From d0c2cfbef2bfa708dad6df15c76daa81d4fda3ab Mon Sep 17 00:00:00 2001
From: Moritz Bunkus
Date: Thu, 16 Jun 2011 10:18:16 +0200
Subject: [PATCH] Das Benutzer-Passwort nicht im Klartext in Session-Tabelle ablegen
---
 SL/Auth.pm | 10 ++++++++++
 SL/Auth/DB.pm | 6 +++++-
 SL/Auth/LDAP.pm | 4 ++++
 SL/Auth/Password.pm | 12 ++++++++++--
 SL/Dispatcher.pm | 2 +-
 bin/mozilla/login.pl | 3 ++-
 6 files changed, 32 insertions(+), 5 deletions(-)
diff --git a/SL/Auth.pm b/SL/Auth.pm
index 784b185b4..3ff6a1c3b 100644
--- a/SL/Auth.pm
+++ b/SL/Auth.pm
@@ -11,6 +11,7 @@ use YAML;
 use SL::Auth::Constants qw(:all);
 use SL::Auth::DB;
 use SL::Auth::LDAP;
+use SL::Auth::Password;
 use SL::SessionFile;
 use SL::User;
@@ -163,6 +164,15 @@ sub authenticate {
 return $result;
 }
+sub store_credentials_in_session {
+ my ($self, %params) = @_;
+ $params{password} = SL::Auth::Password->hash_if_unhashed(login => $params{login}, password => $params{password})
+ unless $self->{authenticator}->requires_cleartext_password;
+ $self->set_session_value(login => $params{login}, password => $params{password});
+}
+
 sub dbconnect {
 $main::lxdebug->enter_sub(2);
diff --git a/SL/Auth/DB.pm b/SL/Auth/DB.pm
index e70112be1..66d23cd27 100644
--- a/SL/Auth/DB.pm
+++ b/SL/Auth/DB.pm
@@ -48,7 +48,7 @@ sub authenticate {
 # passwords. Hash it for easier comparison.
 $stored_password = SL::Auth::Password->hash(password => $stored_password) unless $stored_password;
 ($algorithm, $stored_password) = SL::Auth::Password->parse($stored_password);
- ($algorithm2, $password) = SL::Auth::Password->parse(SL::Auth::Password->hash(password => $password, algorithm => $algorithm, login => $login));
+ ($algorithm2, $password) = SL::Auth::Password->parse(SL::Auth::Password->hash_if_unhashed(password => $password, algorithm => $algorithm, login => $login));
 $main::lxdebug->leave_sub();
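Review bot: `store_credentials_in_session` hashes the password with whatever algorithm `SL::Auth::Password->hash` picks by default, because the `hash_if_unhashed` call passes only `login` and `password`, while `SL::Auth::DB::authenticate` in this same commit derives the algorithm from the stored hash; if those two defaults ever differ, the session copy carries a different `{ALGO}` prefix than the stored one, and whether `authenticate` then still accepts it depends on comparison lines outside the DB.pm hunk. The new sub also says nothing about its contract; suggest a comment above it: `# Store login/password for later requests. Backends that can verify a hash (DB) get the password hashed first so the session table never holds it in cleartext; backends that answer true to requires_cleartext_password (LDAP) get it as typed.` It has no explicit `return`, so callers receive whatever `set_session_value` returns; end it with `return;`.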
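Review bot: Replacing `hash` with `hash_if_unhashed` on the `$password` argument makes `authenticate` accept an already-hashed value from any caller, yet the same argument still receives the cleartext typed into the login form (SL/Dispatcher.pm and bin/mozilla/login.pl in this commit). `hash_if_unhashed` in SL/Auth/Password.pm decides purely on the `{ALGO}` prefix syntax, so a submitted string of that shape is compared against the stored hash as-is: knowledge of a user's stored hash then suffices to authenticate, and a legitimate cleartext password that happens to begin with `{x}` can no longer log in. The "already hashed" decision must come from the caller's trust context rather than from the string, e.g. keep the unconditional `SL::Auth::Password->hash(...)` here for form logins and apply `hash_if_unhashed` only to the value read back from the session, which means `authenticate` has to be told which case it is (a third argument or a separate entry point). The rest of `authenticate`, including the comparison of `$algorithm`/`$algorithm2` and the two hashes, is outside the hunk.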
@@ -59,6 +59,10 @@ sub can_change_password {
 return 1;
 }
+sub requires_cleartext_password {
+ return 0;
+}
+
 sub change_password {
 $main::lxdebug->enter_sub();
diff --git a/SL/Auth/LDAP.pm b/SL/Auth/LDAP.pm
index 70e963d47..1c8c85161 100644
--- a/SL/Auth/LDAP.pm
+++ b/SL/Auth/LDAP.pm
@@ -180,6 +180,10 @@ sub can_change_password {
 return 0;
 }
+sub requires_cleartext_password {
+ return 1;
+}
+
 sub change_password {
 return ERR_BACKEND;
 }
diff --git a/SL/Auth/Password.pm b/SL/Auth/Password.pm
index 9b0f1aec7..5a17203c5 100644
--- a/SL/Auth/Password.pm
+++ b/SL/Auth/Password.pm
@@ -35,11 +35,19 @@ sub hash {
 }
 }
+sub hash_if_unhashed {
+ my ($class, %params) = @_;
+ my ($algorithm, $password) = $class->parse($params{password}, 'NONE');
+ return $algorithm eq 'NONE' ? $class->hash(%params) : $params{password};
+}
+
 sub parse {
- my ($class, $password) = @_;
+ my ($class, $password, $default_algorithm) = @_;
 return ($1, $2) if $password =~ m/^\{ ([^\}]+) \} (.+)/x;
- return ('CRYPT', $password);
+ return ($default_algorithm || 'CRYPT', $password);
 }
 1;
diff --git a/SL/Dispatcher.pm b/SL/Dispatcher.pm
index 76fcf6fb7..239cdcb96 100644
--- a/SL/Dispatcher.pm
+++ b/SL/Dispatcher.pm
@@ -202,7 +202,7 @@ sub handle_request {
 show_error('login/password_error', 'password') if SL::Auth::OK != $::auth->authenticate($::form->{login}, $::form->{password});
- $::auth->set_session_value('login', $::form->{login}, 'password', $::form->{password});
+ $::auth->store_credentials_in_session(login => $::form->{login}, password => $::form->{password});
 $::auth->create_or_refresh_session;
 $::auth->delete_session_value('FLASH');
 delete $::form->{password};
diff --git a/bin/mozilla/login.pl b/bin/mozilla/login.pl
index 03e6dd947..528c4eb4b 100644
--- a/bin/mozilla/login.pl
+++ b/bin/mozilla/login.pl
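Review bot: `requires_cleartext_password` returning 1 means that on LDAP-backed installations the commit's stated goal — no cleartext password in the session table — is not met, since `store_credentials_in_session` in SL/Auth.pm stores the password exactly as typed whenever this method is true. That is presumably unavoidable because the LDAP bind on later requests needs the cleartext, but nothing in the code records the trade-off, and an operator reading the commit title would assume otherwise. Suggest a comment above the sub: `# LDAP re-binds with the user's password on every request, so the session must keep the cleartext; with this backend the session table is as sensitive as the passwords themselves.`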
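Review bot: `hash_if_unhashed` and its `parse` call repeat the bare sentinel `'NONE'`, and `parse` also treats it as an ordinary algorithm name: a value literally prefixed `{NONE}` comes back as algorithm `NONE`, so `hash_if_unhashed` then hashes the whole `{NONE}…` string including its prefix rather than unwrapping or rejecting it. Suggest `use constant UNHASHED => 'NONE';` used in both places, so the sentinel has one definition. The sub should also state what its check is, since callers may read more into the name: `# Treat the value as already hashed iff it carries a {ALGO} prefix; this is a syntactic test only and verifies neither the hash nor where the value came from.`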
@@ -69,8 +69,9 @@ sub run {
 $form->{error_message} = $::locale->text('Incorrect username or password!');
 login_screen();
 } else {
- $auth->set_session_value('login', $form->{login}, 'password', $form->{password});
+ $auth->store_credentials_in_session(login => $form->{login}, password => $form->{password});
 $auth->create_or_refresh_session();
+ delete $form->{password};
 $form->{titlebar} .= " - $::myconfig{name} - $::myconfig{dbname}";
 call_sub($::locale->findsub($action));
-- 
2.20.1
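Review bot: The new `delete $form->{password};` runs only in the success branch; in the failure branch above it `$form->{password}` is still present when `login_screen()` is called, so if that sub hands `$form` to the template or a log, the rejected password travels with it (`login_screen` is outside this hunk, so this is inferred from the visible flow). The Dispatcher.pm hunk in the same commit appears to have the same shape around `show_error`. Dropping the key once before the branch covers both paths: move `delete $form->{password};` to just after the `authenticate` call that consumed it, ahead of the `if`. The enclosing `run` starts outside the hunk.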