Skip to content
GitLab
Projects
Groups
Snippets
Help
Loading...
Help
Help
Support
Community forum
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
B
bugzilla
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Service Desk
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Operations
Operations
Incidents
Environments
Analytics
Analytics
CI / CD
Repository
Value Stream
Wiki
Wiki
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
Lysator
bugzilla
Commits
dcf6afc5
Commit
dcf6afc5
authored
Jul 11, 2014
by
Per Cederqvist
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Imported Bugzilla 4.4.3.
parent
3e31437c
Changes
153
Expand all
Hide whitespace changes
Inline
Side-by-side
Showing
153 changed files
with
1717 additions
and
1749 deletions
+1717
-1749
.bzr/README
.bzr/README
+1
-1
.bzr/checkout/dirstate
.bzr/checkout/dirstate
+0
-0
.gitignore
.gitignore
+32
-0
.gitrev
.gitrev
+1
-0
Bugzilla/Auth.pm
Bugzilla/Auth.pm
+18
-1
Bugzilla/Auth/Login/CGI.pm
Bugzilla/Auth/Login/CGI.pm
+37
-4
Bugzilla/Auth/Login/Cookie.pm
Bugzilla/Auth/Login/Cookie.pm
+57
-14
Bugzilla/Auth/Persist/Cookie.pm
Bugzilla/Auth/Persist/Cookie.pm
+28
-10
Bugzilla/Bug.pm
Bugzilla/Bug.pm
+33
-26
Bugzilla/CGI.pm
Bugzilla/CGI.pm
+13
-0
Bugzilla/Constants.pm
Bugzilla/Constants.pm
+1
-1
Bugzilla/Template.pm
Bugzilla/Template.pm
+16
-0
Bugzilla/Util.pm
Bugzilla/Util.pm
+18
-2
Bugzilla/WebService.pm
Bugzilla/WebService.pm
+13
-13
Bugzilla/WebService/Server/JSONRPC.pm
Bugzilla/WebService/Server/JSONRPC.pm
+5
-1
Bugzilla/WebService/Server/XMLRPC.pm
Bugzilla/WebService/Server/XMLRPC.pm
+6
-0
Bugzilla/WebService/User.pm
Bugzilla/WebService/User.pm
+57
-35
Bugzilla/WebService/Util.pm
Bugzilla/WebService/Util.pm
+23
-0
contrib/jb2bz.py
contrib/jb2bz.py
+91
-61
docs/bugzilla.ent
docs/bugzilla.ent
+2
-2
docs/bugzilla.ent.tmpl
docs/bugzilla.ent.tmpl
+2
-2
docs/en/html/Bugzilla-Guide.html
docs/en/html/Bugzilla-Guide.html
+410
-410
docs/en/html/Bugzilla-Guide.proc
docs/en/html/Bugzilla-Guide.proc
+0
-0
docs/en/html/about.html
docs/en/html/about.html
+1
-1
docs/en/html/administration.html
docs/en/html/administration.html
+1
-1
docs/en/html/api/Bugzilla.html
docs/en/html/api/Bugzilla.html
+1
-3
docs/en/html/api/Bugzilla/Auth.html
docs/en/html/api/Bugzilla/Auth.html
+7
-0
docs/en/html/api/Bugzilla/DB.html
docs/en/html/api/Bugzilla/DB.html
+45
-135
docs/en/html/api/Bugzilla/DB/Schema.html
docs/en/html/api/Bugzilla/DB/Schema.html
+4
-12
docs/en/html/api/Bugzilla/Field.html
docs/en/html/api/Bugzilla/Field.html
+18
-54
docs/en/html/api/Bugzilla/Hook.html
docs/en/html/api/Bugzilla/Hook.html
+18
-54
docs/en/html/api/Bugzilla/Install/CPAN.html
docs/en/html/api/Bugzilla/Install/CPAN.html
+1
-3
docs/en/html/api/Bugzilla/Install/Requirements.html
docs/en/html/api/Bugzilla/Install/Requirements.html
+7
-21
docs/en/html/api/Bugzilla/Install/Util.html
docs/en/html/api/Bugzilla/Install/Util.html
+9
-27
docs/en/html/api/Bugzilla/Object.html
docs/en/html/api/Bugzilla/Object.html
+2
-6
docs/en/html/api/Bugzilla/Product.html
docs/en/html/api/Bugzilla/Product.html
+1
-3
docs/en/html/api/Bugzilla/User.html
docs/en/html/api/Bugzilla/User.html
+2
-6
docs/en/html/api/Bugzilla/Util.html
docs/en/html/api/Bugzilla/Util.html
+9
-6
docs/en/html/api/Bugzilla/WebService.html
docs/en/html/api/Bugzilla/WebService.html
+18
-30
docs/en/html/api/Bugzilla/WebService/Bug.html
docs/en/html/api/Bugzilla/WebService/Bug.html
+81
-243
docs/en/html/api/Bugzilla/WebService/Bugzilla.html
docs/en/html/api/Bugzilla/WebService/Bugzilla.html
+8
-24
docs/en/html/api/Bugzilla/WebService/Product.html
docs/en/html/api/Bugzilla/WebService/Product.html
+6
-18
docs/en/html/api/Bugzilla/WebService/User.html
docs/en/html/api/Bugzilla/WebService/User.html
+49
-47
docs/en/html/api/Bugzilla/WebService/Util.html
docs/en/html/api/Bugzilla/WebService/Util.html
+7
-0
docs/en/html/api/index.html
docs/en/html/api/index.html
+2
-2
docs/en/html/attachments.html
docs/en/html/attachments.html
+9
-9
docs/en/html/bug_page.html
docs/en/html/bug_page.html
+3
-3
docs/en/html/bug_status_workflow.html
docs/en/html/bug_status_workflow.html
+1
-1
docs/en/html/bugreports.html
docs/en/html/bugreports.html
+4
-4
docs/en/html/classifications.html
docs/en/html/classifications.html
+1
-1
docs/en/html/cmdline-bugmail.html
docs/en/html/cmdline-bugmail.html
+1
-1
docs/en/html/cmdline.html
docs/en/html/cmdline.html
+2
-2
docs/en/html/components.html
docs/en/html/components.html
+1
-1
docs/en/html/configuration.html
docs/en/html/configuration.html
+40
-40
docs/en/html/conventions.html
docs/en/html/conventions.html
+1
-1
docs/en/html/copyright.html
docs/en/html/copyright.html
+1
-1
docs/en/html/credits.html
docs/en/html/credits.html
+2
-2
docs/en/html/cust-change-permissions.html
docs/en/html/cust-change-permissions.html
+2
-2
docs/en/html/cust-skins.html
docs/en/html/cust-skins.html
+2
-2
docs/en/html/cust-templates.html
docs/en/html/cust-templates.html
+13
-13
docs/en/html/custom-fields.html
docs/en/html/custom-fields.html
+7
-7
docs/en/html/customization.html
docs/en/html/customization.html
+1
-1
docs/en/html/disclaimer.html
docs/en/html/disclaimer.html
+1
-1
docs/en/html/edit-values.html
docs/en/html/edit-values.html
+3
-3
docs/en/html/extensions.html
docs/en/html/extensions.html
+1
-1
docs/en/html/extraconfig.html
docs/en/html/extraconfig.html
+9
-9
docs/en/html/flags-overview.html
docs/en/html/flags-overview.html
+24
-24
docs/en/html/flags.html
docs/en/html/flags.html
+1
-1
docs/en/html/general-advice.html
docs/en/html/general-advice.html
+1
-1
docs/en/html/gfdl-0.html
docs/en/html/gfdl-0.html
+1
-1
docs/en/html/gfdl-1.html
docs/en/html/gfdl-1.html
+1
-1
docs/en/html/gfdl-10.html
docs/en/html/gfdl-10.html
+1
-1
docs/en/html/gfdl-2.html
docs/en/html/gfdl-2.html
+1
-1
docs/en/html/gfdl-3.html
docs/en/html/gfdl-3.html
+1
-1
docs/en/html/gfdl-4.html
docs/en/html/gfdl-4.html
+1
-1
docs/en/html/gfdl-5.html
docs/en/html/gfdl-5.html
+1
-1
docs/en/html/gfdl-6.html
docs/en/html/gfdl-6.html
+1
-1
docs/en/html/gfdl-7.html
docs/en/html/gfdl-7.html
+1
-1
docs/en/html/gfdl-8.html
docs/en/html/gfdl-8.html
+1
-1
docs/en/html/gfdl-9.html
docs/en/html/gfdl-9.html
+1
-1
docs/en/html/gfdl-howto.html
docs/en/html/gfdl-howto.html
+1
-1
docs/en/html/gfdl.html
docs/en/html/gfdl.html
+1
-1
docs/en/html/glossary.html
docs/en/html/glossary.html
+31
-31
docs/en/html/groups.html
docs/en/html/groups.html
+9
-9
docs/en/html/hintsandtips.html
docs/en/html/hintsandtips.html
+5
-5
docs/en/html/index.html
docs/en/html/index.html
+4
-4
docs/en/html/install-perlmodules-manual.html
docs/en/html/install-perlmodules-manual.html
+1
-1
docs/en/html/installation.html
docs/en/html/installation.html
+24
-24
docs/en/html/installing-bugzilla.html
docs/en/html/installing-bugzilla.html
+1
-1
docs/en/html/integration.html
docs/en/html/integration.html
+1
-1
docs/en/html/keywords.html
docs/en/html/keywords.html
+1
-1
docs/en/html/lifecycle.html
docs/en/html/lifecycle.html
+1
-1
docs/en/html/milestones.html
docs/en/html/milestones.html
+2
-2
docs/en/html/modules-manual-download.html
docs/en/html/modules-manual-download.html
+1
-1
docs/en/html/modules-manual-instructions.html
docs/en/html/modules-manual-instructions.html
+2
-2
docs/en/html/modules-manual-optional.html
docs/en/html/modules-manual-optional.html
+1
-1
docs/en/html/multiple-bz-dbs.html
docs/en/html/multiple-bz-dbs.html
+1
-1
docs/en/html/myaccount.html
docs/en/html/myaccount.html
+3
-3
docs/en/html/newversions.html
docs/en/html/newversions.html
+2
-2
docs/en/html/nonroot.html
docs/en/html/nonroot.html
+17
-17
docs/en/html/os-specific.html
docs/en/html/os-specific.html
+15
-15
docs/en/html/parameters.html
docs/en/html/parameters.html
+32
-32
docs/en/html/paranoid-security.html
docs/en/html/paranoid-security.html
+1
-1
docs/en/html/patches.html
docs/en/html/patches.html
+1
-1
docs/en/html/products.html
docs/en/html/products.html
+9
-9
docs/en/html/query.html
docs/en/html/query.html
+11
-11
docs/en/html/quips.html
docs/en/html/quips.html
+1
-1
docs/en/html/reporting.html
docs/en/html/reporting.html
+6
-6
docs/en/html/sanitycheck.html
docs/en/html/sanitycheck.html
+2
-2
docs/en/html/security-bugzilla.html
docs/en/html/security-bugzilla.html
+1
-1
docs/en/html/security-os.html
docs/en/html/security-os.html
+4
-4
docs/en/html/security-webserver.html
docs/en/html/security-webserver.html
+7
-7
docs/en/html/security.html
docs/en/html/security.html
+1
-1
docs/en/html/timetracking.html
docs/en/html/timetracking.html
+1
-1
docs/en/html/trbl-dbdSponge.html
docs/en/html/trbl-dbdSponge.html
+1
-1
docs/en/html/trbl-index.html
docs/en/html/trbl-index.html
+1
-1
docs/en/html/trbl-passwd-encryption.html
docs/en/html/trbl-passwd-encryption.html
+2
-2
docs/en/html/trbl-perlmodule.html
docs/en/html/trbl-perlmodule.html
+2
-2
docs/en/html/trbl-relogin-everyone.html
docs/en/html/trbl-relogin-everyone.html
+1
-1
docs/en/html/trbl-testserver.html
docs/en/html/trbl-testserver.html
+1
-1
docs/en/html/troubleshooting.html
docs/en/html/troubleshooting.html
+1
-1
docs/en/html/upgrade.html
docs/en/html/upgrade.html
+20
-20
docs/en/html/useradmin.html
docs/en/html/useradmin.html
+14
-14
docs/en/html/userpreferences.html
docs/en/html/userpreferences.html
+14
-14
docs/en/html/using-intro.html
docs/en/html/using-intro.html
+1
-1
docs/en/html/using.html
docs/en/html/using.html
+1
-1
docs/en/html/versions.html
docs/en/html/versions.html
+1
-1
docs/en/html/voting.html
docs/en/html/voting.html
+1
-1
docs/en/html/whining.html
docs/en/html/whining.html
+13
-13
docs/en/pdf/Bugzilla-Guide.pdf
docs/en/pdf/Bugzilla-Guide.pdf
+0
-0
docs/en/txt/Bugzilla-Guide.txt
docs/en/txt/Bugzilla-Guide.txt
+12
-13
docs/en/xml/bugzilla.ent
docs/en/xml/bugzilla.ent
+2
-2
lib/CGI.pm
lib/CGI.pm
+1
-1
relogin.cgi
relogin.cgi
+23
-3
showdependencytree.cgi
showdependencytree.cgi
+4
-6
t/004template.t
t/004template.t
+15
-1
template/en/default/account/auth/login-small.html.tmpl
template/en/default/account/auth/login-small.html.tmpl
+3
-1
template/en/default/account/auth/login.html.tmpl
template/en/default/account/auth/login.html.tmpl
+3
-1
template/en/default/account/cancel-token.txt.tmpl
template/en/default/account/cancel-token.txt.tmpl
+1
-1
template/en/default/admin/groups/delete.html.tmpl
template/en/default/admin/groups/delete.html.tmpl
+2
-1
template/en/default/admin/params/attachment.html.tmpl
template/en/default/admin/params/attachment.html.tmpl
+2
-2
template/en/default/admin/params/auth.html.tmpl
template/en/default/admin/params/auth.html.tmpl
+1
-1
template/en/default/admin/sudo.html.tmpl
template/en/default/admin/sudo.html.tmpl
+3
-2
template/en/default/bug/create/create.html.tmpl
template/en/default/bug/create/create.html.tmpl
+3
-0
template/en/default/bug/edit.html.tmpl
template/en/default/bug/edit.html.tmpl
+5
-0
template/en/default/email/bugmail.txt.tmpl
template/en/default/email/bugmail.txt.tmpl
+1
-1
template/en/default/email/flagmail.txt.tmpl
template/en/default/email/flagmail.txt.tmpl
+1
-1
template/en/default/extensions/name-readme.txt.tmpl
template/en/default/extensions/name-readme.txt.tmpl
+1
-1
template/en/default/global/messages.html.tmpl
template/en/default/global/messages.html.tmpl
+3
-5
template/en/default/global/user-error.html.tmpl
template/en/default/global/user-error.html.tmpl
+13
-4
template/en/default/list/edit-multiple.html.tmpl
template/en/default/list/edit-multiple.html.tmpl
+6
-1
template/en/default/list/list.html.tmpl
template/en/default/list/list.html.tmpl
+7
-5
template/en/default/pages/release-notes.html.tmpl
template/en/default/pages/release-notes.html.tmpl
+27
-0
No files found.
.bzr/README
View file @
dcf6afc5
This is a Bazaar control directory.
Do not change any files in this directory.
See http://bazaar
-vcs.org
/ for more information about Bazaar.
See http://bazaar
.canonical.com
/ for more information about Bazaar.
.bzr/checkout/dirstate
View file @
dcf6afc5
No preview for this file type
.gitignore
0 → 100644
View file @
dcf6afc5
.htaccess
/lib/*
/template/en/custom
/docs/bugzilla.ent
/docs/en/xml/bugzilla.ent
/docs/en/txt
/docs/en/html
/docs/en/pdf
/skins/custom
/graphs
/data
/localconfig
/index.html
/skins/contrib/Dusk/IE-fixes.css
/skins/contrib/Dusk/admin.css
/skins/contrib/Dusk/attachment.css
/skins/contrib/Dusk/create_attachment.css
/skins/contrib/Dusk/dependency-tree.css
/skins/contrib/Dusk/duplicates.css
/skins/contrib/Dusk/editusers.css
/skins/contrib/Dusk/enter_bug.css
/skins/contrib/Dusk/help.css
/skins/contrib/Dusk/panel.css
/skins/contrib/Dusk/page.css
/skins/contrib/Dusk/params.css
/skins/contrib/Dusk/reports.css
/skins/contrib/Dusk/show_bug.css
/skins/contrib/Dusk/search_form.css
/skins/contrib/Dusk/show_multiple.css
/skins/contrib/Dusk/summarize-time.css
.DS_Store
.gitrev
0 → 100644
View file @
dcf6afc5
fc3bcda75a19dd381af0f9d54d98645a332bccbf
\ No newline at end of file
Bugzilla/Auth.pm
View file @
dcf6afc5
...
...
@@ -108,6 +108,15 @@ sub can_logout {
return
$getter
->
can_logout
;
}
sub
login_token
{
my
(
$self
)
=
@_
;
my
$getter
=
$self
->
{
_info_getter
}
->
{
successful
};
if
(
$getter
&&
$getter
->
isa
('
Bugzilla::Auth::Login::Cookie
'))
{
return
$getter
->
login_token
;
}
return
undef
;
}
sub
user_can_create_account
{
my
(
$self
)
=
@_
;
my
$verifier
=
$self
->
{
_verifier
}
->
{
successful
};
...
...
@@ -143,7 +152,7 @@ sub _handle_login_result {
if
(
$self
->
{
_info_getter
}
->
{
successful
}
->
requires_persistence
and
!
Bugzilla
->
request_cache
->
{
auth_no_automatic_login
})
{
$self
->
{
_persister
}
->
persist_login
(
$user
);
$
user
->
{
_login_token
}
=
$
self
->
{
_persister
}
->
persist_login
(
$user
);
}
}
elsif
(
$fail_code
==
AUTH_ERROR
)
{
...
...
@@ -409,6 +418,14 @@ Params: None
Returns: C<true> if users can change their own email address,
C<false> otherwise.
=item C<login_token>
Description: If a login token was used instead of a cookie then this
will return the current login token data such as user id
and the token itself.
Params: None
Returns: A hash containing C<login_token> and C<user_id>.
=back
=head1 STRUCTURE
...
...
Bugzilla/Auth/Login/CGI.pm
View file @
dcf6afc5
...
...
@@ -14,19 +14,52 @@ use Bugzilla::Constants;
use
Bugzilla::WebService::
Constants
;
use
Bugzilla::
Util
;
use
Bugzilla::
Error
;
use
Bugzilla::
Token
;
sub
get_login_info
{
my
(
$self
)
=
@_
;
my
$params
=
Bugzilla
->
input_params
;
my
$cgi
=
Bugzilla
->
cgi
;
my
$login
=
trim
(
delete
$params
->
{'
Bugzilla_login
'});
my
$password
=
delete
$params
->
{'
Bugzilla_password
'};
# The token must match the cookie to authenticate the request.
my
$login_token
=
delete
$params
->
{'
Bugzilla_login_token
'};
my
$login_cookie
=
$cgi
->
cookie
('
Bugzilla_login_request_cookie
');
my
$username
=
trim
(
delete
$params
->
{"
Bugzilla_login
"});
my
$password
=
delete
$params
->
{"
Bugzilla_password
"};
my
$valid
=
0
;
# If the web browser accepts cookies, use them.
if
(
$login_token
&&
$login_cookie
)
{
my
(
$time
,
undef
)
=
split
(
/-/
,
$login_token
);
# Regenerate the token based on the information we have.
my
$expected_token
=
issue_hash_token
(['
login_request
',
$login_cookie
],
$time
);
$valid
=
1
if
$expected_token
eq
$login_token
;
$cgi
->
remove_cookie
('
Bugzilla_login_request_cookie
');
}
# WebServices and other local scripts can bypass this check.
# This is safe because we won't store a login cookie in this case.
elsif
(
Bugzilla
->
usage_mode
!=
USAGE_MODE_BROWSER
)
{
$valid
=
1
;
}
# Else falls back to the Referer header and accept local URLs.
# Attachments are served from a separate host (ideally), and so
# an evil attachment cannot abuse this check with a redirect.
elsif
(
my
$referer
=
$cgi
->
referer
)
{
my
$urlbase
=
correct_urlbase
();
$valid
=
1
if
$referer
=~
/^\Q$urlbase\E/
;
}
# If the web browser doesn't accept cookies and the Referer header
# is missing, we have no way to make sure that the authentication
# request comes from the user.
elsif
(
$login
&&
$password
)
{
ThrowUserError
('
auth_untrusted_request
',
{
login
=>
$login
});
}
if
(
!
defined
$username
||
!
defined
$passwor
d
)
{
if
(
!
$login
||
!
$password
||
!
$vali
d
)
{
return
{
failure
=>
AUTH_NODATA
};
}
return
{
username
=>
$
username
,
password
=>
$password
};
return
{
username
=>
$
login
,
password
=>
$password
};
}
sub
fail_nodata
{
...
...
Bugzilla/Auth/Login/Cookie.pm
View file @
dcf6afc5
...
...
@@ -6,8 +6,11 @@
# defined by the Mozilla Public License, v. 2.0.
package
Bugzilla::Auth::Login::
Cookie
;
use
strict
;
use
base
qw(Bugzilla::Auth::Login)
;
use
fields
qw(_login_token)
;
use
Bugzilla::
Constants
;
use
Bugzilla::
Util
;
...
...
@@ -17,7 +20,8 @@ use List::Util qw(first);
use
constant
requires_persistence
=>
0
;
use
constant
requires_verification
=>
0
;
use
constant
can_login
=>
0
;
use
constant
is_automatic
=>
1
;
sub
is_automatic
{
return
$_
[
0
]
->
login_token
?
0
:
1
;
}
# Note that Cookie never consults the Verifier, it always assumes
# it has a valid DB account or it fails.
...
...
@@ -25,24 +29,35 @@ sub get_login_info {
my
(
$self
)
=
@_
;
my
$cgi
=
Bugzilla
->
cgi
;
my
$dbh
=
Bugzilla
->
dbh
;
my
(
$user_id
,
$login_cookie
);
my
$ip_addr
=
remote_ip
();
my
$login_cookie
=
$cgi
->
cookie
("
Bugzilla_logincookie
");
my
$user_id
=
$cgi
->
cookie
("
Bugzilla_login
");
if
(
!
Bugzilla
->
request_cache
->
{
auth_no_automatic_login
})
{
$login_cookie
=
$cgi
->
cookie
("
Bugzilla_logincookie
");
$user_id
=
$cgi
->
cookie
("
Bugzilla_login
");
# If cookies cannot be found, this could mean that they haven't
# been made available yet. In this case, look at Bugzilla_cookie_list.
unless
(
$login_cookie
)
{
my
$cookie
=
first
{
$_
->
name
eq
'
Bugzilla_logincookie
'}
@
{
$cgi
->
{'
Bugzilla_cookie_list
'}};
$login_cookie
=
$cookie
->
value
if
$cookie
;
# If cookies cannot be found, this could mean that they haven't
# been made available yet. In this case, look at Bugzilla_cookie_list.
unless
(
$login_cookie
)
{
my
$cookie
=
first
{
$_
->
name
eq
'
Bugzilla_logincookie
'}
@
{
$cgi
->
{'
Bugzilla_cookie_list
'}};
$login_cookie
=
$cookie
->
value
if
$cookie
;
}
unless
(
$user_id
)
{
my
$cookie
=
first
{
$_
->
name
eq
'
Bugzilla_login
'}
@
{
$cgi
->
{'
Bugzilla_cookie_list
'}};
$user_id
=
$cookie
->
value
if
$cookie
;
}
}
unless
(
$user_id
)
{
my
$cookie
=
first
{
$_
->
name
eq
'
Bugzilla_login
'}
@
{
$cgi
->
{'
Bugzilla_cookie_list
'}};
$user_id
=
$cookie
->
value
if
$cookie
;
# If no cookies were provided, we also look for a login token
# passed in the parameters of a webservice
my
$token
=
$self
->
login_token
;
if
(
$token
&&
(
!
$login_cookie
||
!
$user_id
))
{
(
$user_id
,
$login_cookie
)
=
(
$token
->
{'
user_id
'},
$token
->
{'
login_token
'});
}
my
$ip_addr
=
remote_ip
();
if
(
$login_cookie
&&
$user_id
)
{
# Anything goes for these params - they're just strings which
# we're going to verify against the db
...
...
@@ -75,4 +90,32 @@ sub get_login_info {
return
{
failure
=>
AUTH_NODATA
};
}
sub
login_token
{
my
(
$self
)
=
@_
;
my
$input
=
Bugzilla
->
input_params
;
my
$usage_mode
=
Bugzilla
->
usage_mode
;
return
$self
->
{'
_login_token
'}
if
exists
$self
->
{'
_login_token
'};
if
(
$usage_mode
ne
USAGE_MODE_XMLRPC
&&
$usage_mode
ne
USAGE_MODE_JSON
)
{
return
$self
->
{'
_login_token
'}
=
undef
;
}
# Check if a token was passed in via requests for WebServices
my
$token
=
trim
(
delete
$input
->
{'
Bugzilla_token
'});
return
$self
->
{'
_login_token
'}
=
undef
if
!
$token
;
my
(
$user_id
,
$login_token
)
=
split
('
-
',
$token
,
2
);
if
(
!
detaint_natural
(
$user_id
)
||
!
$login_token
)
{
return
$self
->
{'
_login_token
'}
=
undef
;
}
return
$self
->
{'
_login_token
'}
=
{
user_id
=>
$user_id
,
login_token
=>
$login_token
};
}
1
;
Bugzilla/Auth/Persist/Cookie.pm
View file @
dcf6afc5
...
...
@@ -52,6 +52,10 @@ sub persist_login {
$dbh
->
bz_commit_transaction
();
# We do not want WebServices to generate login cookies.
# All we need is the login token for User.login.
return
$login_cookie
if
i_am_webservice
();
# Prevent JavaScript from accessing login cookies.
my
%cookieargs
=
('
-httponly
'
=>
1
);
...
...
@@ -84,6 +88,7 @@ sub logout {
my
$dbh
=
Bugzilla
->
dbh
;
my
$cgi
=
Bugzilla
->
cgi
;
my
$input
=
Bugzilla
->
input_params
;
$param
=
{}
unless
$param
;
my
$user
=
$param
->
{
user
}
||
Bugzilla
->
user
;
my
$type
=
$param
->
{
type
}
||
LOGOUT_ALL
;
...
...
@@ -97,16 +102,24 @@ sub logout {
# The LOGOUT_*_CURRENT options require the current login cookie.
# If a new cookie has been issued during this run, that's the current one.
# If not, it's the one we've received.
my
@login_cookies
;
my
$cookie
=
first
{
$_
->
name
eq
'
Bugzilla_logincookie
'}
@
{
$cgi
->
{'
Bugzilla_cookie_list
'}};
my
$login_cookie
;
if
(
$cookie
)
{
$login_cookie
=
$cookie
->
value
;
push
(
@login_cookies
,
$cookie
->
value
);
}
elsif
(
$cookie
=
$cgi
->
cookie
("
Bugzilla_logincookie
"))
{
push
(
@login_cookies
,
$cookie
);
}
else
{
$login_cookie
=
$cgi
->
cookie
("
Bugzilla_logincookie
")
||
'';
# If we are a webservice using a token instead of cookie
# then add that as well to the login cookies to delete
if
(
my
$login_token
=
$user
->
authorizer
->
login_token
)
{
push
(
@login_cookies
,
$login_token
->
{'
login_token
'});
}
trick_taint
(
$login_cookie
);
# Make sure that @login_cookies is not empty to not break SQL statements.
push
(
@login_cookies
,
'')
unless
@login_cookies
;
# These queries use both the cookie ID and the user ID as keys. Even
# though we know the userid must match, we still check it in the SQL
...
...
@@ -115,12 +128,18 @@ sub logout {
# logged in and got the same cookie, we could be logging the other
# user out here. Yes, this is very very very unlikely, but why take
# chances? - bbaetz
map
{
trick_taint
(
$_
)
}
@login_cookies
;
@login_cookies
=
map
{
$dbh
->
quote
(
$_
)
}
@login_cookies
;
if
(
$type
==
LOGOUT_KEEP_CURRENT
)
{
$dbh
->
do
("
DELETE FROM logincookies WHERE cookie != ? AND userid = ?
",
undef
,
$login_cookie
,
$user
->
id
);
$dbh
->
do
("
DELETE FROM logincookies WHERE
"
.
$dbh
->
sql_in
('
cookie
',
\
@login_cookies
,
1
)
.
"
AND userid = ?
",
undef
,
$user
->
id
);
}
elsif
(
$type
==
LOGOUT_CURRENT
)
{
$dbh
->
do
("
DELETE FROM logincookies WHERE cookie = ? AND userid = ?
",
undef
,
$login_cookie
,
$user
->
id
);
$dbh
->
do
("
DELETE FROM logincookies WHERE
"
.
$dbh
->
sql_in
('
cookie
',
\
@login_cookies
)
.
"
AND userid = ?
",
undef
,
$user
->
id
);
}
else
{
die
("
Invalid type
$type
supplied to logout()
");
}
...
...
@@ -128,7 +147,6 @@ sub logout {
if
(
$type
!=
LOGOUT_KEEP_CURRENT
)
{
clear_browser_cookies
();
}
}
sub
clear_browser_cookies
{
...
...
Bugzilla/Bug.pm
View file @
dcf6afc5
...
...
@@ -511,8 +511,10 @@ sub possible_duplicates {
my
$dbh
=
Bugzilla
->
dbh
;
my
$user
=
Bugzilla
->
user
;
my
@words
=
split
(
/[\b\s]+/
,
$short_desc
||
'');
# Exclude punctuation from the array.
@words
=
map
{
/(\w+)/
;
$
1
}
@words
;
# Remove leading/trailing punctuation from words
foreach
my
$word
(
@words
)
{
$word
=~
s/(?:^\W+|\W+$)//g
;
}
# And make sure that each word is longer than 2 characters.
@words
=
grep
{
defined
$_
and
length
(
$_
)
>
2
}
@words
;
...
...
@@ -2747,31 +2749,23 @@ sub add_comment {
push
(
@
{
$self
->
{
added_comments
}},
$params
);
}
# There was a lot of duplicate code when I wrote this as three separate
# functions, so I just combined them all into one. This is also easier for
# process_bug to use.
sub
modify_keywords
{
my
(
$self
,
$keywords
,
$action
)
=
@_
;
$action
||=
'
set
';
if
(
!
grep
(
$action
eq
$_
,
qw(add remove set)
))
{
if
(
!
$action
||
!
grep
{
$action
eq
$_
}
qw(add remove set)
)
{
$action
=
'
set
';
}
$keywords
=
$self
->
_check_keywords
(
$keywords
);
my
@old_keywords
=
@
{
$self
->
keyword_objects
};
my
@result
;
my
(
@result
,
$any_changes
);
if
(
$action
eq
'
set
')
{
@result
=
@$keywords
;
# Check if anything was added or removed.
my
@old_ids
=
map
{
$_
->
id
}
@
{
$self
->
keyword_objects
};
my
@new_ids
=
map
{
$_
->
id
}
@result
;
my
(
$removed
,
$added
)
=
diff_arrays
(
\
@old_ids
,
\
@new_ids
);
$any_changes
=
scalar
@$removed
||
scalar
@$added
;
}
else
{
# We're adding or deleting specific keywords.
my
%keys
=
map
{
$_
->
id
=>
$_
}
@
{
$self
->
keyword_objects
}
;
my
%keys
=
map
{
$_
->
id
=>
$_
}
@old_keywords
;
if
(
$action
eq
'
add
')
{
$keys
{
$_
->
id
}
=
$_
foreach
@$keywords
;
}
...
...
@@ -2779,11 +2773,17 @@ sub modify_keywords {
delete
$keys
{
$_
->
id
}
foreach
@$keywords
;
}
@result
=
values
%keys
;
$any_changes
=
scalar
@$keywords
;
}
# Check if anything was added or removed.
my
@old_ids
=
map
{
$_
->
id
}
@old_keywords
;
my
@new_ids
=
map
{
$_
->
id
}
@result
;
my
(
$removed
,
$added
)
=
diff_arrays
(
\
@old_ids
,
\
@new_ids
);
my
$any_changes
=
scalar
@$removed
||
scalar
@$added
;
# Make sure we retain the sort order.
@result
=
sort
{
lc
(
$a
->
name
)
cmp
lc
(
$b
->
name
)}
@result
;
if
(
$any_changes
)
{
my
$privs
;
my
$new
=
join
('
,
',
(
map
{
$_
->
name
}
@result
));
...
...
@@ -3776,17 +3776,24 @@ sub editable_bug_fields {
# Join with bug_status and bugs tables to show bugs with open statuses first,
# and then the others
sub
EmitDependList
{
my
(
$myfield
,
$targetfield
,
$bug_id
)
=
(
@
_
);
my
(
$my_field
,
$target_field
,
$bug_id
,
$exclude_resolved
)
=
@_
;
my
$cache
=
Bugzilla
->
request_cache
->
{
bug_dependency_list
}
||=
{};
my
$dbh
=
Bugzilla
->
dbh
;
my
$list_ref
=
$dbh
->
selectcol_arrayref
(
"
SELECT
$targetfield
$exclude_resolved
=
$exclude_resolved
?
1
:
0
;
my
$is_open_clause
=
$exclude_resolved
?
'
AND is_open = 1
'
:
'';
$cache
->
{"
${target_field}
_sth_
$exclude_resolved
"}
||=
$dbh
->
prepare
(
"
SELECT
$target_field
FROM dependencies
INNER JOIN bugs ON dependencies.
$targetfield
= bugs.bug_id
INNER JOIN bugs ON dependencies.
$target
_
field
= bugs.bug_id
INNER JOIN bug_status ON bugs.bug_status = bug_status.value
WHERE
$myfield
= ?
ORDER BY is_open DESC,
$targetfield
",
undef
,
$bug_id
);
return
$list_ref
;
WHERE
$my_field
= ?
$is_open_clause
ORDER BY is_open DESC,
$target_field
");
return
$dbh
->
selectcol_arrayref
(
$cache
->
{"
${target_field}
_sth_
$exclude_resolved
"},
undef
,
$bug_id
);
}
# Creates a lot of bug objects in the same order as the input array.
...
...
Bugzilla/CGI.pm
View file @
dcf6afc5
...
...
@@ -286,6 +286,7 @@ sub close_standby_message {
# Override header so we can add the cookies in
sub
header
{
my
$self
=
shift
;
my
$user
=
Bugzilla
->
user
;
# If there's only one parameter, then it's a Content-Type.
if
(
scalar
(
@
_
)
==
1
)
{
...
...
@@ -293,6 +294,18 @@ sub header {
unshift
(
@
_
,
'
-type
'
=>
shift
(
@
_
));
}
if
(
!
$user
->
id
&&
$user
->
authorizer
->
can_login
&&
!
$self
->
cookie
('
Bugzilla_login_request_cookie
'))
{
my
%args
;
$args
{'
-secure
'}
=
1
if
Bugzilla
->
params
->
{
ssl_redirect
};
$self
->
send_cookie
(
-
name
=>
'
Bugzilla_login_request_cookie
',
-
value
=>
generate_random_password
(),
-
httponly
=>
1
,
%args
);
}
# Add the cookies in if we have any
if
(
scalar
(
@
{
$self
->
{
Bugzilla_cookie_list
}}))
{
unshift
(
@
_
,
'
-cookie
'
=>
$self
->
{
Bugzilla_cookie_list
});
...
...
Bugzilla/Constants.pm
View file @
dcf6afc5
...
...
@@ -182,7 +182,7 @@ use Memoize;
# CONSTANTS
#
# Bugzilla version
use
constant
BUGZILLA_VERSION
=>
"
4.4.
2
";
use
constant
BUGZILLA_VERSION
=>
"
4.4.
3
";
# Location of the remote and local XML files to track new releases.
use
constant
REMOTE_FILE
=>
'
http://updates.bugzilla.org/bugzilla-update.xml
';
...
...
Bugzilla/Template.pm
View file @
dcf6afc5
...
...
@@ -645,6 +645,17 @@ sub create {
my
(
$data
)
=
@_
;
return
encode_base64
(
$data
);
},
# Strips out control characters excepting whitespace
strip_control_chars
=>
sub
{
my
(
$data
)
=
@_
;
# Only run for utf8 to avoid issues with other multibyte encodings
# that may be reassigning meaning to ascii characters.
if
(
Bugzilla
->
params
->
{'
utf8
'})
{
$data
=~
s/(?![\t\r\n])[[:cntrl:]]//g
;
}
return
$data
;
},
# HTML collapses newlines in element attributes to a single space,
# so form elements which may have whitespace (ie comments) need
...
...
@@ -889,6 +900,11 @@ sub create {
# Allow templates to generate a token themselves.
'
issue_hash_token
'
=>
\
&
Bugzilla::Token::
issue_hash_token
,
'
get_login_request_token
'
=>
sub
{
my
$cookie
=
Bugzilla
->
cgi
->
cookie
('
Bugzilla_login_request_cookie
');
return
$cookie
?
issue_hash_token
(['
login_request
',
$cookie
])
:
'';
},
# A way for all templates to get at Field data, cached.
'
bug_fields
'
=>
sub
{
my
$cache
=
Bugzilla
->
request_cache
;
...
...
Bugzilla/Util.pm
View file @
dcf6afc5
...
...
@@ -13,8 +13,8 @@ use base qw(Exporter);
@
Bugzilla::Util::
EXPORT
=
qw(trick_taint detaint_natural detaint_signed
html_quote url_quote xml_quote
css_class_quote html_light_quote
i_am_cgi
correct_urlbase remote_ip valida
te_ip
do_ssl_redirect_if_required use_attachbase
i_am_cgi
i_am_webservice correct_urlbase remo
te_ip
validate_ip
do_ssl_redirect_if_required use_attachbase
diff_arrays on_main_db say
trim wrap_hard wrap_comment find_wrap_point
format_time validate_date validate_time datetime_from
...
...
@@ -68,6 +68,10 @@ sub html_quote {
# Obscure '@'.
$var
=~
s/\@/\@/g
;
if
(
Bugzilla
->
params
->
{'
utf8
'})
{
# Remove control characters if the encoding is utf8.
# Other multibyte encodings may be using this range; so ignore if not utf8.
$var
=~
s/(?![\t\r\n])[[:cntrl:]]//g
;
# Remove the following characters because they're
# influencing BiDi:
# --------------------------------------------------------
...
...
@@ -230,6 +234,12 @@ sub i_am_cgi {
return
exists
$ENV
{'
SERVER_SOFTWARE
'}
?
1
:
0
;
}
sub
i_am_webservice
{
my
$usage_mode
=
Bugzilla
->
usage_mode
;
return
$usage_mode
==
USAGE_MODE_XMLRPC
||
$usage_mode
==
USAGE_MODE_JSON
;
}
# This exists as a separate function from Bugzilla::CGI::redirect_to_https
# because we don't want to create a CGI object during XML-RPC calls
# (doing so can mess up XML-RPC).
...
...
@@ -862,6 +872,7 @@ Bugzilla::Util - Generic utility functions for bugzilla
# Functions that tell you about your environment
my $is_cgi = i_am_cgi();
my $is_webservice = i_am_webservice();
my $urlbase = correct_urlbase();
# Data manipulation
...
...
@@ -989,6 +1000,11 @@ Tells you whether or not you are being run as a CGI script in a web
server. For example, it would return false if the caller is running
in a command-line script.
=item C<i_am_webservice()>
Tells you whether or not the current usage mode is WebServices related
such as JSONRPC or XMLRPC.
=item C<correct_urlbase()>
Returns either the C<sslbase> or C<urlbase> parameter, depending on the
...
...
Bugzilla/WebService.pm
View file @
dcf6afc5
...
...
@@ -128,9 +128,7 @@ There are various ways to log in:
=item C<User.login>
You can use L<Bugzilla::WebService::User/login> to log in as a Bugzilla
user. This issues standard HTTP cookies that you must then use in future
calls, so your client must be capable of receiving and transmitting
cookies.
user. This issues a token that you must then use in future calls.
=item C<Bugzilla_login> and C<Bugzilla_password>
...
...
@@ -150,19 +148,21 @@ WebService method to perform a login:
=item C<Bugzilla_restrictlogin> (boolean) - Optional. If true,
then your login will only be valid for your IP address.
=item C<Bugzilla_rememberlogin> (boolean) - Optional. If true,
then the cookie sent back to you with the method response will
not expire.
=back
The C<Bugzilla_restrictlogin> and C<Bugzilla_rememberlogin> options
are only used when you have also specified C<Bugzilla_login> and
C<Bugzilla_password>.
The C<Bugzilla_restrictlogin> option is only used when you have also
specified C<Bugzilla_login> and C<Bugzilla_password>.
=item C<Bugzilla_token>
B<Added in Bugzilla 5.0 and backported to 4.4.3>
You can specify C<Bugzilla_token> as argument to any WebService method,
and you will be logged in as that user if the token is correct. This is
the token returned when calling C<User.login> mentioned above.
Note that Bugzilla will return HTTP cookies along with the method
response when you use these arguments (just like the C<User.login> method
above).
Support for using login cookies for authentication has been dropped
for security reasons.