE login_name = " .
+            SqlQuote($::COOKIE{'Bugzilla_login'}));
+    SendSQL("SELECT cryptpassword FROM profiles WHERE login_name = " .
            SqlQuote($::COOKIE{'Bugzilla_login'}));
+    my $encrypted = FetchOneColumn();
    
    SendSQL("update logincookies set cryptpassword = '$encrypted' where cookie = $::COOKIE{'Bugzilla_logincookie'}");
 }

--- a/editusers.cgi
+++ b/editusers.cgi
@@ -277,21 +277,13 @@ if ($action eq 'new') {
    }
    

-    sub x {
-	my $sc="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789./";
-	return substr($sc, int (rand () * 100000) % (length ($sc) + 1), 1);
-    }
-
-    my $salt = x() . x();
-    my $cryptpassword = crypt($password, $salt);
-
    # Add the new user
    SendSQL("INSERT INTO profiles ( " .
          "login_name, password, cryptpassword, realname, groupset" .
          " ) VALUES ( " .
          SqlQuote($user) . "," .
          SqlQuote($password) . "," .
-          SqlQuote($cryptpassword) . "," .
+          "encrypt(" . SqlQuote($password) . ")," .
          SqlQuote($realname) . "," .
          $bits . ")" );