Das Benutzer-Passwort nicht im Klartext in Session-Tabelle ablegen
authorMoritz Bunkus <m.bunkus@linet-services.de>
Thu, 16 Jun 2011 08:18:16 +0000 (10:18 +0200)
committerMoritz Bunkus <m.bunkus@linet-services.de>
Thu, 16 Jun 2011 08:18:16 +0000 (10:18 +0200)
SL/Auth.pm
SL/Auth/DB.pm
SL/Auth/LDAP.pm
SL/Auth/Password.pm
SL/Dispatcher.pm
bin/mozilla/login.pl

index 784b185..3ff6a1c 100644 (file)
@@ -11,6 +11,7 @@ use YAML;
 use SL::Auth::Constants qw(:all);
 use SL::Auth::DB;
 use SL::Auth::LDAP;
+use SL::Auth::Password;
 
 use SL::SessionFile;
 use SL::User;
@@ -163,6 +164,15 @@ sub authenticate {
   return $result;
 }
 
+sub store_credentials_in_session {
+  my ($self, %params) = @_;
+
+  $params{password} = SL::Auth::Password->hash_if_unhashed(login => $params{login}, password => $params{password})
+    unless $self->{authenticator}->requires_cleartext_password;
+
+  $self->set_session_value(login => $params{login}, password => $params{password});
+}
+
 sub dbconnect {
   $main::lxdebug->enter_sub(2);
 
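Review bot: For the LDAP backend `requires_cleartext_password` returns 1 (SL/Auth/LDAP.pm in this same commit), so the `unless` on line 30 skips hashing and `store_credentials_in_session` still writes the clear-text password into the session table on that path; the commit title holds only for the DB authenticator. That is worth stating at the call site, e.g. `# LDAP (requires_cleartext_password) presumably needs the original password again, so it stays in the session in clear text; the session table must be protected accordingly.` The sub also has no explicit `return`, so callers get whatever `set_session_value` happens to return; a trailing `return;` makes the "no result" contract explicit. `authenticate` ends and `dbconnect` begins outside this hunk.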
index e70112b..66d23cd 100644 (file)
@@ -48,7 +48,7 @@ sub authenticate {
   # passwords. Hash it for easier comparison.
   $stored_password               = SL::Auth::Password->hash(password => $stored_password) unless $stored_password;
   ($algorithm, $stored_password) = SL::Auth::Password->parse($stored_password);
-  ($algorithm2, $password)       = SL::Auth::Password->parse(SL::Auth::Password->hash(password => $password, algorithm => $algorithm, login => $login));
+  ($algorithm2, $password)       = SL::Auth::Password->parse(SL::Auth::Password->hash_if_unhashed(password => $password, algorithm => $algorithm, login => $login));
 
   $main::lxdebug->leave_sub();
 
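Review bot: With `hash_if_unhashed` on line 44, `authenticate` now treats any `$password` carrying a `{ALGO}` prefix as an already computed hash and compares it directly against the stored one, and the same `$password` argument is fed from the login form in SL/Dispatcher.pm and bin/mozilla/login.pl. The stored hash thereby becomes a valid credential on its own, which the previous unconditional `hash` call did not allow, so both the auth table and the session table now hold password-equivalent data. If the pre-hashed form is only intended for the value read back from the session, let that caller say so explicitly (a separate parameter or method for hashed input) and keep hashing form input unconditionally, rather than inferring trust from the string's shape. The body of `authenticate` begins and ends outside this hunk.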
@@ -59,6 +59,10 @@ sub can_change_password {
   return 1;
 }
 
+sub requires_cleartext_password {
+  return 0;
+}
+
 sub change_password {
   $main::lxdebug->enter_sub();
 
index 70e963d..1c8c851 100644 (file)
@@ -180,6 +180,10 @@ sub can_change_password {
   return 0;
 }
 
+sub requires_cleartext_password {
+  return 1;
+}
+
 sub change_password {
   return ERR_BACKEND;
 }
index 9b0f1ae..5a17203 100644 (file)
@@ -35,11 +35,19 @@ sub hash {
   }
 }
 
+sub hash_if_unhashed {
+  my ($class, %params) = @_;
+
+  my ($algorithm, $password) = $class->parse($params{password}, 'NONE');
+
+  return $algorithm eq 'NONE' ? $class->hash(%params) : $params{password};
+}
+
 sub parse {
-  my ($class, $password) = @_;
+  my ($class, $password, $default_algorithm) = @_;
 
   return ($1, $2) if $password =~ m/^\{ ([^\}]+) \} (.+)/x;
-  return ('CRYPT', $password);
+  return ($default_algorithm || 'CRYPT', $password);
 }
 
 1;
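Review bot: `hash_if_unhashed` (line 76) decides by string shape alone, so a clear-text password that begins with `{` and contains a `}` is reported as already hashed and passed through unchanged — that user's login then fails against the stored hash, and the clear-text value is what ends up in the session. The `$password` returned by `parse` on line 79 is never read; `my ($algorithm) = $class->parse($params{password}, 'NONE');` drops the dead local. A comment above the sub such as `# Heuristic: a leading {ALGO} is taken as proof the value is already hashed; callers must only pass values whose origin they control.` would document the assumption this check depends on.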
index 76fcf6f..239cdcb 100644 (file)
@@ -202,7 +202,7 @@ sub handle_request {
 
       show_error('login/password_error', 'password') if SL::Auth::OK != $::auth->authenticate($::form->{login}, $::form->{password});
 
-      $::auth->set_session_value('login', $::form->{login}, 'password', $::form->{password});
+      $::auth->store_credentials_in_session(login => $::form->{login}, password => $::form->{password});
       $::auth->create_or_refresh_session;
       $::auth->delete_session_value('FLASH');
       delete $::form->{password};
index 03e6dd9..528c4eb 100644 (file)
@@ -69,8 +69,9 @@ sub run {
       $form->{error_message} = $::locale->text('Incorrect username or password!');
       login_screen();
     } else {
-      $auth->set_session_value('login', $form->{login}, 'password', $form->{password});
+      $auth->store_credentials_in_session(login => $form->{login}, password => $form->{password});
       $auth->create_or_refresh_session();
+      delete $form->{password};
 
       $form->{titlebar} .= " - $::myconfig{name} - $::myconfig{dbname}";
       call_sub($::locale->findsub($action));