From: Moritz Bunkus Date: Thu, 16 Jun 2011 08:27:14 +0000 (+0200) Subject: Das Admin-Passwort nicht im Klartext in Session-Tabelle ablegen X-Git-Tag: release-2.7.0beta1~394^2 X-Git-Url: http://wagnertech.de/git?a=commitdiff_plain;h=38a4efa72af13521bba89c82c1c7e6dd00644f2d;p=kivitendo-erp.git Das Admin-Passwort nicht im Klartext in Session-Tabelle ablegen
---
diff --git a/SL/Auth.pm b/SL/Auth.pm
index 3ff6a1c3b..5f3c65dd8 100644
--- a/SL/Auth.pm
+++ b/SL/Auth.pm
@@ -137,12 +137,10 @@ sub _read_auth_config {
 sub authenticate_root {
   $main::lxdebug->enter_sub();
-  my $self = shift;
-  my $password = shift;
-  my $is_crypted = shift;
+  my ($self, $password) = @_;
-  $password = crypt $password, 'ro' if (!$password || !$is_crypted);
-  my $admin_password = crypt "$self->{admin_password}", 'ro';
+  $password = SL::Auth::Password->hash_if_unhashed(login => 'root', password => $password);
+  my $admin_password = SL::Auth::Password->hash_if_unhashed(login => 'root', password => $self->{admin_password});
   $main::lxdebug->leave_sub();
@@ -173,6 +171,15 @@ sub store_credentials_in_session {
   $self->set_session_value(login => $params{login}, password => $params{password});
 }
+sub store_root_credentials_in_session {
+  my ($self, $rpw) = @_;
+  $rpw = SL::Auth::Password->hash_if_unhashed(login => 'root', password => $rpw)
+    unless $self->{authenticator}->requires_cleartext_password;
+  $self->set_session_value(rpw => $rpw);
+}
 sub dbconnect {
   $main::lxdebug->enter_sub(2);
diff --git a/bin/mozilla/admin.pl b/bin/mozilla/admin.pl
index efd16fecf..4be5e330f 100755
--- a/bin/mozilla/admin.pl
+++ b/bin/mozilla/admin.pl
@@ -73,7 +73,7 @@ sub run {
   $locale = $::locale;
   $auth = $::auth;
-  $::auth->set_session_value('rpw', $::form->{rpw}) if $session_result == SL::Auth->SESSION_OK;
+  $::auth->store_root_credentials_in_session($form->{rpw}) if $session_result == SL::Auth->SESSION_OK;
   $form->{stylesheet} = "lx-office-erp.css";
   $form->{favicon} = "favicon.ico";
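Review bot: authenticate_root now accepts a `$password` that may already be a hash, because `hash_if_unhashed` is applied to both the cleartext posted from the form and the value restored from the session; the stored session hash therefore remains a complete root credential, and the gain of this change is limited to not exposing the cleartext rather than making the session table safe to read. A comment above the first assignment would make that explicit, e.g. `# $password may already be the hash restored from the session; it is compared as-is, so the stored hash is itself a credential.` The third `$is_crypted` argument was removed from the signature, so any caller still passing it now has that argument silently ignored — fine only if every call site was updated in this commit. The comparison and return value lie below the hunk, so whether both sides are hashed with the same salt and algorithm cannot be checked here.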
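Review bot: `store_root_credentials_in_session` still writes the root password to the session in cleartext whenever `requires_cleartext_password` is true, which is exactly the case the commit title sets out to remove; since `authenticate_root` in the hunk above appears to compare against `$self->{admin_password}` locally rather than through `$self->{authenticator}`, the exemption may not be needed for the root credential at all — confirm which authenticators actually consume a cleartext `rpw`. The new method carries no documentation; a header such as `# Store the root password in the session, hashed via hash_if_unhashed unless the configured authenticator needs the cleartext.` would record the exception and its reason. It may also be worth a `return unless defined $rpw;` guard ahead of the hashing so an absent form value does not overwrite a previously stored credential, though how `hash_if_unhashed` treats undef is not visible here.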
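Review bot: The new call mixes `$::auth` with `$form` on the line immediately after `$auth = $::auth;` is assigned; for consistency with the surrounding code write `$auth->store_root_credentials_in_session($form->{rpw}) if $session_result == SL::Auth->SESSION_OK;`. This line also persists whatever `rpw` arrived in the form into the session on every request with a valid session, before `authenticate_root` has verified it (the verification sits in the later hunk of `run`, which deletes the value again on failure); storing only after a successful check would avoid briefly persisting an unverified value. `run` continues outside the hunk.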
@@ -81,11 +81,12 @@ sub run {
   if ($form->{action}) {
     if ($auth->authenticate_root($form->{rpw}) != $auth->OK()) {
       $form->{error_message} = $locale->text('Incorrect Password!');
+      $auth->delete_session_value('rpw');
       adminlogin();
     } else {
       if ($auth->session_tables_present()) {
-        $::auth->set_session_value('rpw', $::form->{rpw});
-        $::auth->create_or_refresh_session();
+        $::auth->store_root_credentials_in_session($::form->{rpw});
+        delete $::form->{rpw};
         _apply_dbupgrade_scripts();
       }