Added: trunk/web/reactos.org/
Added: trunk/web/reactos.org/htdocs/
Added: trunk/web/reactos.org/htdocs/bugzilla/
Added: trunk/web/reactos.org/htdocs/bugzilla/.htaccess
Added: trunk/web/reactos.org/htdocs/bugzilla/1x1.gif
Added: trunk/web/reactos.org/htdocs/bugzilla/Bugzilla/
Added: trunk/web/reactos.org/htdocs/bugzilla/Bugzilla/.cvsignore
Added: trunk/web/reactos.org/htdocs/bugzilla/Bugzilla/.htaccess
Added: trunk/web/reactos.org/htdocs/bugzilla/Bugzilla/Attachment.pm
Added: trunk/web/reactos.org/htdocs/bugzilla/Bugzilla/Auth/
Added: trunk/web/reactos.org/htdocs/bugzilla/Bugzilla/Auth/CGI.pm
Added: trunk/web/reactos.org/htdocs/bugzilla/Bugzilla/Auth/Cookie.pm
Added: trunk/web/reactos.org/htdocs/bugzilla/Bugzilla/Auth/DB.pm
Added: trunk/web/reactos.org/htdocs/bugzilla/Bugzilla/Auth/LDAP.pm
Added: trunk/web/reactos.org/htdocs/bugzilla/Bugzilla/Auth/ROSCMS.pm
Added: trunk/web/reactos.org/htdocs/bugzilla/Bugzilla/Auth.pm
Added: trunk/web/reactos.org/htdocs/bugzilla/Bugzilla/Bug.pm
Added: trunk/web/reactos.org/htdocs/bugzilla/Bugzilla/BugMail.pm
Added: trunk/web/reactos.org/htdocs/bugzilla/Bugzilla/CGI.pm
Added: trunk/web/reactos.org/htdocs/bugzilla/Bugzilla/Chart.pm
Added: trunk/web/reactos.org/htdocs/bugzilla/Bugzilla/Config.pm
Added: trunk/web/reactos.org/htdocs/bugzilla/Bugzilla/Constants.pm
Added: trunk/web/reactos.org/htdocs/bugzilla/Bugzilla/DB.pm
Added: trunk/web/reactos.org/htdocs/bugzilla/Bugzilla/Error.pm
Added: trunk/web/reactos.org/htdocs/bugzilla/Bugzilla/Flag.pm
Added: trunk/web/reactos.org/htdocs/bugzilla/Bugzilla/FlagType.pm
Added: trunk/web/reactos.org/htdocs/bugzilla/Bugzilla/RelationSet.pm
Added: trunk/web/reactos.org/htdocs/bugzilla/Bugzilla/Search.pm
Added: trunk/web/reactos.org/htdocs/bugzilla/Bugzilla/Series.pm
Added: trunk/web/reactos.org/htdocs/bugzilla/Bugzilla/Template/
Added: trunk/web/reactos.org/htdocs/bugzilla/Bugzilla/Template/Plugin/
Added: trunk/web/reactos.org/htdocs/bugzilla/Bugzilla/Template/Plugin/Bugzilla.pm
Added: trunk/web/reactos.org/htdocs/bugzilla/Bugzilla/Template/Plugin/Hook.pm
Added: trunk/web/reactos.org/htdocs/bugzilla/Bugzilla/Template.pm
Added: trunk/web/reactos.org/htdocs/bugzilla/Bugzilla/Token.pm
Added: trunk/web/reactos.org/htdocs/bugzilla/Bugzilla/User.pm
Added: trunk/web/reactos.org/htdocs/bugzilla/Bugzilla/Util.pm
Added: trunk/web/reactos.org/htdocs/bugzilla/Bugzilla.pm
Added: trunk/web/reactos.org/htdocs/bugzilla/CGI.pl
Added: trunk/web/reactos.org/htdocs/bugzilla/QUICKSTART
Added: trunk/web/reactos.org/htdocs/bugzilla/README
Added: trunk/web/reactos.org/htdocs/bugzilla/UPGRADING
Added: trunk/web/reactos.org/htdocs/bugzilla/UPGRADING-pre-2.8
Added: trunk/web/reactos.org/htdocs/bugzilla/ant.jpg
Added: trunk/web/reactos.org/htdocs/bugzilla/attachment.cgi
Added: trunk/web/reactos.org/htdocs/bugzilla/buglist.cgi
Added: trunk/web/reactos.org/htdocs/bugzilla/bugzilla.dtd
Added: trunk/web/reactos.org/htdocs/bugzilla/chart.cgi
Added: trunk/web/reactos.org/htdocs/bugzilla/checksetup.pl
Added: trunk/web/reactos.org/htdocs/bugzilla/colchange.cgi
Added: trunk/web/reactos.org/htdocs/bugzilla/collectstats.pl
Added: trunk/web/reactos.org/htdocs/bugzilla/config.cgi
Added: trunk/web/reactos.org/htdocs/bugzilla/contrib/
Added: trunk/web/reactos.org/htdocs/bugzilla/contrib/BugzillaEmail.pm
Added: trunk/web/reactos.org/htdocs/bugzilla/contrib/README
Added: trunk/web/reactos.org/htdocs/bugzilla/contrib/README.Mailif
Added: trunk/web/reactos.org/htdocs/bugzilla/contrib/bug_email.pl
Added: trunk/web/reactos.org/htdocs/bugzilla/contrib/bugmail_help.html
Added: trunk/web/reactos.org/htdocs/bugzilla/contrib/bugzilla-submit/
Added: trunk/web/reactos.org/htdocs/bugzilla/contrib/bugzilla-submit/README
Added: trunk/web/reactos.org/htdocs/bugzilla/contrib/bugzilla-submit/bugdata.txt
Added: trunk/web/reactos.org/htdocs/bugzilla/contrib/bugzilla-submit/bugzilla-submit
Added: trunk/web/reactos.org/htdocs/bugzilla/contrib/bugzilla-submit/bugzilla-submit.xml
Added: trunk/web/reactos.org/htdocs/bugzilla/contrib/bugzilla.procmailrc
Added: trunk/web/reactos.org/htdocs/bugzilla/contrib/bugzilla_email_append.pl
Added: trunk/web/reactos.org/htdocs/bugzilla/contrib/bugzilla_ldapsync.rb
Added: trunk/web/reactos.org/htdocs/bugzilla/contrib/cmdline/
Added: trunk/web/reactos.org/htdocs/bugzilla/contrib/cmdline/bugcount
Added: trunk/web/reactos.org/htdocs/bugzilla/contrib/cmdline/bugids
Added: trunk/web/reactos.org/htdocs/bugzilla/contrib/cmdline/buglist
Added: trunk/web/reactos.org/htdocs/bugzilla/contrib/cmdline/bugs
Added: trunk/web/reactos.org/htdocs/bugzilla/contrib/cmdline/bugslink
Added: trunk/web/reactos.org/htdocs/bugzilla/contrib/cmdline/makequery
Added: trunk/web/reactos.org/htdocs/bugzilla/contrib/cmdline/query.conf
Added: trunk/web/reactos.org/htdocs/bugzilla/contrib/cvs-update.pl
Added: trunk/web/reactos.org/htdocs/bugzilla/contrib/gnats2bz.pl
Added: trunk/web/reactos.org/htdocs/bugzilla/contrib/gnatsparse/
Added: trunk/web/reactos.org/htdocs/bugzilla/contrib/gnatsparse/README
Added: trunk/web/reactos.org/htdocs/bugzilla/contrib/gnatsparse/gnatsparse.py
Added: trunk/web/reactos.org/htdocs/bugzilla/contrib/gnatsparse/magic.py
Added: trunk/web/reactos.org/htdocs/bugzilla/contrib/gnatsparse/specialuu.py
Added: trunk/web/reactos.org/htdocs/bugzilla/contrib/jb2bz.py
Added: trunk/web/reactos.org/htdocs/bugzilla/contrib/mysqld-watcher.pl
Added: trunk/web/reactos.org/htdocs/bugzilla/contrib/sendbugmail.pl
Added: trunk/web/reactos.org/htdocs/bugzilla/contrib/sendunsentbugmail.pl
Added: trunk/web/reactos.org/htdocs/bugzilla/contrib/syncLDAP.pl
Added: trunk/web/reactos.org/htdocs/bugzilla/contrib/yp_nomail.sh
Added: trunk/web/reactos.org/htdocs/bugzilla/createaccount.cgi
Added: trunk/web/reactos.org/htdocs/bugzilla/css/
Added: trunk/web/reactos.org/htdocs/bugzilla/css/buglist.css
Added: trunk/web/reactos.org/htdocs/bugzilla/css/duplicates.css
Added: trunk/web/reactos.org/htdocs/bugzilla/css/global.css
Added: trunk/web/reactos.org/htdocs/bugzilla/css/panel.css
Added: trunk/web/reactos.org/htdocs/bugzilla/css/show_multiple.css
Added: trunk/web/reactos.org/htdocs/bugzilla/data/
Added: trunk/web/reactos.org/htdocs/bugzilla/data/.htaccess
Added: trunk/web/reactos.org/htdocs/bugzilla/data/duplicates/
Added: trunk/web/reactos.org/htdocs/bugzilla/data/mail
Added: trunk/web/reactos.org/htdocs/bugzilla/data/mimedump-tmp/
Added: trunk/web/reactos.org/htdocs/bugzilla/data/mining/
[truncated at 100 lines; 2844 more skipped]
--- trunk/web/reactos.org/htdocs/bugzilla/.htaccess 2006-01-27 22:04:21 UTC (rev 3)
+++ trunk/web/reactos.org/htdocs/bugzilla/.htaccess 2006-01-27 22:10:19 UTC (rev 4)
@@ -0,0 +1,7 @@
+# don't allow people to retrieve non-cgi executable files or our private data
+<FilesMatch ^(.*\.pl|.*localconfig.*|runtests.sh)$>
+ deny from all
+</FilesMatch>
+<FilesMatch ^(localconfig.js|localconfig.rdf)$>
+ allow from all
+</FilesMatch>
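Review bot: The first `FilesMatch` pattern is anchored at both ends, so it denies `checksetup.pl` but not a leftover copy whose name ends in `.pl~`, `.pl.bak` or `.pl.orig`, and it does not cover `Bugzilla.pm`, which this commit adds at the same level. If the intent is that no script source or backup copy is served, a wider pattern along the lines of `<FilesMatch "^(.*\.(pl|pm|sh)(~|\..*)?|.*localconfig.*)$">` would cover those cases. The `contrib/` tree also adds `.py`, `.rb` and `.sh` files, which stay retrievable unless that directory carries its own `.htaccess` (not visible in this part of the listing). A comment saying that the second block deliberately re-opens `localconfig.js` and `localconfig.rdf`, and that it must come after the deny block, would help the next editor.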
(Binary files differ)
Property changes on: trunk/web/reactos.org/htdocs/bugzilla/1x1.gif
___________________________________________________________________
Name: svn:mime-type
+ application/octet-stream
--- trunk/web/reactos.org/htdocs/bugzilla/Bugzilla/.cvsignore 2006-01-27 22:04:21 UTC (rev 3)
+++ trunk/web/reactos.org/htdocs/bugzilla/Bugzilla/.cvsignore 2006-01-27 22:10:19 UTC (rev 4)
@@ -0,0 +1 @@
+.htaccess
--- trunk/web/reactos.org/htdocs/bugzilla/Bugzilla/.htaccess 2006-01-27 22:04:21 UTC (rev 3)
+++ trunk/web/reactos.org/htdocs/bugzilla/Bugzilla/.htaccess 2006-01-27 22:10:19 UTC (rev 4)
@@ -0,0 +1,3 @@
+# nothing in this directory is retrievable unless overriden by an .htaccess
+# in a subdirectory
+deny from all
--- trunk/web/reactos.org/htdocs/bugzilla/Bugzilla/Attachment.pm 2006-01-27 22:04:21 UTC (rev 3)
+++ trunk/web/reactos.org/htdocs/bugzilla/Bugzilla/Attachment.pm 2006-01-27 22:10:19 UTC (rev 4)
@@ -0,0 +1,108 @@
+# -*- Mode: perl; indent-tabs-mode: nil -*-
+#
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+#
+# The Original Code is the Bugzilla Bug Tracking System.
+#
+# The Initial Developer of the Original Code is Netscape Communications
+# Corporation. Portions created by Netscape are
+# Copyright (C) 1998 Netscape Communications Corporation. All
+# Rights Reserved.
+#
+# Contributor(s): Terry Weissman <terry@mozilla.org>
+# Myk Melez <myk@mozilla.org>
+
+############################################################################
+# Module Initialization
+############################################################################
+
+use strict;
+
+package Bugzilla::Attachment;
+
+# This module requires that its caller have said "require CGI.pl" to import
+# relevant functions from that script and its companion globals.pl.
+
+# Use the Flag module to handle flags.
+use Bugzilla::Flag;
+
+############################################################################
+# Functions
+############################################################################
+
+sub new {
+ # Returns a hash of information about the attachment with the given ID.
+
+ my ($invocant, $id) = @_;
+ return undef if !$id;
+ my $self = { 'id' => $id };
+ my $class = ref($invocant) || $invocant;
+ bless($self, $class);
+
+ &::PushGlobalSQLState();
+ &::SendSQL("SELECT 1, description, bug_id, isprivate FROM attachments " .
+ "WHERE attach_id = $id");
+ ($self->{'exists'},
+ $self->{'summary'},
+ $self->{'bug_id'},
+ $self->{'isprivate'}) = &::FetchSQLData();
+ &::PopGlobalSQLState();
+
+ return $self;
+}
+
+sub query
+{
+ # Retrieves and returns an array of attachment records for a given bug.
+ # This data should be given to attachment/list.atml in an
+ # "attachments" variable.
+ my ($bugid) = @_;
+
+ my $in_editbugs = &::UserInGroup("editbugs");
+ &::SendSQL("SELECT product_id
+ FROM bugs
+ WHERE bug_id = $bugid");
+ my $productid = &::FetchOneColumn();
+ my $caneditproduct = &::CanEditProductId($productid);
+
+ # Retrieve a list of attachments for this bug and write them into an array
+ # of hashes in which each hash represents a single attachment.
+ &::SendSQL("
+ SELECT attach_id, DATE_FORMAT(creation_ts, '%Y.%m.%d %H:%i'),
+ mimetype, description, ispatch, isobsolete, isprivate,
+ submitter_id, LENGTH(thedata)
+ FROM attachments WHERE bug_id = $bugid ORDER BY attach_id
+ ");
+ my @attachments = ();
+ while (&::MoreSQLData()) {
+ my %a;
+ my $submitter_id;
+ ($a{'attachid'}, $a{'date'}, $a{'contenttype'}, $a{'description'},
+ $a{'ispatch'}, $a{'isobsolete'}, $a{'isprivate'}, $submitter_id,
+ $a{'datasize'}) = &::FetchSQLData();
+
+ # Retrieve a list of flags for this attachment.
+ $a{'flags'} = Bugzilla::Flag::match({ 'attach_id' => $a{'attachid'},
+ 'is_active' => 1 });
+
+ # We will display the edit link if the user can edit the attachment;
+ # ie the are the submitter, or they have canedit.
+ # Also show the link if the user is not logged in - in that cae,
+ # They'll be prompted later
+ $a{'canedit'} = ($::userid == 0 || (($submitter_id == $::userid ||
+ $in_editbugs) && $caneditproduct));
+ push @attachments, \%a;
+ }
+
+ return \@attachments;
+}
+
+1;
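Review bot: Both `new` and `query` splice their argument straight into the SQL text (`"WHERE attach_id = $id"`, `WHERE bug_id = $bugid`, and again in the attachment list query), so the module is safe only if every caller has already reduced the value to an integer, and nothing in this file enforces or documents that. The Auth modules in this commit already use placeholders through `Bugzilla->dbh`, and the same form would work here, for example `my ($productid) = Bugzilla->dbh->selectrow_array("SELECT product_id FROM bugs WHERE bug_id = ?", undef, $bugid);`. If the `SendSQL` interface has to stay, add a comment on each sub stating that the caller must pass a validated numeric id. `new` also uses `return undef`, which yields a one-element list in list context; a bare `return;` avoids that.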
--- trunk/web/reactos.org/htdocs/bugzilla/Bugzilla/Auth/CGI.pm 2006-01-27 22:04:21 UTC (rev 3)
+++ trunk/web/reactos.org/htdocs/bugzilla/Bugzilla/Auth/CGI.pm 2006-01-27 22:10:19 UTC (rev 4)
@@ -0,0 +1,247 @@
+# -*- Mode: perl; indent-tabs-mode: nil -*-
+#
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+#
+# The Original Code is the Bugzilla Bug Tracking System.
+#
+# The Initial Developer of the Original Code is Netscape Communications
+# Corporation. Portions created by Netscape are
+# Copyright (C) 1998 Netscape Communications Corporation. All
+# Rights Reserved.
+#
+# Contributor(s): Terry Weissman <terry@mozilla.org>
+# Dan Mosedale <dmose@mozilla.org>
+# Joe Robins <jmrobins@tgix.com>
+# Dave Miller <justdave@syndicomm.com>
+# Christopher Aillon <christopher@aillon.com>
+# Gervase Markham <gerv@gerv.net>
+# Christian Reis <kiko@async.com.br>
+# Bradley Baetz <bbaetz@acm.org>
+
+package Bugzilla::Auth::CGI;
+
+use strict;
+
+use Bugzilla::Config;
+use Bugzilla::Constants;
+use Bugzilla::Error;
+use Bugzilla::Util;
+
+sub login {
+ my ($class, $type) = @_;
+
+ # 'NORMAL' logins depend on the 'requirelogin' param
+ if ($type == LOGIN_NORMAL) {
+ $type = Param('requirelogin') ? LOGIN_REQUIRED : LOGIN_OPTIONAL;
+ }
+
+ my $cgi = Bugzilla->cgi;
+
+ # First, try the actual login method against form variables
+ my $username = $cgi->param("Bugzilla_login");
+ my $passwd = $cgi->param("Bugzilla_password");
+
+ $cgi->delete('Bugzilla_login', 'Bugzilla_password');
+
+ my $authmethod = Param("loginmethod");
+ my ($authres, $userid, $extra, $info) =
+ Bugzilla::Auth->authenticate($username, $passwd);
+
+ if ($authres == AUTH_OK) {
+ # Login via username/password was correct and valid, so create
+ # and send out the login cookies
+ my $ipaddr = $cgi->remote_addr;
+ unless ($cgi->param('Bugzilla_restrictlogin') ||
+ Param('loginnetmask') == 32) {
+ $ipaddr = Bugzilla::Auth::get_netaddr($ipaddr);
+ }
+
+ # The IP address is valid, at least for comparing with itself in a
+ # subsequent login
+ trick_taint($ipaddr);
+
+ my $dbh = Bugzilla->dbh;
+ $dbh->do("INSERT INTO logincookies (userid, ipaddr) VALUES (?, ?)",
+ undef,
+ $userid, $ipaddr);
+ my $logincookie = $dbh->selectrow_array("SELECT LAST_INSERT_ID()");
+
+ # Remember cookie only if admin has told so
+ # or admin didn't forbid it and user told to remember.
+ if ((Param('rememberlogin') eq 'on') ||
+ ((Param('rememberlogin') ne 'off') &&
+ ($cgi->param('Bugzilla_remember') eq 'on'))) {
+ $cgi->send_cookie(-name => 'Bugzilla_login',
+ -value => $userid,
+ -expires => 'Fri, 01-Jan-2038 00:00:00 GMT');
+ $cgi->send_cookie(-name => 'Bugzilla_logincookie',
+ -value => $logincookie,
+ -expires => 'Fri, 01-Jan-2038 00:00:00 GMT');
+
+ }
+ else {
+ $cgi->send_cookie(-name => 'Bugzilla_login',
+ -value => $userid);
+ $cgi->send_cookie(-name => 'Bugzilla_logincookie',
+ -value => $logincookie);
+
+ }
+ }
+ elsif ($authres == AUTH_NODATA) {
+ # No data from the form, so try to login via cookies
+ $username = $cgi->cookie("Bugzilla_login");
+ $passwd = $cgi->cookie("Bugzilla_logincookie");
+
+ require Bugzilla::Auth::Cookie;
+ my $authmethod = "Cookie";
+
+ ($authres, $userid, $extra) =
+ Bugzilla::Auth::Cookie->authenticate($username, $passwd);
+
+ # If the data for the cookie was incorrect, then treat that as
+ # NODATA. This could occur if the user's IP changed, for example.
+ # Give them un-loggedin access if allowed (checked below)
+ $authres = AUTH_NODATA if $authres == AUTH_LOGINFAILED;
+ }
+
+ # Now check the result
+
+ # An error may have occurred with the login mechanism
+ if ($authres == AUTH_ERROR) {
+ ThrowCodeError("auth_err",
+ { authmethod => lc($authmethod),
+ userid => $userid,
+ auth_err_tag => $extra,
+ info => $info
+ });
+ }
+
+ # We can load the page if the login was ok, or there was no data
+ # but a login wasn't required
+ if ($authres == AUTH_OK ||
+ ($authres == AUTH_NODATA && $type == LOGIN_OPTIONAL)) {
+
+ # login succeded, so we're done
+ return $userid;
+ }
+
+ # No login details were given, but we require a login if the
+ # page does
+ if ($authres == AUTH_NODATA && $type == LOGIN_REQUIRED) {
+ # Throw up the login page
+
+ print Bugzilla->cgi->header();
+
+ my $template = Bugzilla->template;
+ $template->process("account/auth/login.html.tmpl",
+ { 'target' => $cgi->url(-relative=>1),
+ 'form' => \%::FORM,
+ 'mform' => \%::MFORM,
+ 'caneditaccount' => Bugzilla::Auth->can_edit,
+ }
+ )
+ || ThrowTemplateError($template->error());
+
+ # This seems like as good as time as any to get rid of old
+ # crufty junk in the logincookies table. Get rid of any entry
+ # that hasn't been used in a month.
+ Bugzilla->dbh->do("DELETE FROM logincookies " .
+ "WHERE TO_DAYS(NOW()) - TO_DAYS(lastused) > 30");
+
+ exit;
+ }
+
+ # The username/password may be wrong
+ # Don't let the user know whether the username exists or whether
+ # the password was just wrong. (This makes it harder for a cracker
+ # to find account names by brute force)
+ if ($authres == AUTH_LOGINFAILED) {
+ ThrowUserError("invalid_username_or_password");
+ }
+
+ # The account may be disabled
+ if ($authres == AUTH_DISABLED) {
+ clear_browser_cookies();
+ # and throw a user error
+ ThrowUserError("account_disabled",
+ {'disabled_reason' => $extra});
+ }
+
+ # If we get here, then we've run out of options, which shouldn't happen
+ ThrowCodeError("authres_unhandled", { authres => $authres,
+ type => $type, });
+}
+
+# Logs user out, according to the option provided; this consists of
+# removing entries from logincookies for the specified $user.
+sub logout {
+ my ($class, $user, $option) = @_;
+ my $dbh = Bugzilla->dbh;
+ $option = LOGOUT_ALL unless defined $option;
+
+ if ($option == LOGOUT_ALL) {
+ $dbh->do("DELETE FROM logincookies WHERE userid = ?",
+ undef, $user->id);
+ return;
+ }
+
+ # The LOGOUT_*_CURRENT options require a cookie
+ my $cookie = Bugzilla->cgi->cookie("Bugzilla_logincookie");
+ detaint_natural($cookie);
+
+ # These queries use both the cookie ID and the user ID as keys. Even
+ # though we know the userid must match, we still check it in the SQL
+ # as a sanity check, since there is no locking here, and if the user
+ # logged out from two machines simultaneously, while someone else
+ # logged in and got the same cookie, we could be logging the other
+ # user out here. Yes, this is very very very unlikely, but why take
+ # chances? - bbaetz
+ if ($option == LOGOUT_KEEP_CURRENT) {
+ $dbh->do("DELETE FROM logincookies WHERE cookie != ? AND userid = ?",
+ undef, $cookie, $user->id);
+ } elsif ($option == LOGOUT_CURRENT) {
+ $dbh->do("DELETE FROM logincookies WHERE cookie = ? AND userid = ?",
+ undef, $cookie, $user->id);
+ } else {
+ die("Invalid option $option supplied to logout()");
+ }
+}
+
+sub clear_browser_cookies {
+ my $cgi = Bugzilla->cgi;
+ $cgi->remove_cookie('Bugzilla_login');
+ $cgi->remove_cookie('Bugzilla_logincookie');
+}
+
+1;
+
+__END__
+
+=head1 NAME
+
+Bugzilla::Auth::CGI - CGI-based logins for Bugzilla
+
+=head1 SUMMARY
+
+This is a L<login module|Bugzilla::Auth/"LOGIN"> for Bugzilla. Users connecting
+from a CGI script use this module to authenticate. Logouts are also handled here.
+
+=head1 BEHAVIOUR
+
+Users are first authenticated against the default authentication handler,
+using the CGI parameters I<Bugzilla_login> and I<Bugzilla_password>.
+
+If no data is present for that, then cookies are tried, using
+L<Bugzilla::Auth::Cookie>.
+
+=head1 SEE ALSO
+
+L<Bugzilla::Auth>
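Review bot: In `login`, the value sent as `Bugzilla_logincookie` is whatever `SELECT LAST_INSERT_ID()` returns after the insert into `logincookies`, so the session token appears to be a sequential row id rather than a secret, and `Bugzilla_login` is the numeric userid. That leaves the IP/netmask comparison in Bugzilla::Auth::Cookie as the only check a guessed pair has to pass; I would store and send a separate random value from a cryptographically strong source and keep the row id internal. The remembered cookies are issued with a fixed 2038 expiry and no secure flag is requested in this hunk, which deserves a comment if it is deliberate. Separately, `my $authmethod = "Cookie";` in the `AUTH_NODATA` branch declares a new lexical that goes out of scope at the closing brace, so the outer `$authmethod` passed to `ThrowCodeError("auth_err", ...)` never changes; it should read `$authmethod = "Cookie";`.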
--- trunk/web/reactos.org/htdocs/bugzilla/Bugzilla/Auth/Cookie.pm 2006-01-27 22:04:21 UTC (rev 3)
+++ trunk/web/reactos.org/htdocs/bugzilla/Bugzilla/Auth/Cookie.pm 2006-01-27 22:10:19 UTC (rev 4)
@@ -0,0 +1,113 @@
+# -*- Mode: perl; indent-tabs-mode: nil -*-
+#
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+#
+# The Original Code is the Bugzilla Bug Tracking System.
+#
+# The Initial Developer of the Original Code is Netscape Communications
+# Corporation. Portions created by Netscape are
+# Copyright (C) 1998 Netscape Communications Corporation. All
+# Rights Reserved.
+#
+# Contributor(s): Terry Weissman <terry@mozilla.org>
+# Dan Mosedale <dmose@mozilla.org>
+# Joe Robins <jmrobins@tgix.com>
+# Dave Miller <justdave@syndicomm.com>
+# Christopher Aillon <christopher@aillon.com>
+# Gervase Markham <gerv@gerv.net>
+# Christian Reis <kiko@async.com.br>
+# Bradley Baetz <bbaetz@acm.org>
+
+package Bugzilla::Auth::Cookie;
+
+use strict;
+
+use Bugzilla::Auth;
+use Bugzilla::Config;
+use Bugzilla::Constants;
+use Bugzilla::Util;
+
+sub authenticate {
+ my ($class, $login, $login_cookie) = @_;
+
+ return (AUTH_NODATA) unless defined $login && defined $login_cookie;
+
+ my $cgi = Bugzilla->cgi;
+
+ my $ipaddr = $cgi->remote_addr();
+ my $netaddr = Bugzilla::Auth::get_netaddr($ipaddr);
+
+ # Anything goes for these params - they're just strings which
+ # we're going to verify against the db
+ trick_taint($login);
+ trick_taint($login_cookie);
+ trick_taint($ipaddr);
+
+ my $query = "SELECT profiles.userid, profiles.disabledtext " .
+ "FROM logincookies, profiles " .
+ "WHERE logincookies.cookie=? AND " .
+ " logincookies.userid=profiles.userid AND " .
+ " logincookies.userid=? AND " .
+ " (logincookies.ipaddr=?";
+ my @params = ($login_cookie, $login, $ipaddr);
+ if (defined $netaddr) {
+ trick_taint($netaddr);
+ $query .= " OR logincookies.ipaddr=?";
+ push(@params, $netaddr);
+ }
+ $query .= ")";
+
+ my $dbh = Bugzilla->dbh;
+ my ($userid, $disabledtext) = $dbh->selectrow_array($query, undef, @params);
+
+ return (AUTH_DISABLED, $userid, $disabledtext)
+ if ($disabledtext);
+
+ if ($userid) {
+ # If we logged in successfully, then update the lastused time on the
+ # login cookie
+ $dbh->do("UPDATE logincookies SET lastused=NULL WHERE cookie=?",
+ undef,
+ $login_cookie);
+
+ return (AUTH_OK, $userid);
+ }
+
+ # If we get here, then the login failed.
+ return (AUTH_LOGINFAILED);
+}
+
+1;
+
+__END__
+
+=head1 NAME
+
+Bugzilla::Cookie - cookie authentication for Bugzilla
+
+=head1 SUMMARY
+
+This is an L<authentication module|Bugzilla::Auth/"AUTHENTICATION"> for
+Bugzilla, which logs the user in using a persistent cookie stored in the
+C<logincookies> table.
+
+The actual password is not stored in the cookie; only the userid and a
+I<logincookie> (which is used to reverify the login without requiring the
+password to be sent over the network) are. These I<logincookies> are
+restricted to certain IP addresses as a security meaure. The exact
+restriction can be specified by the admin via the C<loginnetmask> parameter.
+
+This module does not ever send a cookie (It has no way of knowing when a user
+is successfully logged in). Instead L<Bugzilla::Auth::CGI> handles this.
+
+=head1 SEE ALSO
+
+L<Bugzilla::Auth>, L<Bugzilla::Auth::CGI>
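Review bot: `UPDATE logincookies SET lastused=NULL` reads as if it clears the timestamp, while the comment above it says it updates the last-used time. This presumably relies on MySQL storing the current time when NULL is assigned to a TIMESTAMP column, and the 30-day cleanup in Bugzilla::Auth::CGI depends on that behaviour. A comment such as `# lastused is a TIMESTAMP column: assigning NULL stores the current time (MySQL-specific)` would make this explicit, or the statement could say `lastused=NOW()`. The POD `NAME` line says `Bugzilla::Cookie` although the package is `Bugzilla::Auth::Cookie`.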
--- trunk/web/reactos.org/htdocs/bugzilla/Bugzilla/Auth/DB.pm 2006-01-27 22:04:21 UTC (rev 3)
+++ trunk/web/reactos.org/htdocs/bugzilla/Bugzilla/Auth/DB.pm 2006-01-27 22:10:19 UTC (rev 4)
@@ -0,0 +1,124 @@
+# -*- Mode: perl; indent-tabs-mode: nil -*-
+#
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+#
+# The Original Code is the Bugzilla Bug Tracking System.
+#
+# The Initial Developer of the Original Code is Netscape Communications
+# Corporation. Portions created by Netscape are
+# Copyright (C) 1998 Netscape Communications Corporation. All
+# Rights Reserved.
+#
+# Contributor(s): Terry Weissman <terry@mozilla.org>
+# Dan Mosedale <dmose@mozilla.org>
+# Joe Robins <jmrobins@tgix.com>
+# Dave Miller <justdave@syndicomm.com>
+# Christopher Aillon <christopher@aillon.com>
+# Gervase Markham <gerv@gerv.net>
+# Christian Reis <kiko@async.com.br>
+# Bradley Baetz <bbaetz@acm.org>
+
+package Bugzilla::Auth::DB;
+
+use strict;
+
+use Bugzilla::Config;
+use Bugzilla::Constants;
+use Bugzilla::Util;
+
+sub authenticate {
+ my ($class, $username, $passwd) = @_;
+
+ return (AUTH_NODATA) unless defined $username && defined $passwd;
+
+ # We're just testing against the db: any value is ok
+ trick_taint($username);
+
+ my $userid = $class->get_id_from_username($username);
+ return (AUTH_LOGINFAILED) unless defined $userid;
+
+ return (AUTH_LOGINFAILED, $userid)
+ unless $class->check_password($userid, $passwd);
+
+ # The user's credentials are okay, so delete any outstanding
+ # password tokens they may have generated.
+ require Bugzilla::Token;
+ Bugzilla::Token::DeletePasswordTokens($userid, "user_logged_in");
+
+ # Account may have been disabled
+ my $disabledtext = $class->get_disabled($userid);
+ return (AUTH_DISABLED, $userid, $disabledtext)
+ if $disabledtext ne '';
+
+ return (AUTH_OK, $userid);
+}
+
+sub can_edit { return 1; }
+
+sub get_id_from_username {
+ my ($class, $username) = @_;
+ my $dbh = Bugzilla->dbh;
+ my $sth = $dbh->prepare_cached("SELECT userid FROM profiles " .
+ "WHERE login_name=?");
+ my ($userid) = $dbh->selectrow_array($sth, undef, $username);
+ return $userid;
+}
+
+sub get_disabled {
+ my ($class, $userid) = @_;
+ my $dbh = Bugzilla->dbh;
+ my $sth = $dbh->prepare_cached("SELECT disabledtext FROM profiles " .
+ "WHERE userid=?");
+ my ($text) = $dbh->selectrow_array($sth, undef, $userid);
+ return $text;
+}
+
+sub check_password {
+ my ($class, $userid, $passwd) = @_;
+ my $dbh = Bugzilla->dbh;
+ my $sth = $dbh->prepare_cached("SELECT cryptpassword FROM profiles " .
+ "WHERE userid=?");
+ my ($realcryptpwd) = $dbh->selectrow_array($sth, undef, $userid);
+
+ # Get the salt from the user's crypted password.
+ my $salt = $realcryptpwd;
+
+ # Using the salt, crypt the password the user entered.
+ my $enteredCryptedPassword = crypt($passwd, $salt);
+
+ return $enteredCryptedPassword eq $realcryptpwd;
+}
+
+sub change_password {
+ my ($class, $userid, $password) = @_;
+ my $dbh = Bugzilla->dbh;
+ my $cryptpassword = Crypt($password);
+ $dbh->do("UPDATE profiles SET cryptpassword = ? WHERE userid = ?",
+ undef, $cryptpassword, $userid);
+}
+
+1;
+
+__END__
+
+=head1 NAME
+
+Bugzilla::Auth::DB - database authentication for Bugzilla
+
+=head1 SUMMARY
+
+This is an L<authentication module|Bugzilla::Auth/"AUTHENTICATION"> for
+Bugzilla, which logs the user in using the password stored in the C<profiles>
+table. This is the most commonly used authentication module.
+
+=head1 SEE ALSO
+
+L<Bugzilla::Auth>
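Review bot: `check_password` passes the stored `cryptpassword` to `crypt()` as the salt and compares with `eq` without checking that either side is a usable hash. If the stored value is empty or NULL (for instance an account created by another login method) and the platform's `crypt()` returns undef for an invalid salt, the comparison becomes `undef eq ''`, which Perl treats as equal, so any password would be accepted. I would guard both ends: `return 0 unless defined $realcryptpwd && $realcryptpwd ne '';` before the `crypt()` call, and `return defined $enteredCryptedPassword && $enteredCryptedPassword eq $realcryptpwd;` at the end. In `authenticate`, `$disabledtext ne ''` will also warn when `get_disabled` returns undef.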
--- trunk/web/reactos.org/htdocs/bugzilla/Bugzilla/Auth/LDAP.pm 2006-01-27 22:04:21 UTC (rev 3)
+++ trunk/web/reactos.org/htdocs/bugzilla/Bugzilla/Auth/LDAP.pm 2006-01-27 22:10:19 UTC (rev 4)
@@ -0,0 +1,185 @@
+# -*- Mode: perl; indent-tabs-mode: nil -*-
+#
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+#
+# The Original Code is the Bugzilla Bug Tracking System.
+#
+# The Initial Developer of the Original Code is Netscape Communications
+# Corporation. Portions created by Netscape are
+# Copyright (C) 1998 Netscape Communications Corporation. All
+# Rights Reserved.
+#
+# Contributor(s): Terry Weissman <terry@mozilla.org>
+# Dan Mosedale <dmose@mozilla.org>
+# Joe Robins <jmrobins@tgix.com>
+# Dave Miller <justdave@syndicomm.com>
+# Christopher Aillon <christopher@aillon.com>
+# Gervase Markham <gerv@gerv.net>
+# Christian Reis <kiko@async.com.br>
+# Bradley Baetz <bbaetz@acm.org>
+
+package Bugzilla::Auth::LDAP;
+
+use strict;
+
+use Bugzilla::Config;
+use Bugzilla::Constants;
+
+use Net::LDAP;
+
+sub authenticate {
+ my ($class, $username, $passwd) = @_;
+
+ # If no password was provided, then fail the authentication.
+ # While it may be valid to not have an LDAP password, when you
+ # bind without a password (regardless of the binddn value), you
+ # will get an anonymous bind. I do not know of a way to determine
+ # whether a bind is anonymous or not without making changes to the
+ # LDAP access control settings
+ return (AUTH_NODATA) unless $username && $passwd;
+
+ # We need to bind anonymously to the LDAP server. This is
+ # because we need to get the Distinguished Name of the user trying
+ # to log in. Some servers (such as iPlanet) allow you to have unique
+ # uids spread out over a subtree of an area (such as "People"), so
+ # just appending the Base DN to the uid isn't sufficient to get the
+ # user's DN. For servers which don't work this way, there will still
+ # be no harm done.
+ my $LDAPserver = Param("LDAPserver");
+ if ($LDAPserver eq "") {
+ return (AUTH_ERROR, undef, "server_not_defined");
+ }
+
+ my $LDAPport = "389"; # default LDAP port
+ if($LDAPserver =~ /:/) {
+ ($LDAPserver, $LDAPport) = split(":",$LDAPserver);
+ }
+ my $LDAPconn = Net::LDAP->new($LDAPserver, port => $LDAPport, version => 3);
+ if(!$LDAPconn) {
+ return (AUTH_ERROR, undef, "connect_failed");
+ }
+
+ my $mesg;
+ if (Param("LDAPbinddn")) {
+ my ($LDAPbinddn,$LDAPbindpass) = split(":",Param("LDAPbinddn"));
+ $mesg = $LDAPconn->bind($LDAPbinddn, password => $LDAPbindpass);
+ }
+ else {
+ $mesg = $LDAPconn->bind();
+ }
+ if($mesg->code) {
+ return (AUTH_ERROR, undef,
+ "connect_failed",
+ { errstr => $mesg->error });
+ }
+
+ # We've got our anonymous bind; let's look up this user.
+ $mesg = $LDAPconn->search( base => Param("LDAPBaseDN"),
+ scope => "sub",
+ filter => '(&(' . Param("LDAPuidattribute") . "=$username)" . Param("LDAPfilter") . ')',
+ attrs => ['dn'],
+ );
+ return (AUTH_LOGINFAILED, undef, "lookup_failure")
+ unless $mesg->count;
+
+ # Now we get the DN from this search.
+ my $userDN = $mesg->shift_entry->dn;
+
+ # Now we attempt to bind as the specified user.
+ $mesg = $LDAPconn->bind( $userDN, password => $passwd);
+
+ return (AUTH_LOGINFAILED) if $mesg->code;
+
+ # And now we're going to repeat the search, so that we can get the
+ # mail attribute for this user.
+ $mesg = $LDAPconn->search( base => Param("LDAPBaseDN"),
+ scope => "sub",
+ filter => '(&(' . Param("LDAPuidattribute") . "=$username)" . Param("LDAPfilter") . ')',
+ );
+ my $user_entry = $mesg->shift_entry if !$mesg->code && $mesg->count;
+ if(!$user_entry || !$user_entry->exists(Param("LDAPmailattribute"))) {
+ return (AUTH_ERROR, undef,
+ "cannot_retreive_attr",
+ { attr => Param("LDAPmailattribute") });
+ }
+
+ # get the mail attribute
+ $username = $user_entry->get_value(Param("LDAPmailattribute"));
+ # OK, so now we know that the user is valid. Lets try finding them in the
+ # Bugzilla database
+
+ # XXX - should this part be made more generic, and placed in
+ # Bugzilla::Auth? Lots of login mechanisms may have to do this, although
+ # until we actually get some more, its hard to know - BB
+
+ my $dbh = Bugzilla->dbh;
+ my $sth = $dbh->prepare_cached("SELECT userid, disabledtext " .
+ "FROM profiles " .
+ "WHERE login_name=?");
+ my ($userid, $disabledtext) =
+ $dbh->selectrow_array($sth,
+ undef,
+ $username);
+
+ # If the user doesn't exist, then they need to be added
+ unless ($userid) {
+ # We'll want the user's name for this.
+ my $userRealName = $user_entry->get_value("displayName");
+ if($userRealName eq "") {
+ $userRealName = $user_entry->get_value("cn");
+ }
+ &::InsertNewUser($username, $userRealName);
+
+ ($userid, $disabledtext) = $dbh->selectrow_array($sth,
+ undef,
+ $username);
+ return (AUTH_ERROR, $userid, "no_userid")
+ unless $userid;
+ }
+
+ # we're done, so disconnect
+ $LDAPconn->unbind;
+
+ # Test for disabled account
+ return (AUTH_DISABLED, $userid, $disabledtext)
+ if $disabledtext ne '';
+
+ # If we get to here, then the user is allowed to login, so we're done!
+ return (AUTH_OK, $userid);
+}
+
+sub can_edit { return 0; }
+
+1;
+
+__END__
+
+=head1 NAME
+
+Bugzilla::Auth::LDAP - LDAP based authentication for Bugzilla
+
+This is an L<authentication module|Bugzilla::Auth/"AUTHENTICATION"> for
+Bugzilla, which logs the user in using an LDAP directory.
+
+=head1 DISCLAIMER
+
+B<This module is experimental>. It is poorly documented, and not very flexible.
+Search L<http://bugzilla.mozilla.org/> for a list of known LDAP bugs.
+
+None of the core Bugzilla developers, nor any of the large installations, use
+this module, and so it has received less testing. (In fact, this iteration
+hasn't been tested at all)
+
+Patches are accepted.
+
+=head1 SEE ALSO
+
+L<Bugzilla::Auth>
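Review bot: In `authenticate`, the submitted `$username` is concatenated into the LDAP search filter unescaped, in both `search` calls (`"=$username)"`), so filter metacharacters such as `*`, `(` and `)` in the login field change which entry the lookup and the later attribute fetch return. Escape the value once before building either filter, e.g. `use Net::LDAP::Util qw(escape_filter_value);` and `my $safe_username = escape_filter_value($username);`, then interpolate `$safe_username`. `my $user_entry = $mesg->shift_entry if ...;` combines `my` with a statement modifier, which perlsyn documents as undefined behaviour; declare `my $user_entry;` first and assign under the condition. The early `return` paths after a successful connect also skip `$LDAPconn->unbind`.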
--- trunk/web/reactos.org/htdocs/bugzilla/Bugzilla/Auth/ROSCMS.pm 2006-01-27 22:04:21 UTC (rev 3)
+++ trunk/web/reactos.org/htdocs/bugzilla/Bugzilla/Auth/ROSCMS.pm 2006-01-27 22:10:19 UTC (rev 4)
@@ -0,0 +1,215 @@
+# -*- Mode: perl; indent-tabs-mode: nil -*-
+#
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+#
+# The Original Code is the Bugzilla Bug Tracking System.
+#
+# The Initial Developer of the Original Code is Netscape Communications
+# Corporation. Portions created by Netscape are
+# Copyright (C) 1998 Netscape Communications Corporation. All
+# Rights Reserved.
+#
+# Contributor(s): Terry Weissman <terry@mozilla.org>
+# Dan Mosedale <dmose@mozilla.org>
+# Joe Robins <jmrobins@tgix.com>
+# Dave Miller <justdave@syndicomm.com>
+# Christopher Aillon <christopher@aillon.com>
+# Gervase Markham <gerv@gerv.net>
+# Christian Reis <kiko@async.com.br>
+# Bradley Baetz <bbaetz@acm.org>
+
+package Bugzilla::Auth::ROSCMS;
+
+use strict;
+
+use URI;
+use URI::Escape;
+
+use Bugzilla::Config;
+use Bugzilla::Constants;
+use Bugzilla::Error;
+use Bugzilla::Util;
+
+my $session_cookie_name = "roscmsusrkey";
+my $roscms_db_name = "roscms";
+my $roscms_login_page = "/roscms/?page=login&target=";
+
+sub authenticate {
+ my ($class, $username, $passwd) = @_;
+
+ return (AUTH_NODATA) unless defined $username && defined $passwd;
+
+ # We're just testing against the db: any value is ok
+ trick_taint($username);
+
+ my $userid = $class->get_id_from_username($username);
+ return (AUTH_LOGINFAILED) unless defined $userid;
+
+ return (AUTH_LOGINFAILED, $userid)
+ unless $class->check_password($userid, $passwd);
+
+ # The user's credentials are okay, so delete any outstanding
+ # password tokens they may have generated.
+ require Bugzilla::Token;
+ Bugzilla::Token::DeletePasswordTokens($userid, "user_logged_in");
+
+ # Account may have been disabled
+ my $disabledtext = $class->get_disabled($userid);
+ return (AUTH_DISABLED, $userid, $disabledtext)
+ if $disabledtext ne '';
+
+ return (AUTH_OK, $userid);
+}
+
+sub can_edit { return 1; }
+
+sub get_id_from_username {
+ my ($class, $username) = @_;
+ my $dbh = Bugzilla->dbh;
+ my $sth = $dbh->prepare_cached("SELECT userid FROM profiles " .
+ "WHERE login_name=?");
+ my ($userid) = $dbh->selectrow_array($sth, undef, $username);
+ return $userid;
+}
+
+sub get_disabled {
+ my ($class, $userid) = @_;
+ my $dbh = Bugzilla->dbh;
+ my $sth = $dbh->prepare_cached("SELECT disabledtext FROM profiles " .
+ "WHERE userid=?");
+ my ($text) = $dbh->selectrow_array($sth, undef, $userid);
+ return $text;
+}
+
+sub check_password {
+ my ($class, $userid, $passwd) = @_;
+ my $dbh = Bugzilla->dbh;
+ my $sth = $dbh->prepare_cached("SELECT cryptpassword FROM profiles " .
+ "WHERE userid=?");
+ my ($realcryptpwd) = $dbh->selectrow_array($sth, undef, $userid);
+
+ # Get the salt from the user's crypted password.
+ my $salt = $realcryptpwd;
+
+ # Using the salt, crypt the password the user entered.
+ my $enteredCryptedPassword = crypt($passwd, $salt);
+
+ return $enteredCryptedPassword eq $realcryptpwd;
+}
+
+sub change_password {
+ my ($class, $userid, $password) = @_;
+ my $dbh = Bugzilla->dbh;
+ my $cryptpassword = Crypt($password);
+ $dbh->do("UPDATE profiles SET cryptpassword = ? WHERE userid = ?",
+ undef, $cryptpassword, $userid);
+}
+
+sub login {
+ my ($class, $type) = @_;
+
+ # 'NORMAL' logins depend on the 'requirelogin' param
+ if ($type == LOGIN_NORMAL) {
+ $type = Param('requirelogin') ? LOGIN_REQUIRED : LOGIN_OPTIONAL;
+ }
+
+ my $cgi = Bugzilla->cgi;
+
+ my $authres;
+ my $userid;
+ my $session_id = $cgi->cookie($session_cookie_name);
+ if (! defined($session_id)) {
+ $authres = AUTH_NODATA;
+ } else {
+ my $session_id_clean = $session_id;
+ trick_taint($session_id_clean);
+ my $remote_addr_clean;
+ if ($ENV{'REMOTE_ADDR'} =~ m/^(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/) {
+ $remote_addr_clean = $1;
+ } else {
+ $remote_addr_clean = 'invalid';
+ }
+ my $browser_agent_clean = $ENV{'HTTP_USER_AGENT'};
+ trick_taint($browser_agent_clean);
+ my $query = "SELECT m.map_subsys_userid " .
+ " FROM $roscms_db_name.user_sessions s, " .
+ " $roscms_db_name.users u, " .
+ " $roscms_db_name.subsys_mappings m " .
+ " WHERE s.usersession_id = ? " .
+ " AND (s.usersession_expires IS NULL OR " .
+ " NOW() <= s.usersession_expires) " .
+ " AND u.user_id = s.usersession_user_id " .
+ " AND (u.user_setting_ipaddress = 'false' OR " .
+ " s.usersession_ipaddress = ?) " .
+ " AND (u.user_setting_browseragent = 'false' OR " .
+ " s.usersession_browseragent = ?) " .
+ " AND m.map_roscms_userid = s.usersession_user_id " .
+ " AND m.map_subsys_name = 'bugzilla'";
+ my @params = ($session_id_clean, $remote_addr_clean,
+ $browser_agent_clean);
+ my $dbh = Bugzilla->dbh;
+ ($userid) = $dbh->selectrow_array($query, undef, @params);
+ if ($userid) {
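Review bot: check_password in the new ROSCMS.pm never verifies that a stored hash was actually returned before it is used as the salt and compared. If `cryptpassword` is NULL or empty for a profile, `crypt()` may return undef on platforms that reject an invalid salt, and `undef eq ''` evaluates true, so the comparison could succeed for any entered password; with `use strict` but no `use warnings` this would also be silent. I would add `return 0 unless defined $realcryptpwd && $realcryptpwd ne '';` after the SELECT and end with `return defined $enteredCryptedPassword && $enteredCryptedPassword eq $realcryptpwd;`. Whether such rows can exist depends on how the RosCMS mapping creates profiles, which this page does not show. The hunk is truncated on this page, so the body of login continues beyond the last visible line.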
[truncated at 1000 lines; 543895 more skipped]