Das Benutzer-Passwort nicht im Klartext in Session-Tabelle ablegen
author
Moritz Bunkus
<m.bunkus@linet-services.de>
Thu, 16 Jun 2011 08:18:16 +0000
(10:18 +0200)
committer
Moritz Bunkus
<m.bunkus@linet-services.de>
Thu, 16 Jun 2011 08:18:16 +0000
(10:18 +0200)
SL/Auth.pm
SL/Auth/DB.pm
SL/Auth/LDAP.pm
SL/Auth/Password.pm
SL/Dispatcher.pm
bin/mozilla/login.pl
diff --git
a/SL/Auth.pm
b/SL/Auth.pm
index
784b185
..
3ff6a1c
100644
(file)
--- a/
SL/Auth.pm
+++ b/
SL/Auth.pm
@@
-11,6
+11,7
@@
use YAML;
use SL::Auth::Constants qw(:all);
use SL::Auth::DB;
use SL::Auth::LDAP;
use SL::Auth::Constants qw(:all);
use SL::Auth::DB;
use SL::Auth::LDAP;
+use SL::Auth::Password;
use SL::SessionFile;
use SL::User;
use SL::SessionFile;
use SL::User;
@@
-163,6
+164,15
@@
sub authenticate {
return $result;
}
return $result;
}
+sub store_credentials_in_session {
+ my ($self, %params) = @_;
+
+ $params{password} = SL::Auth::Password->hash_if_unhashed(login => $params{login}, password => $params{password})
+ unless $self->{authenticator}->requires_cleartext_password;
+
+ $self->set_session_value(login => $params{login}, password => $params{password});
+}
+
sub dbconnect {
$main::lxdebug->enter_sub(2);
sub dbconnect {
$main::lxdebug->enter_sub(2);
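Review bot: `store_credentials_in_session` carries no comment saying what actually lands in the session table, and the value it stores is still a directly usable credential: for the DB backend the `{ALGO}hash` string written here is exactly what `SL::Auth::DB::authenticate` now accepts unchanged through `hash_if_unhashed`, so anyone who can read the session table can still log in with it, and for backends where `requires_cleartext_password` is true the cleartext password is stored exactly as before. Note also that this call passes no `algorithm`, while `SL::Auth::DB::authenticate` hashes with the stored password's algorithm; if the default chosen by `hash` (not visible here) differs from what `parse` reports for a legacy unprefixed entry (`CRYPT`), `$algorithm` and `$algorithm2` would differ on session re-validation — worth a test against an old-style user. Suggested header comment: `# Store login and password in the session. The password is hashed unless the authenticator needs the cleartext (LDAP bind); the hash is still replayable against the DB backend, so the session table needs the same protection as the user table.` The `dbconnect` that follows continues outside the hunk.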
diff --git
a/SL/Auth/DB.pm
b/SL/Auth/DB.pm
index
e70112b
..
66d23cd
100644
(file)
--- a/
SL/Auth/DB.pm
+++ b/
SL/Auth/DB.pm
@@
-48,7
+48,7
@@
sub authenticate {
# passwords. Hash it for easier comparison.
$stored_password = SL::Auth::Password->hash(password => $stored_password) unless $stored_password;
($algorithm, $stored_password) = SL::Auth::Password->parse($stored_password);
# passwords. Hash it for easier comparison.
$stored_password = SL::Auth::Password->hash(password => $stored_password) unless $stored_password;
($algorithm, $stored_password) = SL::Auth::Password->parse($stored_password);
- ($algorithm2, $password) = SL::Auth::Password->parse(SL::Auth::Password->hash(password => $password, algorithm => $algorithm, login => $login));
+ ($algorithm2, $password) = SL::Auth::Password->parse(SL::Auth::Password->hash
_if_unhashed
(password => $password, algorithm => $algorithm, login => $login));
$main::lxdebug->leave_sub();
$main::lxdebug->leave_sub();
@@
-59,6
+59,10
@@
sub can_change_password {
return 1;
}
return 1;
}
+sub requires_cleartext_password {
+ return 0;
+}
+
sub change_password {
$main::lxdebug->enter_sub();
sub change_password {
$main::lxdebug->enter_sub();
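Review bot: Switching `authenticate` to `hash_if_unhashed` makes the login path accept an already-hashed value: `$password` is whatever the caller hands in, and `SL/Dispatcher.pm` passes `$::form->{password}` straight to `$::auth->authenticate`, so — assuming `SL::Auth::authenticate`, which is outside this diff, forwards it unchanged — a submitted password of the form `{SHA256}…` or `{CRYPT}…` is compared as a hash instead of being hashed, letting anyone who has obtained a stored hash log in with it, while a genuine cleartext password that happens to start with `{…}` can no longer log in at all. The session re-validation case should be signalled explicitly rather than sniffed from the string, e.g. an extra argument to `authenticate` and `($algorithm2, $password) = SL::Auth::Password->parse($password_is_hashed ? $password : SL::Auth::Password->hash(password => $password, algorithm => $algorithm, login => $login));`, with `SL::Auth` setting the flag only for values read back from the session. `authenticate` and `change_password` both start or end outside the hunk.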
diff --git
a/SL/Auth/LDAP.pm
b/SL/Auth/LDAP.pm
index
70e963d
..
1c8c851
100644
(file)
--- a/
SL/Auth/LDAP.pm
+++ b/
SL/Auth/LDAP.pm
@@
-180,6
+180,10
@@
sub can_change_password {
return 0;
}
return 0;
}
+sub requires_cleartext_password {
+ return 1;
+}
+
sub change_password {
return ERR_BACKEND;
}
sub change_password {
return ERR_BACKEND;
}
diff --git
a/SL/Auth/Password.pm
b/SL/Auth/Password.pm
index
9b0f1ae
..
5a17203
100644
(file)
--- a/
SL/Auth/Password.pm
+++ b/
SL/Auth/Password.pm
@@
-35,11
+35,19
@@
sub hash {
}
}
}
}
+sub hash_if_unhashed {
+ my ($class, %params) = @_;
+
+ my ($algorithm, $password) = $class->parse($params{password}, 'NONE');
+
+ return $algorithm eq 'NONE' ? $class->hash(%params) : $params{password};
+}
+
sub parse {
sub parse {
- my ($class, $password) = @_;
+ my ($class, $password
, $default_algorithm
) = @_;
return ($1, $2) if $password =~ m/^\{ ([^\}]+) \} (.+)/x;
return ($1, $2) if $password =~ m/^\{ ([^\}]+) \} (.+)/x;
- return ('CRYPT', $password);
+ return (
$default_algorithm ||
'CRYPT', $password);
}
1;
}
1;
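Review bot: `hash_if_unhashed` decides "already hashed" purely by whether the value matches the `{ALGO}…` prefix that `parse` recognises, and neither it nor the new `$default_algorithm` parameter of `parse` is documented, so callers cannot tell that any string which merely looks like a hash is trusted as one. Suggested comments: above `hash_if_unhashed`, `# Return $params{password} unchanged if it already carries a {ALGO} prefix, otherwise hash it. Never feed this user-supplied input: a value that only looks like a hash is accepted as one.`; above `parse`, `# $default_algorithm is reported for values without a {ALGO} prefix; defaults to CRYPT for legacy unprefixed crypt(3) entries.` An undefined password also reaches the regex unguarded (a warning under `use warnings`, after which `hash` is called with an undefined password), so consider `return ($default_algorithm || 'CRYPT', $password) unless defined $password;` as the first statement of `parse`. `sub hash` ends just before the hunk's first context line.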
diff --git
a/SL/Dispatcher.pm
b/SL/Dispatcher.pm
index
76fcf6f
..
239cdcb
100644
(file)
--- a/
SL/Dispatcher.pm
+++ b/
SL/Dispatcher.pm
@@
-202,7
+202,7
@@
sub handle_request {
show_error('login/password_error', 'password') if SL::Auth::OK != $::auth->authenticate($::form->{login}, $::form->{password});
show_error('login/password_error', 'password') if SL::Auth::OK != $::auth->authenticate($::form->{login}, $::form->{password});
- $::auth->s
et_session_value('login', $::form->{login}, 'password',
$::form->{password});
+ $::auth->s
tore_credentials_in_session(login => $::form->{login}, password =>
$::form->{password});
$::auth->create_or_refresh_session;
$::auth->delete_session_value('FLASH');
delete $::form->{password};
$::auth->create_or_refresh_session;
$::auth->delete_session_value('FLASH');
delete $::form->{password};
diff --git
a/bin/mozilla/login.pl
b/bin/mozilla/login.pl
index
03e6dd9
..
528c4eb
100644
(file)
--- a/
bin/mozilla/login.pl
+++ b/
bin/mozilla/login.pl
@@
-69,8
+69,9
@@
sub run {
$form->{error_message} = $::locale->text('Incorrect username or password!');
login_screen();
} else {
$form->{error_message} = $::locale->text('Incorrect username or password!');
login_screen();
} else {
- $auth->s
et_session_value('login', $form->{login}, 'password',
$form->{password});
+ $auth->s
tore_credentials_in_session(login => $form->{login}, password =>
$form->{password});
$auth->create_or_refresh_session();
$auth->create_or_refresh_session();
+ delete $form->{password};
$form->{titlebar} .= " - $::myconfig{name} - $::myconfig{dbname}";
call_sub($::locale->findsub($action));
$form->{titlebar} .= " - $::myconfig{name} - $::myconfig{dbname}";
call_sub($::locale->findsub($action));
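Review bot: The post-login sequence — `store_credentials_in_session`, `create_or_refresh_session`, then `delete …{password}` — is now spelled out identically in `bin/mozilla/login.pl` and `SL/Dispatcher.pm`, and the `delete $form->{password}` added here is only there to keep the two copies in step. Moving the three steps into one `SL::Auth` method (say `$auth->finish_login(login => $form->{login}, password => $form->{password})`) would let both call sites share it and stop them drifting apart again, which is exactly how the cleartext-in-session bug this commit fixes could be reintroduced in one place and not the other. The `if`/`else` this hunk sits in starts outside the hunk.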