import reactos.org directory Added: trunk/web/reactos.org/ Added: trunk/web/reactos.org/htdocs/ Added: trunk/web/reactos.org/htdocs/bugzilla/ Added: trunk/web/reactos.org/htdocs/bugzilla/.htaccess Added: trunk/web/reactos.org/htdocs/bugzilla/1x1.gif Added: trunk/web/reactos.org/htdocs/bugzilla/Bugzilla/ Added: trunk/web/reactos.org/htdocs/bugzilla/Bugzilla/.cvsignore Added: trunk/web/reactos.org/htdocs/bugzilla/Bugzilla/.htaccess Added: trunk/web/reactos.org/htdocs/bugzilla/Bugzilla/Attachment.pm Added: trunk/web/reactos.org/htdocs/bugzilla/Bugzilla/Auth/ Added: trunk/web/reactos.org/htdocs/bugzilla/Bugzilla/Auth/CGI.pm Added: trunk/web/reactos.org/htdocs/bugzilla/Bugzilla/Auth/Cookie.pm Added: trunk/web/reactos.org/htdocs/bugzilla/Bugzilla/Auth/DB.pm Added: trunk/web/reactos.org/htdocs/bugzilla/Bugzilla/Auth/LDAP.pm Added: trunk/web/reactos.org/htdocs/bugzilla/Bugzilla/Auth/ROSCMS.pm Added: trunk/web/reactos.org/htdocs/bugzilla/Bugzilla/Auth.pm Added: trunk/web/reactos.org/htdocs/bugzilla/Bugzilla/Bug.pm Added: trunk/web/reactos.org/htdocs/bugzilla/Bugzilla/BugMail.pm Added: trunk/web/reactos.org/htdocs/bugzilla/Bugzilla/CGI.pm Added: trunk/web/reactos.org/htdocs/bugzilla/Bugzilla/Chart.pm Added: trunk/web/reactos.org/htdocs/bugzilla/Bugzilla/Config.pm Added: trunk/web/reactos.org/htdocs/bugzilla/Bugzilla/Constants.pm Added: trunk/web/reactos.org/htdocs/bugzilla/Bugzilla/DB.pm Added: trunk/web/reactos.org/htdocs/bugzilla/Bugzilla/Error.pm Added: trunk/web/reactos.org/htdocs/bugzilla/Bugzilla/Flag.pm Added: trunk/web/reactos.org/htdocs/bugzilla/Bugzilla/FlagType.pm Added: trunk/web/reactos.org/htdocs/bugzilla/Bugzilla/RelationSet.pm Added: trunk/web/reactos.org/htdocs/bugzilla/Bugzilla/Search.pm Added: trunk/web/reactos.org/htdocs/bugzilla/Bugzilla/Series.pm Added: trunk/web/reactos.org/htdocs/bugzilla/Bugzilla/Template/ Added: trunk/web/reactos.org/htdocs/bugzilla/Bugzilla/Template/Plugin/ Added: trunk/web/reactos.org/htdocs/bugzilla/Bugzilla/Template/Plugin/Bugzilla. pm Added: trunk/web/reactos.org/htdocs/bugzilla/Bugzilla/Template/Plugin/Hook.pm Added: trunk/web/reactos.org/htdocs/bugzilla/Bugzilla/Template.pm Added: trunk/web/reactos.org/htdocs/bugzilla/Bugzilla/Token.pm Added: trunk/web/reactos.org/htdocs/bugzilla/Bugzilla/User.pm Added: trunk/web/reactos.org/htdocs/bugzilla/Bugzilla/Util.pm Added: trunk/web/reactos.org/htdocs/bugzilla/Bugzilla.pm Added: trunk/web/reactos.org/htdocs/bugzilla/CGI.pl Added: trunk/web/reactos.org/htdocs/bugzilla/QUICKSTART Added: trunk/web/reactos.org/htdocs/bugzilla/README Added: trunk/web/reactos.org/htdocs/bugzilla/UPGRADING Added: trunk/web/reactos.org/htdocs/bugzilla/UPGRADING-pre-2.8 Added: trunk/web/reactos.org/htdocs/bugzilla/ant.jpg Added: trunk/web/reactos.org/htdocs/bugzilla/attachment.cgi Added: trunk/web/reactos.org/htdocs/bugzilla/buglist.cgi Added: trunk/web/reactos.org/htdocs/bugzilla/bugzilla.dtd Added: trunk/web/reactos.org/htdocs/bugzilla/chart.cgi Added: trunk/web/reactos.org/htdocs/bugzilla/checksetup.pl Added: trunk/web/reactos.org/htdocs/bugzilla/colchange.cgi Added: trunk/web/reactos.org/htdocs/bugzilla/collectstats.pl Added: trunk/web/reactos.org/htdocs/bugzilla/config.cgi Added: trunk/web/reactos.org/htdocs/bugzilla/contrib/ Added: trunk/web/reactos.org/htdocs/bugzilla/contrib/BugzillaEmail.pm Added: trunk/web/reactos.org/htdocs/bugzilla/contrib/README Added: trunk/web/reactos.org/htdocs/bugzilla/contrib/README.Mailif Added: trunk/web/reactos.org/htdocs/bugzilla/contrib/bug_email.pl Added: trunk/web/reactos.org/htdocs/bugzilla/contrib/bugmail_help.html Added: trunk/web/reactos.org/htdocs/bugzilla/contrib/bugzilla-submit/ Added: trunk/web/reactos.org/htdocs/bugzilla/contrib/bugzilla-submit/README Added: trunk/web/reactos.org/htdocs/bugzilla/contrib/bugzilla-submit/bugdata.tx t Added: trunk/web/reactos.org/htdocs/bugzilla/contrib/bugzilla-submit/bugzilla-s ubmit Added: trunk/web/reactos.org/htdocs/bugzilla/contrib/bugzilla-submit/bugzilla-s ubmit.xml Added: trunk/web/reactos.org/htdocs/bugzilla/contrib/bugzilla.procmailrc Added: trunk/web/reactos.org/htdocs/bugzilla/contrib/bugzilla_email_append.pl Added: trunk/web/reactos.org/htdocs/bugzilla/contrib/bugzilla_ldapsync.rb Added: trunk/web/reactos.org/htdocs/bugzilla/contrib/cmdline/ Added: trunk/web/reactos.org/htdocs/bugzilla/contrib/cmdline/bugcount Added: trunk/web/reactos.org/htdocs/bugzilla/contrib/cmdline/bugids Added: trunk/web/reactos.org/htdocs/bugzilla/contrib/cmdline/buglist Added: trunk/web/reactos.org/htdocs/bugzilla/contrib/cmdline/bugs Added: trunk/web/reactos.org/htdocs/bugzilla/contrib/cmdline/bugslink Added: trunk/web/reactos.org/htdocs/bugzilla/contrib/cmdline/makequery Added: trunk/web/reactos.org/htdocs/bugzilla/contrib/cmdline/query.conf Added: trunk/web/reactos.org/htdocs/bugzilla/contrib/cvs-update.pl Added: trunk/web/reactos.org/htdocs/bugzilla/contrib/gnats2bz.pl Added: trunk/web/reactos.org/htdocs/bugzilla/contrib/gnatsparse/ Added: trunk/web/reactos.org/htdocs/bugzilla/contrib/gnatsparse/README Added: trunk/web/reactos.org/htdocs/bugzilla/contrib/gnatsparse/gnatsparse.py Added: trunk/web/reactos.org/htdocs/bugzilla/contrib/gnatsparse/magic.py Added: trunk/web/reactos.org/htdocs/bugzilla/contrib/gnatsparse/specialuu.py Added: trunk/web/reactos.org/htdocs/bugzilla/contrib/jb2bz.py Added: trunk/web/reactos.org/htdocs/bugzilla/contrib/mysqld-watcher.pl Added: trunk/web/reactos.org/htdocs/bugzilla/contrib/sendbugmail.pl Added: trunk/web/reactos.org/htdocs/bugzilla/contrib/sendunsentbugmail.pl Added: trunk/web/reactos.org/htdocs/bugzilla/contrib/syncLDAP.pl Added: trunk/web/reactos.org/htdocs/bugzilla/contrib/yp_nomail.sh Added: trunk/web/reactos.org/htdocs/bugzilla/createaccount.cgi Added: trunk/web/reactos.org/htdocs/bugzilla/css/ Added: trunk/web/reactos.org/htdocs/bugzilla/css/buglist.css Added: trunk/web/reactos.org/htdocs/bugzilla/css/duplicates.css Added: trunk/web/reactos.org/htdocs/bugzilla/css/global.css Added: trunk/web/reactos.org/htdocs/bugzilla/css/panel.css Added: trunk/web/reactos.org/htdocs/bugzilla/css/show_multiple.css Added: trunk/web/reactos.org/htdocs/bugzilla/data/ Added: trunk/web/reactos.org/htdocs/bugzilla/data/.htaccess Added: trunk/web/reactos.org/htdocs/bugzilla/data/duplicates/ Added: trunk/web/reactos.org/htdocs/bugzilla/data/mail Added: trunk/web/reactos.org/htdocs/bugzilla/data/mimedump-tmp/ Added: trunk/web/reactos.org/htdocs/bugzilla/data/mining/ [truncated at 100 lines; 2844 more skipped] _____
Added: trunk/web/reactos.org/htdocs/bugzilla/.htaccess --- trunk/web/reactos.org/htdocs/bugzilla/.htaccess 2006-01-27 22:04:21 UTC (rev 3) +++ trunk/web/reactos.org/htdocs/bugzilla/.htaccess 2006-01-27 22:10:19 UTC (rev 4) @@ -0,0 +1,7 @@
+# don't allow people to retrieve non-cgi executable files or our private data +<FilesMatch ^(.*.pl|.*localconfig.*|runtests.sh)$> + deny from all +</FilesMatch> +<FilesMatch ^(localconfig.js|localconfig.rdf)$> + allow from all +</FilesMatch> _____
Added: trunk/web/reactos.org/htdocs/bugzilla/1x1.gif (Binary files differ) Property changes on: trunk/web/reactos.org/htdocs/bugzilla/1x1.gif ___________________________________________________________________ Name: svn:mime-type + application/octet-stream _____
Added: trunk/web/reactos.org/htdocs/bugzilla/Bugzilla/.cvsignore --- trunk/web/reactos.org/htdocs/bugzilla/Bugzilla/.cvsignore 2006-01-27 22:04:21 UTC (rev 3) +++ trunk/web/reactos.org/htdocs/bugzilla/Bugzilla/.cvsignore 2006-01-27 22:10:19 UTC (rev 4) @@ -0,0 +1 @@
+.htaccess _____
Added: trunk/web/reactos.org/htdocs/bugzilla/Bugzilla/.htaccess --- trunk/web/reactos.org/htdocs/bugzilla/Bugzilla/.htaccess 2006-01-27 22:04:21 UTC (rev 3) +++ trunk/web/reactos.org/htdocs/bugzilla/Bugzilla/.htaccess 2006-01-27 22:10:19 UTC (rev 4) @@ -0,0 +1,3 @@
+# nothing in this directory is retrievable unless overriden by an .htaccess +# in a subdirectory +deny from all _____
Added: trunk/web/reactos.org/htdocs/bugzilla/Bugzilla/Attachment.pm --- trunk/web/reactos.org/htdocs/bugzilla/Bugzilla/Attachment.pm 2006-01-27 22:04:21 UTC (rev 3) +++ trunk/web/reactos.org/htdocs/bugzilla/Bugzilla/Attachment.pm 2006-01-27 22:10:19 UTC (rev 4) @@ -0,0 +1,108 @@
+# -*- Mode: perl; indent-tabs-mode: nil -*- +# +# The contents of this file are subject to the Mozilla Public +# License Version 1.1 (the "License"); you may not use this file +# except in compliance with the License. You may obtain a copy of +# the License at http://www.mozilla.org/MPL/ +# +# Software distributed under the License is distributed on an "AS +# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or +# implied. See the License for the specific language governing +# rights and limitations under the License. +# +# The Original Code is the Bugzilla Bug Tracking System. +# +# The Initial Developer of the Original Code is Netscape Communications +# Corporation. Portions created by Netscape are +# Copyright (C) 1998 Netscape Communications Corporation. All +# Rights Reserved. +# +# Contributor(s): Terry Weissman terry@mozilla.org +# Myk Melez myk@mozilla.org + +####################################################################### ##### +# Module Initialization +####################################################################### ##### + +use strict; + +package Bugzilla::Attachment; + +# This module requires that its caller have said "require CGI.pl" to import +# relevant functions from that script and its companion globals.pl. + +# Use the Flag module to handle flags. +use Bugzilla::Flag; + +####################################################################### ##### +# Functions +####################################################################### ##### + +sub new { + # Returns a hash of information about the attachment with the given ID. + + my ($invocant, $id) = @_; + return undef if !$id; + my $self = { 'id' => $id }; + my $class = ref($invocant) || $invocant; + bless($self, $class); + + &::PushGlobalSQLState(); + &::SendSQL("SELECT 1, description, bug_id, isprivate FROM attachments " . + "WHERE attach_id = $id"); + ($self->{'exists'}, + $self->{'summary'}, + $self->{'bug_id'}, + $self->{'isprivate'}) = &::FetchSQLData(); + &::PopGlobalSQLState(); + + return $self; +} + +sub query +{ + # Retrieves and returns an array of attachment records for a given bug. + # This data should be given to attachment/list.atml in an + # "attachments" variable. + my ($bugid) = @_; + + my $in_editbugs = &::UserInGroup("editbugs"); + &::SendSQL("SELECT product_id + FROM bugs + WHERE bug_id = $bugid"); + my $productid = &::FetchOneColumn(); + my $caneditproduct = &::CanEditProductId($productid); + + # Retrieve a list of attachments for this bug and write them into an array + # of hashes in which each hash represents a single attachment. + &::SendSQL(" + SELECT attach_id, DATE_FORMAT(creation_ts, '%Y.%m.%d %H:%i'), + mimetype, description, ispatch, isobsolete, isprivate, + submitter_id, LENGTH(thedata) + FROM attachments WHERE bug_id = $bugid ORDER BY attach_id + "); + my @attachments = (); + while (&::MoreSQLData()) { + my %a; + my $submitter_id; + ($a{'attachid'}, $a{'date'}, $a{'contenttype'}, $a{'description'}, + $a{'ispatch'}, $a{'isobsolete'}, $a{'isprivate'}, $submitter_id, + $a{'datasize'}) = &::FetchSQLData(); + + # Retrieve a list of flags for this attachment. + $a{'flags'} = Bugzilla::Flag::match({ 'attach_id' => $a{'attachid'}, + 'is_active' => 1 }); + + # We will display the edit link if the user can edit the attachment; + # ie the are the submitter, or they have canedit. + # Also show the link if the user is not logged in - in that cae, + # They'll be prompted later + $a{'canedit'} = ($::userid == 0 || (($submitter_id == $::userid || + $in_editbugs) && $caneditproduct)); + push @attachments, %a; + } + + return @attachments; +} + +1; _____
Added: trunk/web/reactos.org/htdocs/bugzilla/Bugzilla/Auth/CGI.pm --- trunk/web/reactos.org/htdocs/bugzilla/Bugzilla/Auth/CGI.pm 2006-01-27 22:04:21 UTC (rev 3) +++ trunk/web/reactos.org/htdocs/bugzilla/Bugzilla/Auth/CGI.pm 2006-01-27 22:10:19 UTC (rev 4) @@ -0,0 +1,247 @@
+# -*- Mode: perl; indent-tabs-mode: nil -*- +# +# The contents of this file are subject to the Mozilla Public +# License Version 1.1 (the "License"); you may not use this file +# except in compliance with the License. You may obtain a copy of +# the License at http://www.mozilla.org/MPL/ +# +# Software distributed under the License is distributed on an "AS +# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or +# implied. See the License for the specific language governing +# rights and limitations under the License. +# +# The Original Code is the Bugzilla Bug Tracking System. +# +# The Initial Developer of the Original Code is Netscape Communications +# Corporation. Portions created by Netscape are +# Copyright (C) 1998 Netscape Communications Corporation. All +# Rights Reserved. +# +# Contributor(s): Terry Weissman terry@mozilla.org +# Dan Mosedale dmose@mozilla.org +# Joe Robins jmrobins@tgix.com +# Dave Miller justdave@syndicomm.com +# Christopher Aillon christopher@aillon.com +# Gervase Markham gerv@gerv.net +# Christian Reis kiko@async.com.br +# Bradley Baetz bbaetz@acm.org + +package Bugzilla::Auth::CGI; + +use strict; + +use Bugzilla::Config; +use Bugzilla::Constants; +use Bugzilla::Error; +use Bugzilla::Util; + +sub login { + my ($class, $type) = @_; + + # 'NORMAL' logins depend on the 'requirelogin' param + if ($type == LOGIN_NORMAL) { + $type = Param('requirelogin') ? LOGIN_REQUIRED : LOGIN_OPTIONAL; + } + + my $cgi = Bugzilla->cgi; + + # First, try the actual login method against form variables + my $username = $cgi->param("Bugzilla_login"); + my $passwd = $cgi->param("Bugzilla_password"); + + $cgi->delete('Bugzilla_login', 'Bugzilla_password'); + + my $authmethod = Param("loginmethod"); + my ($authres, $userid, $extra, $info) = + Bugzilla::Auth->authenticate($username, $passwd); + + if ($authres == AUTH_OK) { + # Login via username/password was correct and valid, so create + # and send out the login cookies + my $ipaddr = $cgi->remote_addr; + unless ($cgi->param('Bugzilla_restrictlogin') || + Param('loginnetmask') == 32) { + $ipaddr = Bugzilla::Auth::get_netaddr($ipaddr); + } + + # The IP address is valid, at least for comparing with itself in a + # subsequent login + trick_taint($ipaddr); + + my $dbh = Bugzilla->dbh; + $dbh->do("INSERT INTO logincookies (userid, ipaddr) VALUES (?, ?)", + undef, + $userid, $ipaddr); + my $logincookie = $dbh->selectrow_array("SELECT LAST_INSERT_ID()"); + + # Remember cookie only if admin has told so + # or admin didn't forbid it and user told to remember. + if ((Param('rememberlogin') eq 'on') || + ((Param('rememberlogin') ne 'off') && + ($cgi->param('Bugzilla_remember') eq 'on'))) { + $cgi->send_cookie(-name => 'Bugzilla_login', + -value => $userid, + -expires => 'Fri, 01-Jan-2038 00:00:00 GMT'); + $cgi->send_cookie(-name => 'Bugzilla_logincookie', + -value => $logincookie, + -expires => 'Fri, 01-Jan-2038 00:00:00 GMT'); + + } + else { + $cgi->send_cookie(-name => 'Bugzilla_login', + -value => $userid); + $cgi->send_cookie(-name => 'Bugzilla_logincookie', + -value => $logincookie); + + } + } + elsif ($authres == AUTH_NODATA) { + # No data from the form, so try to login via cookies + $username = $cgi->cookie("Bugzilla_login"); + $passwd = $cgi->cookie("Bugzilla_logincookie"); + + require Bugzilla::Auth::Cookie; + my $authmethod = "Cookie"; + + ($authres, $userid, $extra) = + Bugzilla::Auth::Cookie->authenticate($username, $passwd); + + # If the data for the cookie was incorrect, then treat that as + # NODATA. This could occur if the user's IP changed, for example. + # Give them un-loggedin access if allowed (checked below) + $authres = AUTH_NODATA if $authres == AUTH_LOGINFAILED; + } + + # Now check the result + + # An error may have occurred with the login mechanism + if ($authres == AUTH_ERROR) { + ThrowCodeError("auth_err", + { authmethod => lc($authmethod), + userid => $userid, + auth_err_tag => $extra, + info => $info + }); + } + + # We can load the page if the login was ok, or there was no data + # but a login wasn't required + if ($authres == AUTH_OK || + ($authres == AUTH_NODATA && $type == LOGIN_OPTIONAL)) { + + # login succeded, so we're done + return $userid; + } + + # No login details were given, but we require a login if the + # page does + if ($authres == AUTH_NODATA && $type == LOGIN_REQUIRED) { + # Throw up the login page + + print Bugzilla->cgi->header(); + + my $template = Bugzilla->template; + $template->process("account/auth/login.html.tmpl", + { 'target' => $cgi->url(-relative=>1), + 'form' => %::FORM, + 'mform' => %::MFORM, + 'caneditaccount' => Bugzilla::Auth->can_edit, + } + ) + || ThrowTemplateError($template->error()); + + # This seems like as good as time as any to get rid of old + # crufty junk in the logincookies table. Get rid of any entry + # that hasn't been used in a month. + Bugzilla->dbh->do("DELETE FROM logincookies " . + "WHERE TO_DAYS(NOW()) - TO_DAYS(lastused) > 30"); + + exit; + } + + # The username/password may be wrong + # Don't let the user know whether the username exists or whether + # the password was just wrong. (This makes it harder for a cracker + # to find account names by brute force) + if ($authres == AUTH_LOGINFAILED) { + ThrowUserError("invalid_username_or_password"); + } + + # The account may be disabled + if ($authres == AUTH_DISABLED) { + clear_browser_cookies(); + # and throw a user error + ThrowUserError("account_disabled", + {'disabled_reason' => $extra}); + } + + # If we get here, then we've run out of options, which shouldn't happen + ThrowCodeError("authres_unhandled", { authres => $authres, + type => $type, }); +} + +# Logs user out, according to the option provided; this consists of +# removing entries from logincookies for the specified $user. +sub logout { + my ($class, $user, $option) = @_; + my $dbh = Bugzilla->dbh; + $option = LOGOUT_ALL unless defined $option; + + if ($option == LOGOUT_ALL) { + $dbh->do("DELETE FROM logincookies WHERE userid = ?", + undef, $user->id); + return; + } + + # The LOGOUT_*_CURRENT options require a cookie + my $cookie = Bugzilla->cgi->cookie("Bugzilla_logincookie"); + detaint_natural($cookie); + + # These queries use both the cookie ID and the user ID as keys. Even + # though we know the userid must match, we still check it in the SQL + # as a sanity check, since there is no locking here, and if the user + # logged out from two machines simultaneously, while someone else + # logged in and got the same cookie, we could be logging the other + # user out here. Yes, this is very very very unlikely, but why take + # chances? - bbaetz + if ($option == LOGOUT_KEEP_CURRENT) { + $dbh->do("DELETE FROM logincookies WHERE cookie != ? AND userid = ?", + undef, $cookie, $user->id); + } elsif ($option == LOGOUT_CURRENT) { + $dbh->do("DELETE FROM logincookies WHERE cookie = ? AND userid = ?", + undef, $cookie, $user->id); + } else { + die("Invalid option $option supplied to logout()"); + } +} + +sub clear_browser_cookies { + my $cgi = Bugzilla->cgi; + $cgi->remove_cookie('Bugzilla_login'); + $cgi->remove_cookie('Bugzilla_logincookie'); +} + +1; + +__END__ + +=head1 NAME + +Bugzilla::Auth::CGI - CGI-based logins for Bugzilla + +=head1 SUMMARY + +This is a L<login module|Bugzilla::Auth/"LOGIN"> for Bugzilla. Users connecting +from a CGI script use this module to authenticate. Logouts are also handled here. + +=head1 BEHAVIOUR + +Users are first authenticated against the default authentication handler, +using the CGI parameters I<Bugzilla_login> and I<Bugzilla_password>. + +If no data is present for that, then cookies are tried, using +LBugzilla::Auth::Cookie. + +=head1 SEE ALSO + +LBugzilla::Auth _____
Added: trunk/web/reactos.org/htdocs/bugzilla/Bugzilla/Auth/Cookie.pm --- trunk/web/reactos.org/htdocs/bugzilla/Bugzilla/Auth/Cookie.pm 2006-01-27 22:04:21 UTC (rev 3) +++ trunk/web/reactos.org/htdocs/bugzilla/Bugzilla/Auth/Cookie.pm 2006-01-27 22:10:19 UTC (rev 4) @@ -0,0 +1,113 @@
+# -*- Mode: perl; indent-tabs-mode: nil -*- +# +# The contents of this file are subject to the Mozilla Public +# License Version 1.1 (the "License"); you may not use this file +# except in compliance with the License. You may obtain a copy of +# the License at http://www.mozilla.org/MPL/ +# +# Software distributed under the License is distributed on an "AS +# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or +# implied. See the License for the specific language governing +# rights and limitations under the License. +# +# The Original Code is the Bugzilla Bug Tracking System. +# +# The Initial Developer of the Original Code is Netscape Communications +# Corporation. Portions created by Netscape are +# Copyright (C) 1998 Netscape Communications Corporation. All +# Rights Reserved. +# +# Contributor(s): Terry Weissman terry@mozilla.org +# Dan Mosedale dmose@mozilla.org +# Joe Robins jmrobins@tgix.com +# Dave Miller justdave@syndicomm.com +# Christopher Aillon christopher@aillon.com +# Gervase Markham gerv@gerv.net +# Christian Reis kiko@async.com.br +# Bradley Baetz bbaetz@acm.org + +package Bugzilla::Auth::Cookie; + +use strict; + +use Bugzilla::Auth; +use Bugzilla::Config; +use Bugzilla::Constants; +use Bugzilla::Util; + +sub authenticate { + my ($class, $login, $login_cookie) = @_; + + return (AUTH_NODATA) unless defined $login && defined $login_cookie; + + my $cgi = Bugzilla->cgi; + + my $ipaddr = $cgi->remote_addr(); + my $netaddr = Bugzilla::Auth::get_netaddr($ipaddr); + + # Anything goes for these params - they're just strings which + # we're going to verify against the db + trick_taint($login); + trick_taint($login_cookie); + trick_taint($ipaddr); + + my $query = "SELECT profiles.userid, profiles.disabledtext " . + "FROM logincookies, profiles " . + "WHERE logincookies.cookie=? AND " . + " logincookies.userid=profiles.userid AND " . + " logincookies.userid=? AND " . + " (logincookies.ipaddr=?"; + my @params = ($login_cookie, $login, $ipaddr); + if (defined $netaddr) { + trick_taint($netaddr); + $query .= " OR logincookies.ipaddr=?"; + push(@params, $netaddr); + } + $query .= ")"; + + my $dbh = Bugzilla->dbh; + my ($userid, $disabledtext) = $dbh->selectrow_array($query, undef, @params); + + return (AUTH_DISABLED, $userid, $disabledtext) + if ($disabledtext); + + if ($userid) { + # If we logged in successfully, then update the lastused time on the + # login cookie + $dbh->do("UPDATE logincookies SET lastused=NULL WHERE cookie=?", + undef, + $login_cookie); + + return (AUTH_OK, $userid); + } + + # If we get here, then the login failed. + return (AUTH_LOGINFAILED); +} + +1; + +__END__ + +=head1 NAME + +Bugzilla::Cookie - cookie authentication for Bugzilla + +=head1 SUMMARY + +This is an L<authentication module|Bugzilla::Auth/"AUTHENTICATION"> for +Bugzilla, which logs the user in using a persistent cookie stored in the +C<logincookies> table. + +The actual password is not stored in the cookie; only the userid and a +I<logincookie> (which is used to reverify the login without requiring the +password to be sent over the network) are. These I<logincookies> are +restricted to certain IP addresses as a security meaure. The exact +restriction can be specified by the admin via the C<loginnetmask> parameter. + +This module does not ever send a cookie (It has no way of knowing when a user +is successfully logged in). Instead LBugzilla::Auth::CGI handles this. + +=head1 SEE ALSO + +LBugzilla::Auth, LBugzilla::Auth::CGI _____
Added: trunk/web/reactos.org/htdocs/bugzilla/Bugzilla/Auth/DB.pm --- trunk/web/reactos.org/htdocs/bugzilla/Bugzilla/Auth/DB.pm 2006-01-27 22:04:21 UTC (rev 3) +++ trunk/web/reactos.org/htdocs/bugzilla/Bugzilla/Auth/DB.pm 2006-01-27 22:10:19 UTC (rev 4) @@ -0,0 +1,124 @@
+# -*- Mode: perl; indent-tabs-mode: nil -*- +# +# The contents of this file are subject to the Mozilla Public +# License Version 1.1 (the "License"); you may not use this file +# except in compliance with the License. You may obtain a copy of +# the License at http://www.mozilla.org/MPL/ +# +# Software distributed under the License is distributed on an "AS +# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or +# implied. See the License for the specific language governing +# rights and limitations under the License. +# +# The Original Code is the Bugzilla Bug Tracking System. +# +# The Initial Developer of the Original Code is Netscape Communications +# Corporation. Portions created by Netscape are +# Copyright (C) 1998 Netscape Communications Corporation. All +# Rights Reserved. +# +# Contributor(s): Terry Weissman terry@mozilla.org +# Dan Mosedale dmose@mozilla.org +# Joe Robins jmrobins@tgix.com +# Dave Miller justdave@syndicomm.com +# Christopher Aillon christopher@aillon.com +# Gervase Markham gerv@gerv.net +# Christian Reis kiko@async.com.br +# Bradley Baetz bbaetz@acm.org + +package Bugzilla::Auth::DB; + +use strict; + +use Bugzilla::Config; +use Bugzilla::Constants; +use Bugzilla::Util; + +sub authenticate { + my ($class, $username, $passwd) = @_; + + return (AUTH_NODATA) unless defined $username && defined $passwd; + + # We're just testing against the db: any value is ok + trick_taint($username); + + my $userid = $class->get_id_from_username($username); + return (AUTH_LOGINFAILED) unless defined $userid; + + return (AUTH_LOGINFAILED, $userid) + unless $class->check_password($userid, $passwd); + + # The user's credentials are okay, so delete any outstanding + # password tokens they may have generated. + require Bugzilla::Token; + Bugzilla::Token::DeletePasswordTokens($userid, "user_logged_in"); + + # Account may have been disabled + my $disabledtext = $class->get_disabled($userid); + return (AUTH_DISABLED, $userid, $disabledtext) + if $disabledtext ne ''; + + return (AUTH_OK, $userid); +} + +sub can_edit { return 1; } + +sub get_id_from_username { + my ($class, $username) = @_; + my $dbh = Bugzilla->dbh; + my $sth = $dbh->prepare_cached("SELECT userid FROM profiles " . + "WHERE login_name=?"); + my ($userid) = $dbh->selectrow_array($sth, undef, $username); + return $userid; +} + +sub get_disabled { + my ($class, $userid) = @_; + my $dbh = Bugzilla->dbh; + my $sth = $dbh->prepare_cached("SELECT disabledtext FROM profiles " . + "WHERE userid=?"); + my ($text) = $dbh->selectrow_array($sth, undef, $userid); + return $text; +} + +sub check_password { + my ($class, $userid, $passwd) = @_; + my $dbh = Bugzilla->dbh; + my $sth = $dbh->prepare_cached("SELECT cryptpassword FROM profiles " . + "WHERE userid=?"); + my ($realcryptpwd) = $dbh->selectrow_array($sth, undef, $userid); + + # Get the salt from the user's crypted password. + my $salt = $realcryptpwd; + + # Using the salt, crypt the password the user entered. + my $enteredCryptedPassword = crypt($passwd, $salt); + + return $enteredCryptedPassword eq $realcryptpwd; +} + +sub change_password { + my ($class, $userid, $password) = @_; + my $dbh = Bugzilla->dbh; + my $cryptpassword = Crypt($password); + $dbh->do("UPDATE profiles SET cryptpassword = ? WHERE userid = ?", + undef, $cryptpassword, $userid); +} + +1; + +__END__ + +=head1 NAME + +Bugzilla::Auth::DB - database authentication for Bugzilla + +=head1 SUMMARY + +This is an L<authentication module|Bugzilla::Auth/"AUTHENTICATION"> for +Bugzilla, which logs the user in using the password stored in the C<profiles> +table. This is the most commonly used authentication module. + +=head1 SEE ALSO + +LBugzilla::Auth _____
Added: trunk/web/reactos.org/htdocs/bugzilla/Bugzilla/Auth/LDAP.pm --- trunk/web/reactos.org/htdocs/bugzilla/Bugzilla/Auth/LDAP.pm 2006-01-27 22:04:21 UTC (rev 3) +++ trunk/web/reactos.org/htdocs/bugzilla/Bugzilla/Auth/LDAP.pm 2006-01-27 22:10:19 UTC (rev 4) @@ -0,0 +1,185 @@
+# -*- Mode: perl; indent-tabs-mode: nil -*- +# +# The contents of this file are subject to the Mozilla Public +# License Version 1.1 (the "License"); you may not use this file +# except in compliance with the License. You may obtain a copy of +# the License at http://www.mozilla.org/MPL/ +# +# Software distributed under the License is distributed on an "AS +# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or +# implied. See the License for the specific language governing +# rights and limitations under the License. +# +# The Original Code is the Bugzilla Bug Tracking System. +# +# The Initial Developer of the Original Code is Netscape Communications +# Corporation. Portions created by Netscape are +# Copyright (C) 1998 Netscape Communications Corporation. All +# Rights Reserved. +# +# Contributor(s): Terry Weissman terry@mozilla.org +# Dan Mosedale dmose@mozilla.org +# Joe Robins jmrobins@tgix.com +# Dave Miller justdave@syndicomm.com +# Christopher Aillon christopher@aillon.com +# Gervase Markham gerv@gerv.net +# Christian Reis kiko@async.com.br +# Bradley Baetz bbaetz@acm.org + +package Bugzilla::Auth::LDAP; + +use strict; + +use Bugzilla::Config; +use Bugzilla::Constants; + +use Net::LDAP; + +sub authenticate { + my ($class, $username, $passwd) = @_; + + # If no password was provided, then fail the authentication. + # While it may be valid to not have an LDAP password, when you + # bind without a password (regardless of the binddn value), you + # will get an anonymous bind. I do not know of a way to determine + # whether a bind is anonymous or not without making changes to the + # LDAP access control settings + return (AUTH_NODATA) unless $username && $passwd; + + # We need to bind anonymously to the LDAP server. This is + # because we need to get the Distinguished Name of the user trying + # to log in. Some servers (such as iPlanet) allow you to have unique + # uids spread out over a subtree of an area (such as "People"), so + # just appending the Base DN to the uid isn't sufficient to get the + # user's DN. For servers which don't work this way, there will still + # be no harm done. + my $LDAPserver = Param("LDAPserver"); + if ($LDAPserver eq "") { + return (AUTH_ERROR, undef, "server_not_defined"); + } + + my $LDAPport = "389"; # default LDAP port + if($LDAPserver =~ /:/) { + ($LDAPserver, $LDAPport) = split(":",$LDAPserver); + } + my $LDAPconn = Net::LDAP->new($LDAPserver, port => $LDAPport, version => 3); + if(!$LDAPconn) { + return (AUTH_ERROR, undef, "connect_failed"); + } + + my $mesg; + if (Param("LDAPbinddn")) { + my ($LDAPbinddn,$LDAPbindpass) = split(":",Param("LDAPbinddn")); + $mesg = $LDAPconn->bind($LDAPbinddn, password => $LDAPbindpass); + } + else { + $mesg = $LDAPconn->bind(); + } + if($mesg->code) { + return (AUTH_ERROR, undef, + "connect_failed", + { errstr => $mesg->error }); + } + + # We've got our anonymous bind; let's look up this user. + $mesg = $LDAPconn->search( base => Param("LDAPBaseDN"), + scope => "sub", + filter => '(&(' . Param("LDAPuidattribute") . "=$username)" . Param("LDAPfilter") . ')', + attrs => ['dn'], + ); + return (AUTH_LOGINFAILED, undef, "lookup_failure") + unless $mesg->count; + + # Now we get the DN from this search. + my $userDN = $mesg->shift_entry->dn; + + # Now we attempt to bind as the specified user. + $mesg = $LDAPconn->bind( $userDN, password => $passwd); + + return (AUTH_LOGINFAILED) if $mesg->code; + + # And now we're going to repeat the search, so that we can get the + # mail attribute for this user. + $mesg = $LDAPconn->search( base => Param("LDAPBaseDN"), + scope => "sub", + filter => '(&(' . Param("LDAPuidattribute") . "=$username)" . Param("LDAPfilter") . ')', + ); + my $user_entry = $mesg->shift_entry if !$mesg->code && $mesg->count; + if(!$user_entry || !$user_entry->exists(Param("LDAPmailattribute"))) { + return (AUTH_ERROR, undef, + "cannot_retreive_attr", + { attr => Param("LDAPmailattribute") }); + } + + # get the mail attribute + $username = $user_entry->get_value(Param("LDAPmailattribute")); + # OK, so now we know that the user is valid. Lets try finding them in the + # Bugzilla database + + # XXX - should this part be made more generic, and placed in + # Bugzilla::Auth? Lots of login mechanisms may have to do this, although + # until we actually get some more, its hard to know - BB + + my $dbh = Bugzilla->dbh; + my $sth = $dbh->prepare_cached("SELECT userid, disabledtext " . + "FROM profiles " . + "WHERE login_name=?"); + my ($userid, $disabledtext) = + $dbh->selectrow_array($sth, + undef, + $username); + + # If the user doesn't exist, then they need to be added + unless ($userid) { + # We'll want the user's name for this. + my $userRealName = $user_entry->get_value("displayName"); + if($userRealName eq "") { + $userRealName = $user_entry->get_value("cn"); + } + &::InsertNewUser($username, $userRealName); + + ($userid, $disabledtext) = $dbh->selectrow_array($sth, + undef, + $username); + return (AUTH_ERROR, $userid, "no_userid") + unless $userid; + } + + # we're done, so disconnect + $LDAPconn->unbind; + + # Test for disabled account + return (AUTH_DISABLED, $userid, $disabledtext) + if $disabledtext ne ''; + + # If we get to here, then the user is allowed to login, so we're done! + return (AUTH_OK, $userid); +} + +sub can_edit { return 0; } + +1; + +__END__ + +=head1 NAME + +Bugzilla::Auth::LDAP - LDAP based authentication for Bugzilla + +This is an L<authentication module|Bugzilla::Auth/"AUTHENTICATION"> for +Bugzilla, which logs the user in using an LDAP directory. + +=head1 DISCLAIMER + +B<This module is experimental>. It is poorly documented, and not very flexible. +Search Lhttp://bugzilla.mozilla.org/ for a list of known LDAP bugs. + +None of the core Bugzilla developers, nor any of the large installations, use +this module, and so it has received less testing. (In fact, this iteration +hasn't been tested at all) + +Patches are accepted. + +=head1 SEE ALSO + +LBugzilla::Auth _____
Added: trunk/web/reactos.org/htdocs/bugzilla/Bugzilla/Auth/ROSCMS.pm --- trunk/web/reactos.org/htdocs/bugzilla/Bugzilla/Auth/ROSCMS.pm 2006-01-27 22:04:21 UTC (rev 3) +++ trunk/web/reactos.org/htdocs/bugzilla/Bugzilla/Auth/ROSCMS.pm 2006-01-27 22:10:19 UTC (rev 4) @@ -0,0 +1,215 @@
+# -*- Mode: perl; indent-tabs-mode: nil -*- +# +# The contents of this file are subject to the Mozilla Public +# License Version 1.1 (the "License"); you may not use this file +# except in compliance with the License. You may obtain a copy of +# the License at http://www.mozilla.org/MPL/ +# +# Software distributed under the License is distributed on an "AS +# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or +# implied. See the License for the specific language governing +# rights and limitations under the License. +# +# The Original Code is the Bugzilla Bug Tracking System. +# +# The Initial Developer of the Original Code is Netscape Communications +# Corporation. Portions created by Netscape are +# Copyright (C) 1998 Netscape Communications Corporation. All +# Rights Reserved. +# +# Contributor(s): Terry Weissman terry@mozilla.org +# Dan Mosedale dmose@mozilla.org +# Joe Robins jmrobins@tgix.com +# Dave Miller justdave@syndicomm.com +# Christopher Aillon christopher@aillon.com +# Gervase Markham gerv@gerv.net +# Christian Reis kiko@async.com.br +# Bradley Baetz bbaetz@acm.org + +package Bugzilla::Auth::ROSCMS; + +use strict; + +use URI; +use URI::Escape; + +use Bugzilla::Config; +use Bugzilla::Constants; +use Bugzilla::Error; +use Bugzilla::Util; + +my $session_cookie_name = "roscmsusrkey"; +my $roscms_db_name = "roscms"; +my $roscms_login_page = "/roscms/?page=login&target="; + +sub authenticate { + my ($class, $username, $passwd) = @_; + + return (AUTH_NODATA) unless defined $username && defined $passwd; + + # We're just testing against the db: any value is ok + trick_taint($username); + + my $userid = $class->get_id_from_username($username); + return (AUTH_LOGINFAILED) unless defined $userid; + + return (AUTH_LOGINFAILED, $userid) + unless $class->check_password($userid, $passwd); + + # The user's credentials are okay, so delete any outstanding + # password tokens they may have generated. + require Bugzilla::Token; + Bugzilla::Token::DeletePasswordTokens($userid, "user_logged_in"); + + # Account may have been disabled + my $disabledtext = $class->get_disabled($userid); + return (AUTH_DISABLED, $userid, $disabledtext) + if $disabledtext ne ''; + + return (AUTH_OK, $userid); +} + +sub can_edit { return 1; } + +sub get_id_from_username { + my ($class, $username) = @_; + my $dbh = Bugzilla->dbh; + my $sth = $dbh->prepare_cached("SELECT userid FROM profiles " . + "WHERE login_name=?"); + my ($userid) = $dbh->selectrow_array($sth, undef, $username); + return $userid; +} + +sub get_disabled { + my ($class, $userid) = @_; + my $dbh = Bugzilla->dbh; + my $sth = $dbh->prepare_cached("SELECT disabledtext FROM profiles " . + "WHERE userid=?"); + my ($text) = $dbh->selectrow_array($sth, undef, $userid); + return $text; +} + +sub check_password { + my ($class, $userid, $passwd) = @_; + my $dbh = Bugzilla->dbh; + my $sth = $dbh->prepare_cached("SELECT cryptpassword FROM profiles " . + "WHERE userid=?"); + my ($realcryptpwd) = $dbh->selectrow_array($sth, undef, $userid); + + # Get the salt from the user's crypted password. + my $salt = $realcryptpwd; + + # Using the salt, crypt the password the user entered. + my $enteredCryptedPassword = crypt($passwd, $salt); + + return $enteredCryptedPassword eq $realcryptpwd; +} + +sub change_password { + my ($class, $userid, $password) = @_; + my $dbh = Bugzilla->dbh; + my $cryptpassword = Crypt($password); + $dbh->do("UPDATE profiles SET cryptpassword = ? WHERE userid = ?", + undef, $cryptpassword, $userid); +} + +sub login { + my ($class, $type) = @_; + + # 'NORMAL' logins depend on the 'requirelogin' param + if ($type == LOGIN_NORMAL) { + $type = Param('requirelogin') ? LOGIN_REQUIRED : LOGIN_OPTIONAL; + } + + my $cgi = Bugzilla->cgi; + + my $authres; + my $userid; + my $session_id = $cgi->cookie($session_cookie_name); + if (! defined($session_id)) { + $authres = AUTH_NODATA; + } else { + my $session_id_clean = $session_id; + trick_taint($session_id_clean); + my $remote_addr_clean; + if ($ENV{'REMOTE_ADDR'} =~ m/^(\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3})/) { + $remote_addr_clean = $1; + } else { + $remote_addr_clean = 'invalid'; + } + my $browser_agent_clean = $ENV{'HTTP_USER_AGENT'}; + trick_taint($browser_agent_clean); + my $query = "SELECT m.map_subsys_userid " . + " FROM $roscms_db_name.user_sessions s, " . + " $roscms_db_name.users u, " . + " $roscms_db_name.subsys_mappings m " . + " WHERE s.usersession_id = ? " . + " AND (s.usersession_expires IS NULL OR " . + " NOW() <= s.usersession_expires) " . + " AND u.user_id = s.usersession_user_id " . + " AND (u.user_setting_ipaddress = 'false' OR " . + " s.usersession_ipaddress = ?) " . + " AND (u.user_setting_browseragent = 'false' OR " . + " s.usersession_browseragent = ?) " . + " AND m.map_roscms_userid = s.usersession_user_id " . + " AND m.map_subsys_name = 'bugzilla'"; + my @params = ($session_id_clean, $remote_addr_clean, + $browser_agent_clean); + my $dbh = Bugzilla->dbh; + ($userid) = $dbh->selectrow_array($query, undef, @params); + if ($userid) { [truncated at 1000 lines; 543895 more skipped]