Commit 987c342a authored by Per Cederqvist's avatar Per Cederqvist

Imported Bugzilla 2.19.3.

parent c659c791
......@@ -241,7 +241,7 @@ or should be something which is globally required by a large ammount of code
=head1 METHODS
Note that all C<Bugzilla> functionailty is method based; use C<Bugzilla->dbh>
Note that all C<Bugzilla> functionality is method based; use C<Bugzilla-E<gt>dbh>
rather than C<Bugzilla::dbh>. Nothing cares about this now, but don't rely on
that.
......@@ -288,7 +288,7 @@ Bugzilla::User instance.
=item C<logout_request>
Essentially, causes calls to C<Bugzilla->user> to return C<undef>. This has the
Essentially, causes calls to C<Bugzilla-E<gt>user> to return C<undef>. This has the
effect of logging out a user for the current request only; cookies and
database sessions are left intact.
......
......@@ -33,6 +33,8 @@ package Bugzilla::Attachment;
# Use the Flag module to handle flags.
use Bugzilla::Flag;
use Bugzilla::Config qw(:locations);
use Bugzilla::User;
############################################################################
# Functions
......@@ -62,46 +64,46 @@ sub new {
sub query
{
# Retrieves and returns an array of attachment records for a given bug.
# This data should be given to attachment/list.atml in an
# This data should be given to attachment/list.html.tmpl in an
# "attachments" variable.
my ($bugid) = @_;
my $in_editbugs = &::UserInGroup("editbugs");
&::SendSQL("SELECT product_id
FROM bugs
WHERE bug_id = $bugid");
my $productid = &::FetchOneColumn();
my $caneditproduct = &::CanEditProductId($productid);
my $dbh = Bugzilla->dbh;
# Retrieve a list of attachments for this bug and write them into an array
# of hashes in which each hash represents a single attachment.
&::SendSQL("
SELECT attach_id, DATE_FORMAT(creation_ts, '%Y.%m.%d %H:%i'),
mimetype, description, ispatch, isobsolete, isprivate,
submitter_id, LENGTH(thedata)
FROM attachments WHERE bug_id = $bugid ORDER BY attach_id
");
my $list = $dbh->selectall_arrayref("SELECT attach_id, " .
$dbh->sql_date_format('creation_ts', '%Y.%m.%d %H:%i') .
", mimetype, description, ispatch,
isobsolete, isprivate, LENGTH(thedata)
FROM attachments
WHERE bug_id = ? ORDER BY attach_id",
undef, $bugid);
my @attachments = ();
while (&::MoreSQLData()) {
foreach my $row (@$list) {
my %a;
my $submitter_id;
($a{'attachid'}, $a{'date'}, $a{'contenttype'}, $a{'description'},
$a{'ispatch'}, $a{'isobsolete'}, $a{'isprivate'}, $submitter_id,
$a{'datasize'}) = &::FetchSQLData();
($a{'attachid'}, $a{'date'}, $a{'contenttype'},
$a{'description'}, $a{'ispatch'}, $a{'isobsolete'},
$a{'isprivate'}, $a{'datasize'}) = @$row;
# Retrieve a list of flags for this attachment.
$a{'flags'} = Bugzilla::Flag::match({ 'attach_id' => $a{'attachid'},
'is_active' => 1 });
# We will display the edit link if the user can edit the attachment;
# ie the are the submitter, or they have canedit.
# Also show the link if the user is not logged in - in that cae,
# They'll be prompted later
$a{'canedit'} = ($::userid == 0 || (($submitter_id == $::userid ||
$in_editbugs) && $caneditproduct));
# A zero size indicates that the attachment is stored locally.
if ($a{'datasize'} == 0) {
my $attachid = $a{'attachid'};
my $hash = ($attachid % 100) + 100;
$hash =~ s/.*(\d\d)$/group.$1/;
if (open(AH, "$attachdir/$hash/attachment.$attachid")) {
$a{'datasize'} = (stat(AH))[7];
close(AH);
}
}
push @attachments, \%a;
}
return \@attachments;
}
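Review bot: In the zero-size branch of query, the locally stored attachment is opened with a two-argument `open` on the bareword handle `AH` only to read its size. `$attachid` comes from the attachments table rather than from the request, so as far as the visible lines show this is a robustness and style point, not an injection path. A file test avoids the global handle and the open/close pair altogether: `$a{'datasize'} = (-s "$attachdir/$hash/attachment.$attachid") || 0;`. If the handle is kept, use the three-argument form with a lexical handle, `open(my $fh, '<', $path)`.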
......
......@@ -23,6 +23,8 @@
package Bugzilla::Auth;
use strict;
use base qw(Exporter);
@Bugzilla::Auth::EXPORT = qw(bz_crypt);
use Bugzilla::Config;
use Bugzilla::Constants;
......@@ -42,6 +44,31 @@ BEGIN {
}
}
sub bz_crypt ($) {
my ($password) = @_;
# The list of characters that can appear in a salt. Salts and hashes
# are both encoded as a sequence of characters from a set containing
# 64 characters, each one of which represents 6 bits of the salt/hash.
# The encoding is similar to BASE64, the difference being that the
# BASE64 plus sign (+) is replaced with a forward slash (/).
my @saltchars = (0..9, 'A'..'Z', 'a'..'z', '.', '/');
# Generate the salt. We use an 8 character (48 bit) salt for maximum
# security on systems whose crypt uses MD5. Systems with older
# versions of crypt will just use the first two characters of the salt.
my $salt = '';
for ( my $i=0 ; $i < 8 ; ++$i ) {
$salt .= $saltchars[rand(64)];
}
# Crypt the password.
my $cryptedpassword = crypt($password, $salt);
# Return the crypted password.
return $cryptedpassword;
}
# PRIVATE
# A number of features, like password change requests, require the DB
......@@ -128,6 +155,11 @@ __END__
Bugzilla::Auth - Authentication handling for Bugzilla users
=head1 SYNOPSIS
# Class Functions
$crypted = bz_crypt($password);
=head1 DESCRIPTION
Handles authentication for Bugzilla users.
......@@ -147,6 +179,23 @@ authentication or login modules.
=over 4
=item C<bz_crypt($password)>
Takes a string and returns a C<crypt>ed value for it, using a random salt.
Please always use this function instead of the built-in perl "crypt"
when initially encrypting a password.
=begin undocumented
Random salts are generated because the alternative is usually
to use the first two characters of the password itself, and since
the salt appears in plaintext at the beginning of the encrypted
password string this has the effect of revealing the first two
characters of the password to anyone who views the encrypted version.
=end undocumented
=item C<Bugzilla::Auth::get_netaddr($ipaddr)>
Given an ip address, this returns the associated network address, using
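Review bot: bz_crypt draws its salt from `rand(64)` and passes crypt() an 8-character salt with no `$id$` prefix, so the comment's expectation of an MD5-based hash is likely optimistic. Perl's `rand` is not a cryptographic generator, and on C libraries that select the algorithm by salt prefix an unprefixed salt falls back to traditional DES crypt, which uses two salt characters and only the first eight characters of the password. I would at least correct the comment, e.g. `# NOTE: without a '$1$'-style prefix most crypt() implementations use DES (2-char salt, password truncated to 8 chars)`, and take the salt from the operating system's random source where one is available. The `($)` prototype on the sub changes parsing at call sites rather than validating the argument and could be dropped.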
......
/README/1.2/Thu Jul 29 02:45:38 2004//TBUGZILLA-2_19_2
/README/1.2/Thu Jul 29 02:45:38 2004//TBUGZILLA-2_19_3
D/Login////
D/Verify////
NBUGZILLA-2_19_2
NBUGZILLA-2_19_3
/WWW.pm/1.4/Wed Aug 11 13:53:44 2004//TBUGZILLA-2_19_2
/WWW.pm/1.6/Sat Mar 12 21:51:15 2005//TBUGZILLA-2_19_3
D/WWW////
NBUGZILLA-2_19_2
NBUGZILLA-2_19_3
......@@ -51,6 +51,7 @@ sub login {
# (double cookies, odd compat code settings, etc)
return $user if $user->id;
$type = LOGIN_REQUIRED if Bugzilla->cgi->param('GoAheadAndLogIn');
$type = LOGIN_NORMAL unless defined $type;
# Log in using whatever methods are defined in user_info_class.
......@@ -70,6 +71,11 @@ sub login {
if ($userid) {
$user = new Bugzilla::User($userid);
# Redirect to SSL if required
if (Param('sslbase') ne '' and Param('ssl') ne 'never') {
Bugzilla->cgi->require_https(Param('sslbase'));
}
$user->set_flags('can_logout' => $class->can_logout);
# Compat stuff
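Review bot: The `require_https` call added under `if ($userid)` in login runs only after the login method has already accepted the credentials, so with `ssl` set to anything other than 'never' a password submitted from a plain-http page has crossed the network unencrypted before the redirect is printed. The same ordering applies to the cookie-login module's hunk later in this commit, where the redirect is issued only in the `AUTH_NODATA && LOGIN_REQUIRED` branch. Whether the login forms post to `sslbase` cannot be seen from these hunks; if they do not, that is the place to close the gap, and a comment here would record it: `# Credentials posted over http have already been sent in clear; login forms must target sslbase.` login's body starts and ends outside the hunk.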
......
......@@ -45,10 +45,13 @@ sub login {
}
my $cgi = Bugzilla->cgi;
my $dbh = Bugzilla->dbh;
# First, try the actual login method against form variables
my $username = $cgi->param("Bugzilla_login");
my $passwd = $cgi->param("Bugzilla_password");
$cgi->delete('Bugzilla_login', 'Bugzilla_password');
my $authmethod = Param("user_verify_class");
my ($authres, $userid, $extra, $info) =
......@@ -67,12 +70,11 @@ sub login {
# subsequent login
trick_taint($ipaddr);
my $dbh = Bugzilla->dbh;
$dbh->do("INSERT INTO logincookies (userid, ipaddr, lastused)
VALUES (?, ?, NOW())",
undef,
$userid, $ipaddr);
my $logincookie = $dbh->selectrow_array("SELECT LAST_INSERT_ID()");
my $logincookie = $dbh->bz_last_key('logincookies', 'cookie');
# Remember cookie only if admin has told so
# or admin didn't forbid it and user told to remember.
......@@ -135,6 +137,12 @@ sub login {
# No login details were given, but we require a login if the
# page does
if ($authres == AUTH_NODATA && $type == LOGIN_REQUIRED) {
# Redirect to SSL if required
if (Param('sslbase') ne '' and Param('ssl') ne 'never') {
$cgi->require_https(Param('sslbase'));
}
# Throw up the login page
print Bugzilla->cgi->header();
......@@ -142,8 +150,6 @@ sub login {
my $template = Bugzilla->template;
$template->process("account/auth/login.html.tmpl",
{ 'target' => $cgi->url(-relative=>1),
'form' => \%::FORM,
'mform' => \%::MFORM,
'caneditaccount' => Bugzilla::Auth->can_edit('new'),
'has_db' => Bugzilla::Auth->has_db,
}
......@@ -153,8 +159,9 @@ sub login {
# This seems like as good as time as any to get rid of old
# crufty junk in the logincookies table. Get rid of any entry
# that hasn't been used in a month.
Bugzilla->dbh->do("DELETE FROM logincookies " .
"WHERE TO_DAYS(NOW()) - TO_DAYS(lastused) > 30");
$dbh->do("DELETE FROM logincookies WHERE " .
$dbh->sql_to_days('NOW()') . " - " .
$dbh->sql_to_days('lastused') . " > 30");
exit;
}
......@@ -177,7 +184,7 @@ sub login {
# If we get here, then we've run out of options, which shouldn't happen
ThrowCodeError("authres_unhandled", { authres => $authres,
type => $type, });
type => $type });
}
# This auth style allows the user to log out.
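Review bot: The value stored in `$logincookie` is whatever `bz_last_key('logincookies', 'cookie')` returns, which reads as the row's auto-increment key, so the login cookie appears to be a small sequential number rather than an unguessable token. The cookie check elsewhere in this commit also matches on userid and IP address, which narrows the exposure but is not a substitute for an unpredictable identifier. A session identifier should be generated from the operating system's random source and stored in the row, with the numeric key kept server-side only. The hunks do not show how the cookie is later sent, so confirm against the rest of login, whose body extends beyond them.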
......
/Cookie.pm/1.2/Wed Sep 8 23:29:08 2004//TBUGZILLA-2_19_2
/Cookie.pm/1.3/Tue Mar 22 22:41:07 2005//TBUGZILLA-2_19_3
D
......@@ -57,18 +57,16 @@ sub authenticate {
" logincookies.userid=profiles.userid AND " .
" logincookies.userid=? AND " .
" (logincookies.ipaddr=?";
my @params = ($login_cookie, $login, $ipaddr);
if (defined $netaddr) {
trick_taint($netaddr);
$query .= " OR logincookies.ipaddr=?";
push(@params, $netaddr);
}
$query .= ")";
my $dbh = Bugzilla->dbh;
my ($userid, $disabledtext) = $dbh->selectrow_array($query, undef,
$login_cookie,
$login,
$ipaddr,
$netaddr);
my ($userid, $disabledtext) = $dbh->selectrow_array($query, undef, @params);
return (AUTH_DISABLED, $userid, $disabledtext)
if ($disabledtext);
......
/CGI.pm/1.4/Wed Oct 20 20:58:45 2004//TBUGZILLA-2_19_2
/Env.pm/1.1/Wed Aug 11 13:53:45 2004//TBUGZILLA-2_19_2
/CGI.pm/1.10/Thu May 12 01:52:13 2005//TBUGZILLA-2_19_3
/Env.pm/1.3/Sat Apr 16 17:08:32 2005//TBUGZILLA-2_19_3
D/CGI////
......@@ -57,7 +57,7 @@ sub login {
trick_taint($env_id);
trick_taint($env_realname);
if ($env_id | $env_email) {
if ($env_id || $env_email) {
# Look in the DB for the extern_id
if ($env_id) {
......@@ -116,9 +116,7 @@ sub login {
"realname, disabledtext " .
") VALUES ( ?, ?, ?, '' )");
$sth->execute($env_email, '*', $env_realname);
$sth = $dbh->prepare("SELECT last_insert_id()");
$sth->execute();
$matched_userid = $sth->fetch->[0];
$matched_userid = $dbh->bz_last_key('profiles', 'userid');
}
}
}
......
/DB.pm/1.3/Tue Jul 20 22:41:21 2004//TBUGZILLA-2_19_2
/LDAP.pm/1.3/Tue Jul 20 22:41:21 2004//TBUGZILLA-2_19_2
/DB.pm/1.4/Mon Jan 31 19:26:01 2005//TBUGZILLA-2_19_3
/LDAP.pm/1.5/Wed Feb 9 06:42:43 2005//TBUGZILLA-2_19_3
D
NBUGZILLA-2_19_2
NBUGZILLA-2_19_3
......@@ -111,7 +111,7 @@ sub check_password {
sub change_password {
my ($class, $userid, $password) = @_;
my $dbh = Bugzilla->dbh;
my $cryptpassword = Crypt($password);
my $cryptpassword = bz_crypt($password);
$dbh->do("UPDATE profiles SET cryptpassword = ? WHERE userid = ?",
undef, $cryptpassword, $userid);
}
......
......@@ -33,6 +33,7 @@ use strict;
use Bugzilla::Config;
use Bugzilla::Constants;
use Bugzilla::User;
use Net::LDAP;
......@@ -149,7 +150,7 @@ sub authenticate {
if($userRealName eq "") {
$userRealName = $user_entry->get_value("cn");
}
&::InsertNewUser($username, $userRealName);
insert_new_user($username, $userRealName);
($userid, $disabledtext) = $dbh->selectrow_array($sth,
undef,
......
......@@ -52,6 +52,11 @@ sub new {
# Make sure that we don't send any charset headers
$self->charset('');
# Redirect to SSL if required
if (Param('sslbase') ne '' and Param('ssl') eq 'always') {
$self->require_https(Param('sslbase'));
}
# Check for errors
# All of the Bugzilla code wants to do this, so do it here instead of
# in each script
......@@ -174,6 +179,10 @@ sub send_cookie {
# Add the default path in
unshift(@_, '-path' => Param('cookiepath'));
if (Param('cookiedomain'))
{
unshift(@_, '-domain' => Param('cookiedomain'));
}
# Use CGI::Cookie directly, because CGI.pm's |cookie| method gives the
# current value if there isn't a -value attribute, which happens when
......@@ -185,6 +194,21 @@ sub send_cookie {
return;
}
# Redirect to https if required
sub require_https {
my $self = shift;
if ($self->protocol ne 'https') {
my $url = shift;
if (defined $url) {
$url .= $self->url('-path_info' => 1, '-query' => 1, '-relative' => 1);
} else {
$url = $self->self_url;
$url =~ s/^http:/https:/i;
}
print $self->redirect(-location => $url);
exit;
}
}
1;
......@@ -238,6 +262,14 @@ Bugzilla code (instead of C<cookie> or the C<-cookie> argument to C<header>),
so that under mod_perl the headers can be sent correctly, using C<print> or
the mod_perl APIs as appropriate.
=item C<require_https($baseurl)>
This routine checks if the current page is being served over https, and
redirects to the https protocol if required, retaining QUERY_STRING.
It takes an option argument which will be used as the base URL. If $baseurl
is not provided, the current URL is used.
=back
=head1 SEE ALSO
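Review bot: require_https carries only the path info and query string across the redirect (`$self->url('-path_info' => 1, '-query' => 1, '-relative' => 1)`), so a form submitted by POST over http loses its body, and the POD's "retaining QUERY_STRING" does not tell callers that. In the fallback branch `s/^http:/https:/i` rewrites only the scheme of `self_url`, which keeps the request's host name and any explicit port; that is probably wrong for a site whose http listener is on a non-default port. I would extend the `=item` text with: `POST bodies are not preserved, and the request being redirected was already sent unencrypted.` The send_cookie hunk adds `-domain` but shows no `-secure` attribute; its body continues outside the hunk, so check whether the login cookie is marked secure when `ssl` is 'always'.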
......
/.cvsignore/1.1/Mon Aug 26 22:24:55 2002//TBUGZILLA-2_19_2
/Attachment.pm/1.17/Tue Jul 6 07:08:02 2004//TBUGZILLA-2_19_2
/Auth.pm/1.7/Tue Jul 20 22:41:18 2004//TBUGZILLA-2_19_2
/Bug.pm/1.47/Fri Aug 20 21:49:17 2004//TBUGZILLA-2_19_2
/BugMail.pm/1.19/Fri Jan 7 20:56:01 2005//TBUGZILLA-2_19_2
/CGI.pm/1.13/Wed Jan 12 17:06:10 2005//TBUGZILLA-2_19_2
/Chart.pm/1.4/Sun Aug 29 21:29:34 2004//TBUGZILLA-2_19_2
/Config.pm/1.29/Sat Jan 15 06:59:42 2005//TBUGZILLA-2_19_2
/Constants.pm/1.13/Fri Jan 7 20:56:01 2005//TBUGZILLA-2_19_2
/DB.pm/1.14/Mon Dec 6 17:16:33 2004//TBUGZILLA-2_19_2
/Error.pm/1.9/Mon Jan 3 20:54:57 2005//TBUGZILLA-2_19_2
/Flag.pm/1.27/Sat Jan 8 18:33:48 2005//TBUGZILLA-2_19_2
/FlagType.pm/1.10/Tue Nov 23 22:41:43 2004//TBUGZILLA-2_19_2
/RelationSet.pm/1.10/Thu Mar 18 03:57:05 2004//TBUGZILLA-2_19_2
/Search.pm/1.72/Fri Dec 31 08:00:51 2004//TBUGZILLA-2_19_2
/Series.pm/1.6/Sun Aug 29 21:29:34 2004//TBUGZILLA-2_19_2
/Template.pm/1.18/Sat Jul 10 14:51:23 2004//TBUGZILLA-2_19_2
/Token.pm/1.24/Sat Jan 1 13:44:16 2005//TBUGZILLA-2_19_2
/User.pm/1.32/Fri Jan 7 20:56:01 2005//TBUGZILLA-2_19_2
/Util.pm/1.14/Tue Jan 11 17:15:43 2005//TBUGZILLA-2_19_2
/.cvsignore/1.1/Mon Aug 26 22:24:55 2002//TBUGZILLA-2_19_3
/Attachment.pm/1.21/Thu Apr 28 02:14:26 2005//TBUGZILLA-2_19_3
/Auth.pm/1.9/Mon Jan 31 20:13:55 2005//TBUGZILLA-2_19_3
/Bug.pm/1.76/Tue May 3 18:44:53 2005//TBUGZILLA-2_19_3
/BugMail.pm/1.39/Mon Apr 4 21:09:17 2005//TBUGZILLA-2_19_3
/CGI.pm/1.15/Sun Jan 16 20:43:22 2005//TBUGZILLA-2_19_3
/Chart.pm/1.8/Mon Apr 11 22:39:11 2005//TBUGZILLA-2_19_3
/Config.pm/1.40/Thu May 12 02:51:04 2005//TBUGZILLA-2_19_3
/Constants.pm/1.22/Tue Mar 29 21:42:57 2005//TBUGZILLA-2_19_3
/DB.pm/1.53/Sat Apr 23 02:11:51 2005//TBUGZILLA-2_19_3
/Error.pm/1.13/Tue Mar 22 19:22:40 2005//TBUGZILLA-2_19_3
/Flag.pm/1.38/Fri Apr 22 02:17:14 2005//TBUGZILLA-2_19_3
/FlagType.pm/1.16/Thu May 5 19:20:44 2005//TBUGZILLA-2_19_3
/Group.pm/1.1/Fri Feb 18 22:42:07 2005//TBUGZILLA-2_19_3
/Search.pm/1.96/Tue May 10 21:05:19 2005//TBUGZILLA-2_19_3
/Series.pm/1.9/Wed Mar 16 00:27:15 2005//TBUGZILLA-2_19_3
/Template.pm/1.25/Mon Apr 4 22:29:09 2005//TBUGZILLA-2_19_3
/Token.pm/1.29/Thu Mar 3 07:19:09 2005//TBUGZILLA-2_19_3
/User.pm/1.54/Sun Apr 10 17:49:48 2005//TBUGZILLA-2_19_3
/Util.pm/1.26/Tue May 10 20:30:12 2005//TBUGZILLA-2_19_3
D/Auth////
D/DB////
D/Template////
D/User////
NBUGZILLA-2_19_2
NBUGZILLA-2_19_3
......@@ -115,16 +115,11 @@ sub add {
my $self = shift;
my @series_ids = @_;
# If we are going from < 2 to >= 2 series, add the Grand Total line.
if (!$self->{'gt'}) {
my $current_size = scalar($self->getSeriesIDs());
if ($current_size < 2 &&
$current_size + scalar(@series_ids) >= 2)
{
$self->{'gt'} = 1;
}
}
# Get the current size of the series; required for adding Grand Total later
my $current_size = scalar($self->getSeriesIDs());
# Count the number of added series
my $added = 0;
# Create new Series and push them on to the list of lines.
# Note that new lines have no label; the display template is responsible
# for inventing something sensible.
......@@ -133,6 +128,16 @@ sub add {
if ($series) {
push(@{$self->{'lines'}}, [$series]);
push(@{$self->{'labels'}}, "");
$added++;
}
}
# If we are going from < 2 to >= 2 series, add the Grand Total line.
if (!$self->{'gt'}) {
if ($current_size < 2 &&
$current_size + $added >= 2)
{
$self->{'gt'} = 1;
}
}
}
......@@ -229,9 +234,9 @@ sub readData {
}
# Prepare the query which retrieves the data for each series
my $query = "SELECT TO_DAYS(series_date) - " .
" TO_DAYS(FROM_UNIXTIME($datefrom)), " .
"series_value FROM series_data " .
my $query = "SELECT " . $dbh->sql_to_days('series_date') . " - " .
$dbh->sql_to_days("FROM_UNIXTIME($datefrom)") .
", series_value FROM series_data " .
"WHERE series_id = ? " .
"AND series_date >= FROM_UNIXTIME($datefrom)";
if ($dateto) {
......@@ -320,7 +325,8 @@ sub getVisibleSeries {
" AND cgm.group_id NOT IN($grouplist) " .
"WHERE creator = " . Bugzilla->user->id . " OR " .
" cgm.category_id IS NULL " .
"GROUP BY series_id");
$dbh->sql_group_by('series_id', 'cc1.name, cc2.name, ' .
'series.name'));
foreach my $series (@$serieses) {
my ($cat, $subcat, $name, $series_id) = @$series;
$cats{$cat}{$subcat}{$name} = $series_id;
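Review bot: In readData the rewritten query still interpolates `$datefrom` into the SQL text twice (`FROM_UNIXTIME($datefrom)`), while `series_id` next to it uses a placeholder. Where `$datefrom` is validated is outside the hunk; if it can carry request data, it should be checked as an integer before this point or bound, e.g. `$dbh->sql_to_days('FROM_UNIXTIME(?)')` with `$datefrom` added to the execute arguments, assuming sql_to_days passes its argument through as an expression. The getVisibleSeries hunk likewise builds `NOT IN($grouplist)` and `creator = ` by concatenation; both look server-derived, but a comment saying so would help the next reader. All three functions extend beyond their hunks.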
......
......@@ -33,8 +33,6 @@ use strict;
use base qw(Exporter);
use Bugzilla::Util;
# Under mod_perl, get this from a .htaccess config variable,
# and/or default from the current 'real' dir
# At some stage after this, it may be possible for these dir locations
......@@ -45,16 +43,17 @@ use Bugzilla::Util;
# .pms elsewhere.
# $webdotdir must be in the webtree somewhere. Even if you use a local dot,
# we output images to there. Also, if $webdot dir is not relative to the
# bugzilla root directory, you'll need to change showdependancygraph.cgi to
# bugzilla root directory, you'll need to change showdependencygraph.cgi to
# set image_url to the correct location.
# The script should really generate these graphs directly...
# Note that if $libpath is changed, some stuff will break, notably dependancy
# Note that if $libpath is changed, some stuff will break, notably dependency
# graphs (since the path will be wrong in the HTML). This will be fixed at
# some point.
our $libpath = '.';
our $localconfig = "$libpath/localconfig";
our $datadir = "$libpath/data";
our $attachdir = "$datadir/attachments";
our $templatedir = "$libpath/template";
our $webdotdir = "$datadir/webdot";
......@@ -71,13 +70,14 @@ our $webdotdir = "$datadir/webdot";
%Bugzilla::Config::EXPORT_TAGS =
(
admin => [qw(GetParamList UpdateParams SetParam WriteParams)],
db => [qw($db_host $db_port $db_name $db_user $db_pass $db_sock)],
locations => [qw($libpath $localconfig $datadir $templatedir $webdotdir)],
db => [qw($db_driver $db_host $db_port $db_name $db_user $db_pass $db_sock)],
locations => [qw($libpath $localconfig $attachdir
$datadir $templatedir $webdotdir)],
);
Exporter::export_ok_tags('admin', 'db', 'locations');
# Bugzilla version
$Bugzilla::Config::VERSION = "2.19.2";
$Bugzilla::Config::VERSION = "2.19.3";
use Safe;