Skip to content

bugzilla
bugzilla
Switch branch/tag
Find file
BlameHistoryPermalink
  • terry%netscape.com's avatar
    Changed the way password validation works. We now keep a · 968e9d7a
    terry%netscape.com authored 
    crypt'd version of the password in the database, and check against
that.  (This is silly, because we're also keeping the plaintext
version there, but I have plans...)  Stop passing the plaintext
password around as a cookie; instead, we have a cookie that references
a record in a new database table, logincookies.

IMPORTANT: if updating from an older version of Bugzilla, you must run
the following commands to keep things working:

 ./makelogincookiestable.sh
 echo "alter table profiles add column cryptpassword varchar(64);" | mysql bugs
 echo "update profiles set cryptpassword = encrypt(password,substring(rand(),3, 4));" | mysql bugs
    968e9d7a
CGI.tcl 11.8 KB
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 
# -*- Mode: tcl; indent-tabs-mode: nil -*-
#
# The contents of this file are subject to the Mozilla Public License
# Version 1.0 (the "License"); you may not use this file except in
# compliance with the License. You may obtain a copy of the License at
# http://www.mozilla.org/MPL/
# 
# Software distributed under the License is distributed on an "AS IS"
# basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See the
# License for the specific language governing rights and limitations
# under the License.
# 
# The Original Code is the Bugzilla Bug Tracking System.
# 
# The Initial Developer of the Original Code is Netscape Communications
# Corporation. Portions created by Netscape are Copyright (C) 1998
# Netscape Communications Corporation. All Rights Reserved.
# 
# Contributor(s): Terry Weissman <terry@mozilla.org>

source "globals.tcl"

proc url_decode {buf} {
  regsub -all {\\(.)} $buf {\1} buf ; regsub -all {\\} $buf {\\\\} buf ;
  regsub -all { }  $buf {\ } buf ; regsub -all {\+} $buf {\ } buf ;
  regsub -all {\$} $buf {\$} buf ; regsub -all \n   $buf {\n} buf ;
  regsub -all {;}  $buf {\;} buf ; regsub -all {\[} $buf {\[} buf ;
  regsub -all \" $buf \\\" buf ; regsub  ^\{ $buf \\\{ buf ;
  regsub -all -nocase {%([a-fA-F0-9][a-fA-F0-9])} $buf {[format %c 0x\1]} buf
  eval return \"$buf\"
}

proc url_quote {var} {
  regsub -all { } "$var" {%20} var
  regsub -all {=} "$var" {%3d} var
  regsub -all "\n" "$var" {%0a} var
  return $var
}

proc lookup { a key } {
  global $a
  set ref [format %s(%s) $a $key]
  if { [ info exists $ref] } {
    eval return \$$ref
  } else {
    return ""
  }
}

proc ProcessFormFields {buffer} {
    global FORM MFORM
    catch {unset FORM}
    catch {unset MFORM}
    set remaining $buffer
    while {![cequal $remaining ""]} {
        if {![regexp {^([^&]*)&(.*)$} $remaining foo item remaining]} {
            set item $remaining
            set remaining ""
        }
        if {![regexp {^([^=]*)=(.*)$} $item foo name value]} {
            set name $item
            set value ""
        }
        set value [url_decode $value]
        if {![cequal $value ""]} {
            append FORM($name) $value
            lappend MFORM($name) $value
        } else {
            set isnull($name) 1
        }
    }
    if {[info exists isnull]} {
        foreach name [array names isnull] {
            if {![info exists FORM($name)]} {
                set FORM($name) ""
                set MFORM($name) ""
            }
        }
    }
}

proc FormData { field } {
  global FORM
  return $FORM($field)
}
    
if { [info exists env(REQUEST_METHOD) ] } {
  if { $env(REQUEST_METHOD) == "GET" } { 
    set buffer [lookup env QUERY_STRING]
  } else { set buffer [ read stdin $env(CONTENT_LENGTH) ] }
  ProcessFormFields $buffer
}

proc html_quote { var } {
  regsub -all {&} "$var" {\&amp;} var
  regsub -all {<} "$var" {\&lt;} var
  regsub -all {>} "$var" {\&gt;} var
  return $var
}
proc value_quote { var } {
  regsub -all {&} "$var" {\&amp;} var
  regsub -all {"} "$var" {\&quot;} var
  regsub -all {<} "$var" {\&lt;} var
  regsub -all {>} "$var" {\&gt;} var
  return $var
}

proc value_unquote { var } {
    regsub -all {&quot;} $var "\"" var
    regsub -all {&lt;} $var "<" var
    regsub -all {&gt;} $var ">" var
    regsub -all {&amp;} $var {\&} var
    return $var
}
    
foreach pair [ split [lookup env HTTP_COOKIE] ";" ] {
  set pair [string trim $pair]
  set eq [string first = $pair ]
  if {$eq == -1} {
    set COOKIE($pair) ""
  } else {
    set COOKIE([string range $pair 0 [expr $eq - 1]]) [string range $pair [expr $eq + 1] end]
  }
}

proc navigation_header {} {
  global COOKIE FORM next_bug
  set buglist [lookup COOKIE BUGLIST]
  if { $buglist != "" } {
    set bugs [split $buglist :]
    set cur [ lsearch -exact $bugs $FORM(id) ]
    puts "<B>Bug List:</B> ([expr $cur + 1] of [llength $bugs])"
    puts "<A HREF=\"show_bug.cgi?id=[lindex $bugs 0]\">First</A>"
    puts "<A HREF=\"show_bug.cgi?id=[lindex $bugs [expr [ llength $bugs ] - 1]]\">Last</A>"
    if { $cur > 0 } {
      puts "<A HREF=\"show_bug.cgi?id=[lindex $bugs [expr $cur - 1]]\">Prev</A>"
    } else {
      puts "<I><FONT COLOR=\#777777>Prev</FONT></I>"
    }
    if { $cur < [expr [ llength $bugs ] - 1] } {
      set next_bug [lindex $bugs [expr $cur + 1]]
      puts "<A HREF=\"show_bug.cgi?id=$next_bug\">Next</A>"
    } else {
      puts "<I><FONT COLOR=\#777777>Next</FONT></I>"
    }
  }
  puts "&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<A HREF=\"query.cgi\">Query page</A>"
  puts "&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<A HREF=\"enter_bug.cgi\">Enter new bug</A>"
}

proc make_options { src default {isregexp 0} } {
    set last "" ; set popup "" ; set found 0
    foreach item $src {
        if {$item == "-blank-" || $item != $last} {
            if { $item == "-blank-" } { set item "" }
            set last $item
            if {$isregexp ? [regexp $default $item] : [cequal $default $item]} {
                append popup "<OPTION SELECTED VALUE=\"$item\">$item"
                set found 1
            } else {
                append popup "<OPTION VALUE=\"$item\">$item"
            }
        }
    }
    if {!$found && $default != ""} {
        append popup "<OPTION SELECTED>$default"
    }
    return $popup
}



proc PasswordForLogin {login} {
    SendSQL "select cryptpassword from profiles where login_name = '[SqlQuote $login]'"
    return [FetchSQLData]
}
    


proc confirm_login {{nexturl ""}} {
#    puts "Content-type: text/plain\n"
    global FORM COOKIE argv0 env
    ConnectToDatabase
    if { [info exists FORM(Bugzilla_login)] && 
         [info exists FORM(Bugzilla_password)] } {
        if {![regexp {^[^@, ]*@[^@, ]*\.[^@, ]*$} $FORM(Bugzilla_login)]} {
            puts "Content-type: text/html\n"
            puts "<H1>Invalid e-mail address entered.</H1>"
            puts "The e-mail address you entered"
            puts "(<b>$FORM(Bugzilla_login)</b>) didn't match our minimal"
            puts "syntax checking for a legal email address.  A legal address"
            puts "must contain exactly one '@', and at least one '.' after"
            puts "the @, and may not contain any commas or spaces."
            puts "<p>Please click <b>back</b> and try again."
            exit
        }
        set realcryptpwd [PasswordForLogin $FORM(Bugzilla_login)]
        set enteredpwd $FORM(Bugzilla_password);
        SendSQL "select encrypt('[SqlQuote $enteredpwd]','[crange $realcryptpwd 0 1]')";
        set enteredcryptpwd [lindex [FetchSQLData] 0]
        
        
        if {[info exists FORM(PleaseMailAPassword)]} {
            if {[cequal $realcryptpwd ""]} {
                set realpwd [InsertNewUser $FORM(Bugzilla_login)]
            } else {
                SendSQL "select password from profiles where login_name = '[SqlQuote $FORM(Bugzilla_login)]'"
                set realpwd [lindex [FetchSQLData] 0]
            }
            set template "From: bugzilla-daemon
To: %s
Subject: Your bugzilla password.

To use the wonders of bugzilla, you can use the following:

 E-mail address: %s
       Password: %s

 To change your password, go to:
 [Param urlbase]changepassword.cgi

 (Your bugzilla and CVS password, if any, are not currently synchronized.
 Top hackers are working around the clock to fix this, as you read this.)
"

            set msg [format $template $FORM(Bugzilla_login) \
                         $FORM(Bugzilla_login) $realpwd]
            
            exec /usr/lib/sendmail -t << $msg
            puts "Content-type: text/html\n"
            puts "<H1>Password has been emailed.</H1>"
            puts "The password for the e-mail address"
            puts "$FORM(Bugzilla_login) has been e-mailed to that address."
            puts "<p>When the e-mail arrives, you can click <b>Back</b>"
            puts "and enter your password in the form there."
            exit
        }
                
        if {[cequal $realcryptpwd ""] || ![cequal $enteredcryptpwd $realcryptpwd]} {
            puts "Content-type: text/html\n"
            puts "<H1>Login failed.</H1>"
            puts "The username or password you entered is not valid.  Please"
            puts "click <b>back</b> and try again."
            exit
        }
        set COOKIE(Bugzilla_login) $FORM(Bugzilla_login)
	SendSQL "insert into logincookies (userid,cryptpassword,hostname) values ([DBNameToIdAndCheck $FORM(Bugzilla_login)], '[SqlQuote $realcryptpwd]', '[SqlQuote $env(REMOTE_HOST)]')"
        SendSQL "select LAST_INSERT_ID()"
        set logincookie [FetchSQLData]
        
        


        set COOKIE(Bugzilla_logincookie) $logincookie
        puts "Set-Cookie: Bugzilla_login=$COOKIE(Bugzilla_login) ; path=/; expires=Sun, 30-Jun-2029 00:00:00 GMT"
        puts "Set-Cookie: Bugzilla_logincookie=$COOKIE(Bugzilla_logincookie) ; path=/; expires=Sun, 30-Jun-2029 00:00:00 GMT"

        # This next one just cleans out any old bugzilla passwords that may
        # be sitting around in the cookie files, from the bad old days when
        # we actually stored the password there.
        puts "Set-Cookie: Bugzilla_password= ; path=/; expires=Sun, 30-Jun-80 00:00:00 GMT"

    }


    set loginok 0

    if { [info exists COOKIE(Bugzilla_login)] && [info exists COOKIE(Bugzilla_logincookie)] } {
        SendSQL "select profiles.login_name = '[SqlQuote $COOKIE(Bugzilla_login)]' and profiles.cryptpassword = logincookies.cryptpassword and logincookies.hostname = '[SqlQuote $env(REMOTE_HOST)]' from profiles,logincookies where logincookies.cookie = $COOKIE(Bugzilla_logincookie) and profiles.userid = logincookies.userid"
        set loginok [FetchSQLData]
    }

    if {$loginok != "1"} {
        puts "Content-type: text/html\n"
        puts "<H1>Please log in.</H1>"
        puts "I need a legitimate e-mail address and password to continue."
        if {[cequal $nexturl ""]} {
            regexp {[^/]*$} $argv0 nexturl
        }
        set method POST
        if {[info exists env(REQUEST_METHOD)]} {
            set method $env(REQUEST_METHOD)
        }
        puts "
<FORM action=$nexturl method=$method>
<table>
<tr>
<td align=right><b>E-mail address:</b></td>
<td><input size=35 name=Bugzilla_login></td>
</tr>
<tr>
<td align=right><b>Password:</b></td>
<td><input type=password size=35 name=Bugzilla_password></td>
</tr>
</table>
"
        foreach i [array names FORM] {
            if {[regexp {^Bugzilla_} $i]} {
                continue
            }
            puts "<input type=hidden name=$i value=\"[value_quote $FORM($i)]\">"
        }
        puts "
<input type=submit value=Login name=GoAheadAndLogIn><hr>
If you don't have a password, or have forgotten it, then please fill in the
e-mail address above and click
 here:<input type=submit value=\"E-mail me a password\"
name=PleaseMailAPassword>
</form>"

        # This seems like as good as time as any to get rid of old
        # crufty junk in the logincookies table.  Get rid of any entry
        # that hasn't been used in a month.
        SendSQL "delete from logincookies where to_days(now()) - to_days(lastused) > 30"

        
        exit
    }

    # Update the timestamp on our logincookie, so it'll keep on working.
    SendSQL "update logincookies set lastused = null where cookie = $COOKIE(Bugzilla_logincookie)"
}


proc PutHeader {title h1 {h2 ""}} {
    puts "<HTML><HEAD><TITLE>$title</TITLE></HEAD>";
    puts "<BODY   BGCOLOR=\"#FFFFFF\" TEXT=\"#000000\"";
    puts "LINK=\"#0000EE\" VLINK=\"#551A8B\" ALINK=\"#FF0000\">";

    puts [Param bannerhtml]

    puts "<TABLE BORDER=0 CELLPADDING=12 CELLSPACING=0 WIDTH=\"100%\">";
    puts " <TR>\n";
    puts "  <TD>\n";
    puts "   <TABLE BORDER=0 CELLPADDING=0 CELLSPACING=2>\n";
    puts "    <TR><TD VALIGN=TOP ALIGN=CENTER NOWRAP>\n";
    puts "     <FONT SIZE=\"+3\"><B><NOBR>$h1</NOBR></B></FONT>\n";
    puts "    </TD></TR><TR><TD VALIGN=TOP ALIGN=CENTER>\n";
    puts "     <B>$h2</B>\n";
    puts "    </TD></TR>\n";
    puts "   </TABLE>\n";
    puts "  </TD>\n";
    puts "  <TD>\n";

    puts [Param blurbhtml]

    puts "</TD></TR></TABLE>\n";

}