Bugzilla 2.18.3 vendor drop
Added: vendor/bugzilla/
Added: vendor/bugzilla/current/
Added: vendor/bugzilla/current/1x1.gif
Added: vendor/bugzilla/current/Bugzilla/
Added: vendor/bugzilla/current/Bugzilla/.cvsignore
Added: vendor/bugzilla/current/Bugzilla/Attachment.pm
Added: vendor/bugzilla/current/Bugzilla/Auth/
Added: vendor/bugzilla/current/Bugzilla/Auth/CGI.pm
Added: vendor/bugzilla/current/Bugzilla/Auth/Cookie.pm
Added: vendor/bugzilla/current/Bugzilla/Auth/DB.pm
Added: vendor/bugzilla/current/Bugzilla/Auth/LDAP.pm
Added: vendor/bugzilla/current/Bugzilla/Auth.pm
Added: vendor/bugzilla/current/Bugzilla/Bug.pm
Added: vendor/bugzilla/current/Bugzilla/BugMail.pm
Added: vendor/bugzilla/current/Bugzilla/CGI.pm
Added: vendor/bugzilla/current/Bugzilla/Chart.pm
Added: vendor/bugzilla/current/Bugzilla/Config.pm
Added: vendor/bugzilla/current/Bugzilla/Constants.pm
Added: vendor/bugzilla/current/Bugzilla/DB.pm
Added: vendor/bugzilla/current/Bugzilla/Error.pm
Added: vendor/bugzilla/current/Bugzilla/Flag.pm
Added: vendor/bugzilla/current/Bugzilla/FlagType.pm
Added: vendor/bugzilla/current/Bugzilla/RelationSet.pm
Added: vendor/bugzilla/current/Bugzilla/Search.pm
Added: vendor/bugzilla/current/Bugzilla/Series.pm
Added: vendor/bugzilla/current/Bugzilla/Template/
Added: vendor/bugzilla/current/Bugzilla/Template/Plugin/
Added: vendor/bugzilla/current/Bugzilla/Template/Plugin/Bugzilla.pm
Added: vendor/bugzilla/current/Bugzilla/Template/Plugin/Hook.pm
Added: vendor/bugzilla/current/Bugzilla/Template.pm
Added: vendor/bugzilla/current/Bugzilla/Token.pm
Added: vendor/bugzilla/current/Bugzilla/User.pm
Added: vendor/bugzilla/current/Bugzilla/Util.pm
Added: vendor/bugzilla/current/Bugzilla.pm
Added: vendor/bugzilla/current/CGI.pl
Added: vendor/bugzilla/current/QUICKSTART
Added: vendor/bugzilla/current/README
Added: vendor/bugzilla/current/UPGRADING
Added: vendor/bugzilla/current/UPGRADING-pre-2.8
Added: vendor/bugzilla/current/ant.jpg
Added: vendor/bugzilla/current/attachment.cgi
Added: vendor/bugzilla/current/buglist.cgi
Added: vendor/bugzilla/current/bugzilla.dtd
Added: vendor/bugzilla/current/chart.cgi
Added: vendor/bugzilla/current/checksetup.pl
Added: vendor/bugzilla/current/colchange.cgi
Added: vendor/bugzilla/current/collectstats.pl
Added: vendor/bugzilla/current/config.cgi
Added: vendor/bugzilla/current/contrib/
Added: vendor/bugzilla/current/contrib/BugzillaEmail.pm
Added: vendor/bugzilla/current/contrib/README
Added: vendor/bugzilla/current/contrib/README.Mailif
Added: vendor/bugzilla/current/contrib/bug_email.pl
Added: vendor/bugzilla/current/contrib/bugmail_help.html
Added: vendor/bugzilla/current/contrib/bugzilla-submit/
Added: vendor/bugzilla/current/contrib/bugzilla-submit/README
Added: vendor/bugzilla/current/contrib/bugzilla-submit/bugdata.txt
Added: vendor/bugzilla/current/contrib/bugzilla-submit/bugzilla-submit
Added: vendor/bugzilla/current/contrib/bugzilla-submit/bugzilla-submit.xml
Added: vendor/bugzilla/current/contrib/bugzilla.procmailrc
Added: vendor/bugzilla/current/contrib/bugzilla_email_append.pl
Added: vendor/bugzilla/current/contrib/bugzilla_ldapsync.rb
Added: vendor/bugzilla/current/contrib/cmdline/
Added: vendor/bugzilla/current/contrib/cmdline/bugcount
Added: vendor/bugzilla/current/contrib/cmdline/bugids
Added: vendor/bugzilla/current/contrib/cmdline/buglist
Added: vendor/bugzilla/current/contrib/cmdline/bugs
Added: vendor/bugzilla/current/contrib/cmdline/bugslink
Added: vendor/bugzilla/current/contrib/cmdline/makequery
Added: vendor/bugzilla/current/contrib/cmdline/query.conf
Added: vendor/bugzilla/current/contrib/cvs-update.pl
Added: vendor/bugzilla/current/contrib/gnats2bz.pl
Added: vendor/bugzilla/current/contrib/gnatsparse/
Added: vendor/bugzilla/current/contrib/gnatsparse/README
Added: vendor/bugzilla/current/contrib/gnatsparse/gnatsparse.py
Added: vendor/bugzilla/current/contrib/gnatsparse/magic.py
Added: vendor/bugzilla/current/contrib/gnatsparse/specialuu.py
Added: vendor/bugzilla/current/contrib/jb2bz.py
Added: vendor/bugzilla/current/contrib/mysqld-watcher.pl
Added: vendor/bugzilla/current/contrib/sendbugmail.pl
Added: vendor/bugzilla/current/contrib/sendunsentbugmail.pl
Added: vendor/bugzilla/current/contrib/syncLDAP.pl
Added: vendor/bugzilla/current/contrib/yp_nomail.sh
Added: vendor/bugzilla/current/createaccount.cgi
Added: vendor/bugzilla/current/css/
Added: vendor/bugzilla/current/css/buglist.css
Added: vendor/bugzilla/current/css/duplicates.css
Added: vendor/bugzilla/current/css/global.css
Added: vendor/bugzilla/current/css/panel.css
Added: vendor/bugzilla/current/css/show_multiple.css
Added: vendor/bugzilla/current/defparams.pl
Added: vendor/bugzilla/current/describecomponents.cgi
Added: vendor/bugzilla/current/describekeywords.cgi
Added: vendor/bugzilla/current/docs/
Added: vendor/bugzilla/current/docs/.cvsignore
Added: vendor/bugzilla/current/docs/README.docs
Added: vendor/bugzilla/current/docs/html/
Added: vendor/bugzilla/current/docs/html/Bugzilla-Guide.html
Added: vendor/bugzilla/current/docs/html/about.html
Added: vendor/bugzilla/current/docs/html/administration.html
[truncated at 100 lines; 364 more skipped]
Added: vendor/bugzilla/current/1x1.gif
(Binary files differ)
Property changes on: vendor/bugzilla/current/1x1.gif
___________________________________________________________________
Name: svn:mime-type
   + application/octet-stream

Added: vendor/bugzilla/current/Bugzilla/.cvsignore
--- vendor/bugzilla/current/Bugzilla/.cvsignore	2005-10-25 14:03:20 UTC (rev 18767)
+++ vendor/bugzilla/current/Bugzilla/.cvsignore	2005-10-25 15:05:06 UTC (rev 18768)
@@ -0,0 +1 @@
+.htaccess
Property changes on: vendor/bugzilla/current/Bugzilla/.cvsignore
___________________________________________________________________
Name: svn:eol-style
   + native

Added: vendor/bugzilla/current/Bugzilla/Attachment.pm
--- vendor/bugzilla/current/Bugzilla/Attachment.pm	2005-10-25 14:03:20 UTC (rev 18767)
+++ vendor/bugzilla/current/Bugzilla/Attachment.pm	2005-10-25 15:05:06 UTC (rev 18768)
@@ -0,0 +1,108 @@
+# -*- Mode: perl; indent-tabs-mode: nil -*-
+#
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+#
+# The Original Code is the Bugzilla Bug Tracking System.
+#
+# The Initial Developer of the Original Code is Netscape Communications
+# Corporation. Portions created by Netscape are
+# Copyright (C) 1998 Netscape Communications Corporation. All
+# Rights Reserved.
+#
+# Contributor(s): Terry Weissman <terry@mozilla.org>
+#                 Myk Melez <myk@mozilla.org>
+
+############################################################################
+# Module Initialization
+############################################################################
+
+use strict;
+
+package Bugzilla::Attachment;
+
+# This module requires that its caller have said "require CGI.pl" to import
+# relevant functions from that script and its companion globals.pl.
+
+# Use the Flag module to handle flags.
+use Bugzilla::Flag;
+
+############################################################################
+# Functions
+############################################################################
+
+sub new {
+    # Returns a hash of information about the attachment with the given ID.
+
+    my ($invocant, $id) = @_;
+    return undef if !$id;
+    my $self = { 'id' => $id };
+    my $class = ref($invocant) || $invocant;
+    bless($self, $class);
+    
+    &::PushGlobalSQLState();
+    &::SendSQL("SELECT 1, description, bug_id, isprivate FROM attachments " . 
+               "WHERE attach_id = $id");
+    ($self->{'exists'},
+     $self->{'summary'},
+     $self->{'bug_id'},
+     $self->{'isprivate'}) = &::FetchSQLData();
+    &::PopGlobalSQLState();
+
+    return $self;
+}
+
+sub query
+{
+  # Retrieves and returns an array of attachment records for a given bug. 
+  # This data should be given to attachment/list.atml in an
+  # "attachments" variable.
+  my ($bugid) = @_;
+
+  my $in_editbugs = &::UserInGroup("editbugs");
+  &::SendSQL("SELECT product_id
+           FROM bugs 
+           WHERE bug_id = $bugid");
+  my $productid = &::FetchOneColumn();
+  my $caneditproduct = &::CanEditProductId($productid);
+
+  # Retrieve a list of attachments for this bug and write them into an array
+  # of hashes in which each hash represents a single attachment.
+  &::SendSQL("
+              SELECT attach_id, DATE_FORMAT(creation_ts, '%Y.%m.%d %H:%i'),
+              mimetype, description, ispatch, isobsolete, isprivate, 
+              submitter_id, LENGTH(thedata)
+              FROM attachments WHERE bug_id = $bugid ORDER BY attach_id
+            ");
+  my @attachments = ();
+  while (&::MoreSQLData()) {
+    my %a;
+    my $submitter_id;
+    ($a{'attachid'}, $a{'date'}, $a{'contenttype'}, $a{'description'},
+     $a{'ispatch'}, $a{'isobsolete'}, $a{'isprivate'}, $submitter_id, 
+     $a{'datasize'}) = &::FetchSQLData();
+
+    # Retrieve a list of flags for this attachment.
+    $a{'flags'} = Bugzilla::Flag::match({ 'attach_id' => $a{'attachid'},
+                                          'is_active' => 1 });
+    
+    # We will display the edit link if the user can edit the attachment;
+    # ie the are the submitter, or they have canedit.
+    # Also show the link if the user is not logged in - in that cae,
+    # They'll be prompted later
+    $a{'canedit'} = ($::userid == 0 || (($submitter_id == $::userid ||
+                     $in_editbugs) && $caneditproduct));
+    push @attachments, \%a;
+  }
+  
+  return \@attachments;  
+}
+
+1;
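Review bot: In new() and query(), $id and $bugid are interpolated directly into the SQL text ("WHERE attach_id = $id", "WHERE bug_id = $bugid"), and nothing in this file checks that they are integers, so the module is only safe if every caller has validated them first. Validate at the top of each sub or use placeholders, as Auth/CGI.pm does in its INSERT INTO logincookies statement; at minimum, add a comment stating the precondition. In query(), canedit is also true whenever $::userid == 0, which relies on the later login prompt mentioned in the comment, so it would help to name where that prompt is enforced.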
Property changes on: vendor/bugzilla/current/Bugzilla/Attachment.pm
___________________________________________________________________
Name: svn:eol-style
   + native

Added: vendor/bugzilla/current/Bugzilla/Auth/CGI.pm
--- vendor/bugzilla/current/Bugzilla/Auth/CGI.pm	2005-10-25 14:03:20 UTC (rev 18767)
+++ vendor/bugzilla/current/Bugzilla/Auth/CGI.pm	2005-10-25 15:05:06 UTC (rev 18768)
@@ -0,0 +1,247 @@
+# -*- Mode: perl; indent-tabs-mode: nil -*-
+#
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+#
+# The Original Code is the Bugzilla Bug Tracking System.
+#
+# The Initial Developer of the Original Code is Netscape Communications
+# Corporation. Portions created by Netscape are
+# Copyright (C) 1998 Netscape Communications Corporation. All
+# Rights Reserved.
+#
+# Contributor(s): Terry Weissman <terry@mozilla.org>
+#                 Dan Mosedale <dmose@mozilla.org>
+#                 Joe Robins <jmrobins@tgix.com>
+#                 Dave Miller <justdave@syndicomm.com>
+#                 Christopher Aillon <christopher@aillon.com>
+#                 Gervase Markham <gerv@gerv.net>
+#                 Christian Reis <kiko@async.com.br>
+#                 Bradley Baetz <bbaetz@acm.org>
+
+package Bugzilla::Auth::CGI;
+
+use strict;
+
+use Bugzilla::Config;
+use Bugzilla::Constants;
+use Bugzilla::Error;
+use Bugzilla::Util;
+
+sub login {
+    my ($class, $type) = @_;
+
+    # 'NORMAL' logins depend on the 'requirelogin' param
+    if ($type == LOGIN_NORMAL) {
+        $type = Param('requirelogin') ? LOGIN_REQUIRED : LOGIN_OPTIONAL;
+    }
+
+    my $cgi = Bugzilla->cgi;
+
+    # First, try the actual login method against form variables
+    my $username = $cgi->param("Bugzilla_login");
+    my $passwd = $cgi->param("Bugzilla_password");
+    
+    $cgi->delete('Bugzilla_login', 'Bugzilla_password');
+
+    my $authmethod = Param("loginmethod");
+    my ($authres, $userid, $extra, $info) =
+      Bugzilla::Auth->authenticate($username, $passwd);
+
+    if ($authres == AUTH_OK) {
+        # Login via username/password was correct and valid, so create
+        # and send out the login cookies
+        my $ipaddr = $cgi->remote_addr;
+        unless ($cgi->param('Bugzilla_restrictlogin') ||
+                Param('loginnetmask') == 32) {
+            $ipaddr = Bugzilla::Auth::get_netaddr($ipaddr);
+        }
+
+        # The IP address is valid, at least for comparing with itself in a
+        # subsequent login
+        trick_taint($ipaddr);
+
+        my $dbh = Bugzilla->dbh;
+        $dbh->do("INSERT INTO logincookies (userid, ipaddr) VALUES (?, ?)",
+                 undef,
+                 $userid, $ipaddr);
+        my $logincookie = $dbh->selectrow_array("SELECT LAST_INSERT_ID()");
+
+        # Remember cookie only if admin has told so
+        # or admin didn't forbid it and user told to remember.
+        if ((Param('rememberlogin') eq 'on') ||
+            ((Param('rememberlogin') ne 'off') &&
+             ($cgi->param('Bugzilla_remember') eq 'on'))) {
+            $cgi->send_cookie(-name => 'Bugzilla_login',
+                              -value => $userid,
+                              -expires => 'Fri, 01-Jan-2038 00:00:00 GMT');
+            $cgi->send_cookie(-name => 'Bugzilla_logincookie',
+                              -value => $logincookie,
+                              -expires => 'Fri, 01-Jan-2038 00:00:00 GMT');
+
+        }
+        else {
+            $cgi->send_cookie(-name => 'Bugzilla_login',
+                              -value => $userid);
+            $cgi->send_cookie(-name => 'Bugzilla_logincookie',
+                              -value => $logincookie);
+
+        }
+    }
+    elsif ($authres == AUTH_NODATA) {
+        # No data from the form, so try to login via cookies
+        $username = $cgi->cookie("Bugzilla_login");
+        $passwd = $cgi->cookie("Bugzilla_logincookie");
+
+        require Bugzilla::Auth::Cookie;
+        my $authmethod = "Cookie";
+
+        ($authres, $userid, $extra) =
+          Bugzilla::Auth::Cookie->authenticate($username, $passwd);
+
+        # If the data for the cookie was incorrect, then treat that as
+        # NODATA. This could occur if the user's IP changed, for example.
+        # Give them un-loggedin access if allowed (checked below)
+        $authres = AUTH_NODATA if $authres == AUTH_LOGINFAILED;
+    }
+
+    # Now check the result
+
+    # An error may have occurred with the login mechanism
+    if ($authres == AUTH_ERROR) {
+        ThrowCodeError("auth_err",
+                       { authmethod => lc($authmethod),
+                         userid => $userid,
+                         auth_err_tag => $extra,
+                         info => $info
+                       });
+    }
+
+    # We can load the page if the login was ok, or there was no data
+    # but a login wasn't required
+    if ($authres == AUTH_OK ||
+        ($authres == AUTH_NODATA && $type == LOGIN_OPTIONAL)) {
+
+        # login succeded, so we're done
+        return $userid;
+    }
+
+    # No login details were given, but we require a login if the
+    # page does
+    if ($authres == AUTH_NODATA && $type == LOGIN_REQUIRED) {
+        # Throw up the login page
+
+        print Bugzilla->cgi->header();
+
+        my $template = Bugzilla->template;
+        $template->process("account/auth/login.html.tmpl",
+                           { 'target' => $cgi->url(-relative=>1),
+                             'form' => \%::FORM,
+                             'mform' => \%::MFORM,
+                             'caneditaccount' => Bugzilla::Auth->can_edit,
+                           }
+                          )
+          || ThrowTemplateError($template->error());
+
+        # This seems like as good as time as any to get rid of old
+        # crufty junk in the logincookies table.  Get rid of any entry
+        # that hasn't been used in a month.
+        Bugzilla->dbh->do("DELETE FROM logincookies " .
+                          "WHERE TO_DAYS(NOW()) - TO_DAYS(lastused) > 30");
+
+        exit;
+    }
+
+    # The username/password may be wrong
+    # Don't let the user know whether the username exists or whether
+    # the password was just wrong. (This makes it harder for a cracker
+    # to find account names by brute force)
+    if ($authres == AUTH_LOGINFAILED) {
+        ThrowUserError("invalid_username_or_password");
+    }
+
+    # The account may be disabled
+    if ($authres == AUTH_DISABLED) {
+        clear_browser_cookies();
+        # and throw a user error
+        ThrowUserError("account_disabled",
+                       {'disabled_reason' => $extra});
+    }
+
+    # If we get here, then we've run out of options, which shouldn't happen
+    ThrowCodeError("authres_unhandled", { authres => $authres, 
+                                          type => $type, });
+}
+
+# Logs user out, according to the option provided; this consists of
+# removing entries from logincookies for the specified $user.
+sub logout {
+    my ($class, $user, $option) = @_;
+    my $dbh = Bugzilla->dbh;
+    $option = LOGOUT_ALL unless defined $option;
+
+    if ($option == LOGOUT_ALL) {
+            $dbh->do("DELETE FROM logincookies WHERE userid = ?",
+                     undef, $user->id);
+            return;
+    }
+
+    # The LOGOUT_*_CURRENT options require a cookie 
+    my $cookie = Bugzilla->cgi->cookie("Bugzilla_logincookie");
+    detaint_natural($cookie);
+
+    # These queries use both the cookie ID and the user ID as keys. Even
+    # though we know the userid must match, we still check it in the SQL
+    # as a sanity check, since there is no locking here, and if the user
+    # logged out from two machines simultaneously, while someone else
+    # logged in and got the same cookie, we could be logging the other
+    # user out here. Yes, this is very very very unlikely, but why take
+    # chances? - bbaetz
+    if ($option == LOGOUT_KEEP_CURRENT) {
+        $dbh->do("DELETE FROM logincookies WHERE cookie != ? AND userid = ?",
+                 undef, $cookie, $user->id);
+    } elsif ($option == LOGOUT_CURRENT) {
+        $dbh->do("DELETE FROM logincookies WHERE cookie = ? AND userid = ?",
+                 undef, $cookie, $user->id);
+    } else {
+        die("Invalid option $option supplied to logout()");
+  }
+}
+
+sub clear_browser_cookies {
+    my $cgi = Bugzilla->cgi;
+    $cgi->remove_cookie('Bugzilla_login');
+    $cgi->remove_cookie('Bugzilla_logincookie');
+}
+
+1;
+
+__END__
+
+=head1 NAME
+
+Bugzilla::Auth::CGI - CGI-based logins for Bugzilla
+
+=head1 SUMMARY
+
+This is a L<login module|Bugzilla::Auth/"LOGIN"> for Bugzilla. Users connecting
+from a CGI script use this module to authenticate. Logouts are also handled here.
+
+=head1 BEHAVIOUR
+
+Users are first authenticated against the default authentication handler,
+using the CGI parameters I<Bugzilla_login> and I<Bugzilla_password>.
+
+If no data is present for that, then cookies are tried, using
+L<Bugzilla::Auth::Cookie>.
+
+=head1 SEE ALSO
+
+L<Bugzilla::Auth>
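Review bot: In login(), the value sent as Bugzilla_logincookie is the row id returned by "SELECT LAST_INSERT_ID()", so the session token is a sequential number and the only other binding visible here is the stored IP address or network address. Generate a random value, store it alongside the row and send that instead. Two smaller points: "my $authmethod = "Cookie";" in the AUTH_NODATA branch declares a new lexical, so the auth_err report further down still names the Param("loginmethod") value; and logout() calls detaint_natural($cookie) but does not handle a missing or non-numeric cookie before running the DELETE statements.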
Property changes on: vendor/bugzilla/current/Bugzilla/Auth/CGI.pm
___________________________________________________________________
Name: svn:eol-style
   + native

Added: vendor/bugzilla/current/Bugzilla/Auth/Cookie.pm
--- vendor/bugzilla/current/Bugzilla/Auth/Cookie.pm	2005-10-25 14:03:20 UTC (rev 18767)
+++ vendor/bugzilla/current/Bugzilla/Auth/Cookie.pm	2005-10-25 15:05:06 UTC (rev 18768)
@@ -0,0 +1,113 @@
+# -*- Mode: perl; indent-tabs-mode: nil -*-
+#
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+#
+# The Original Code is the Bugzilla Bug Tracking System.
+#
+# The Initial Developer of the Original Code is Netscape Communications
+# Corporation. Portions created by Netscape are
+# Copyright (C) 1998 Netscape Communications Corporation. All
+# Rights Reserved.
+#
+# Contributor(s): Terry Weissman <terry@mozilla.org>
+#                 Dan Mosedale <dmose@mozilla.org>
+#                 Joe Robins <jmrobins@tgix.com>
+#                 Dave Miller <justdave@syndicomm.com>
+#                 Christopher Aillon <christopher@aillon.com>
+#                 Gervase Markham <gerv@gerv.net>
+#                 Christian Reis <kiko@async.com.br>
+#                 Bradley Baetz <bbaetz@acm.org>
+
+package Bugzilla::Auth::Cookie;
+
+use strict;
+
+use Bugzilla::Auth;
+use Bugzilla::Config;
+use Bugzilla::Constants;
+use Bugzilla::Util;
+
+sub authenticate {
+    my ($class, $login, $login_cookie) = @_;
+
+    return (AUTH_NODATA) unless defined $login && defined $login_cookie;
+
+    my $cgi = Bugzilla->cgi;
+
+    my $ipaddr = $cgi->remote_addr();
+    my $netaddr = Bugzilla::Auth::get_netaddr($ipaddr);
+
+    # Anything goes for these params - they're just strings which
+    # we're going to verify against the db
+    trick_taint($login);
+    trick_taint($login_cookie);
+    trick_taint($ipaddr);
+
+    my $query = "SELECT profiles.userid, profiles.disabledtext " .
+                "FROM logincookies, profiles " .
+                "WHERE logincookies.cookie=? AND " .
+                "  logincookies.userid=profiles.userid AND " .
+                "  logincookies.userid=? AND " .
+                "  (logincookies.ipaddr=?";
+    my @params = ($login_cookie, $login, $ipaddr);
+    if (defined $netaddr) {
+        trick_taint($netaddr);
+        $query .= " OR logincookies.ipaddr=?";
+        push(@params, $netaddr);
+    }
+    $query .= ")";
+
+    my $dbh = Bugzilla->dbh;
+    my ($userid, $disabledtext) = $dbh->selectrow_array($query, undef, @params);
+
+    return (AUTH_DISABLED, $userid, $disabledtext)
+      if ($disabledtext);
+
+    if ($userid) {
+        # If we logged in successfully, then update the lastused time on the
+        # login cookie
+        $dbh->do("UPDATE logincookies SET lastused=NULL WHERE cookie=?",
+                 undef,
+                 $login_cookie);
+
+        return (AUTH_OK, $userid);
+    }
+
+    # If we get here, then the login failed.
+    return (AUTH_LOGINFAILED);
+}
+
+1;
+
+__END__
+
+=head1 NAME
+
+Bugzilla::Cookie - cookie authentication for Bugzilla
+
+=head1 SUMMARY
+
+This is an L<authentication module|Bugzilla::Auth/"AUTHENTICATION"> for
+Bugzilla, which logs the user in using a persistent cookie stored in the
+C<logincookies> table.
+
+The actual password is not stored in the cookie; only the userid and a
+I<logincookie> (which is used to reverify the login without requiring the
+password to be sent over the network) are. These I<logincookies> are
+restricted to certain IP addresses as a security meaure. The exact
+restriction can be specified by the admin via the C<loginnetmask> parameter.
+
+This module does not ever send a cookie (It has no way of knowing when a user
+is successfully logged in). Instead L<Bugzilla::Auth::CGI> handles this.
+
+=head1 SEE ALSO
+
+L<Bugzilla::Auth>, L<Bugzilla::Auth::CGI>
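Review bot: In authenticate(), the comment says the lastused time is updated, but the statement is "UPDATE logincookies SET lastused=NULL", which only does that if the column type turns NULL into the current time. Either say so in the comment or write NOW() explicitly, as the cleanup query in Auth/CGI.pm does, so the 30-day expiry there does not depend on an unstated schema detail. In the POD, the NAME section reads "Bugzilla::Cookie" while the package is Bugzilla::Auth::Cookie, and "meaure" should be "measure".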
Property changes on: vendor/bugzilla/current/Bugzilla/Auth/Cookie.pm
___________________________________________________________________
Name: svn:eol-style
   + native

Added: vendor/bugzilla/current/Bugzilla/Auth/DB.pm
--- vendor/bugzilla/current/Bugzilla/Auth/DB.pm	2005-10-25 14:03:20 UTC (rev 18767)
+++ vendor/bugzilla/current/Bugzilla/Auth/DB.pm	2005-10-25 15:05:06 UTC (rev 18768)
@@ -0,0 +1,124 @@
+# -*- Mode: perl; indent-tabs-mode: nil -*-
+#
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+#
+# The Original Code is the Bugzilla Bug Tracking System.
+#
+# The Initial Developer of the Original Code is Netscape Communications
+# Corporation. Portions created by Netscape are
+# Copyright (C) 1998 Netscape Communications Corporation. All
+# Rights Reserved.
+#
+# Contributor(s): Terry Weissman <terry@mozilla.org>
+#                 Dan Mosedale <dmose@mozilla.org>
+#                 Joe Robins <jmrobins@tgix.com>
+#                 Dave Miller <justdave@syndicomm.com>
+#                 Christopher Aillon <christopher@aillon.com>
+#                 Gervase Markham <gerv@gerv.net>
+#                 Christian Reis <kiko@async.com.br>
+#                 Bradley Baetz <bbaetz@acm.org>
+
+package Bugzilla::Auth::DB;
+
+use strict;
+
+use Bugzilla::Config;
+use Bugzilla::Constants;
+use Bugzilla::Util;
+
+sub authenticate {
+    my ($class, $username, $passwd) = @_;
+
+    return (AUTH_NODATA) unless defined $username && defined $passwd;
+
+    # We're just testing against the db: any value is ok
+    trick_taint($username);
+
+    my $userid = $class->get_id_from_username($username);
+    return (AUTH_LOGINFAILED) unless defined $userid;
+
+    return (AUTH_LOGINFAILED, $userid) 
+        unless $class->check_password($userid, $passwd);
+
+    # The user's credentials are okay, so delete any outstanding
+    # password tokens they may have generated.
+    require Bugzilla::Token;
+    Bugzilla::Token::DeletePasswordTokens($userid, "user_logged_in");
+
+    # Account may have been disabled
+    my $disabledtext = $class->get_disabled($userid);
+    return (AUTH_DISABLED, $userid, $disabledtext)
+      if $disabledtext ne '';
+
+    return (AUTH_OK, $userid);
+}
+
+sub can_edit { return 1; }
+
+sub get_id_from_username {
+    my ($class, $username) = @_;
+    my $dbh = Bugzilla->dbh;
+    my $sth = $dbh->prepare_cached("SELECT userid FROM profiles " .
+                                   "WHERE login_name=?");
+    my ($userid) = $dbh->selectrow_array($sth, undef, $username);
+    return $userid;
+}
+
+sub get_disabled {
+    my ($class, $userid) = @_;
+    my $dbh = Bugzilla->dbh;
+    my $sth = $dbh->prepare_cached("SELECT disabledtext FROM profiles " .
+                                   "WHERE userid=?");
+    my ($text) = $dbh->selectrow_array($sth, undef, $userid);
+    return $text;
+}
+
+sub check_password {
+    my ($class, $userid, $passwd) = @_;
+    my $dbh = Bugzilla->dbh;
+    my $sth = $dbh->prepare_cached("SELECT cryptpassword FROM profiles " .
+                                   "WHERE userid=?");
+    my ($realcryptpwd) = $dbh->selectrow_array($sth, undef, $userid);
+
+    # Get the salt from the user's crypted password.
+    my $salt = $realcryptpwd;
+
+    # Using the salt, crypt the password the user entered.
+    my $enteredCryptedPassword = crypt($passwd, $salt);
+
+    return $enteredCryptedPassword eq $realcryptpwd;
+}
+
+sub change_password {
+    my ($class, $userid, $password) = @_;
+    my $dbh = Bugzilla->dbh;
+    my $cryptpassword = Crypt($password);
+    $dbh->do("UPDATE profiles SET cryptpassword = ? WHERE userid = ?", 
+             undef, $cryptpassword, $userid);
+}
+
+1;
+
+__END__
+
+=head1 NAME
+
+Bugzilla::Auth::DB - database authentication for Bugzilla
+
+=head1 SUMMARY
+
+This is an L<authentication module|Bugzilla::Auth/"AUTHENTICATION"> for
+Bugzilla, which logs the user in using the password stored in the C<profiles>
+table. This is the most commonly used authentication module.
+
+=head1 SEE ALSO
+
+L<Bugzilla::Auth>
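Review bot: authenticate() returns (AUTH_LOGINFAILED) for an unknown login but (AUTH_LOGINFAILED, $userid) for a wrong password, so the two cases are distinguishable to any caller that looks at the second element. This works against the stated intent in Auth/CGI.pm of not revealing whether the username exists. Return the same shape in both cases, or document that $userid must never reach the user on failure. Separately, change_password() calls Crypt($password) while check_password() uses the builtin crypt(); no definition or import of Crypt is visible in this file, so add a comment or an explicit import saying where it comes from, as Attachment.pm does for its CGI.pl dependency.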
Property changes on: vendor/bugzilla/current/Bugzilla/Auth/DB.pm
___________________________________________________________________
Name: svn:eol-style
   + native

Added: vendor/bugzilla/current/Bugzilla/Auth/LDAP.pm
--- vendor/bugzilla/current/Bugzilla/Auth/LDAP.pm	2005-10-25 14:03:20 UTC (rev 18767)
+++ vendor/bugzilla/current/Bugzilla/Auth/LDAP.pm	2005-10-25 15:05:06 UTC (rev 18768)
@@ -0,0 +1,185 @@
+# -*- Mode: perl; indent-tabs-mode: nil -*-
+#
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+#
+# The Original Code is the Bugzilla Bug Tracking System.
+#
+# The Initial Developer of the Original Code is Netscape Communications
+# Corporation. Portions created by Netscape are
+# Copyright (C) 1998 Netscape Communications Corporation. All
+# Rights Reserved.
+#
+# Contributor(s): Terry Weissman <terry@mozilla.org>
+#                 Dan Mosedale <dmose@mozilla.org>
+#                 Joe Robins <jmrobins@tgix.com>
+#                 Dave Miller <justdave@syndicomm.com>
+#                 Christopher Aillon <christopher@aillon.com>
+#                 Gervase Markham <gerv@gerv.net>
+#                 Christian Reis <kiko@async.com.br>
+#                 Bradley Baetz <bbaetz@acm.org>
+
+package Bugzilla::Auth::LDAP;
+
+use strict;
+
+use Bugzilla::Config;
+use Bugzilla::Constants;
+
+use Net::LDAP;
+
+sub authenticate {
+    my ($class, $username, $passwd) = @_;
+
+    # If no password was provided, then fail the authentication.
+    # While it may be valid to not have an LDAP password, when you
+    # bind without a password (regardless of the binddn value), you
+    # will get an anonymous bind.  I do not know of a way to determine
+    # whether a bind is anonymous or not without making changes to the
+    # LDAP access control settings
+    return (AUTH_NODATA) unless $username && $passwd;
+
+    # We need to bind anonymously to the LDAP server.  This is
+    # because we need to get the Distinguished Name of the user trying
+    # to log in.  Some servers (such as iPlanet) allow you to have unique
+    # uids spread out over a subtree of an area (such as "People"), so
+    # just appending the Base DN to the uid isn't sufficient to get the
+    # user's DN.  For servers which don't work this way, there will still
+    # be no harm done.
+    my $LDAPserver = Param("LDAPserver");
+    if ($LDAPserver eq "") {
+        return (AUTH_ERROR, undef, "server_not_defined");
+    }
+
+    my $LDAPport = "389";  # default LDAP port
+    if($LDAPserver =~ /:/) {
+        ($LDAPserver, $LDAPport) = split(":",$LDAPserver);
+    }
+    my $LDAPconn = Net::LDAP->new($LDAPserver, port => $LDAPport, version => 3);
+    if(!$LDAPconn) {
+        return (AUTH_ERROR, undef, "connect_failed");
+    }
+
+    my $mesg;
+    if (Param("LDAPbinddn")) {
+        my ($LDAPbinddn,$LDAPbindpass) = split(":",Param("LDAPbinddn"));
+        $mesg = $LDAPconn->bind($LDAPbinddn, password => $LDAPbindpass);
+    }
+    else {
+        $mesg = $LDAPconn->bind();
+    }
+    if($mesg->code) {
+        return (AUTH_ERROR, undef,
+                "connect_failed",
+                { errstr => $mesg->error });
+    }
+
+    # We've got our anonymous bind;  let's look up this user.
+    $mesg = $LDAPconn->search( base   => Param("LDAPBaseDN"),
+                               scope  => "sub",
+                               filter => '(&(' . Param("LDAPuidattribute") . "=$username)" . Param("LDAPfilter") . ')',
+                               attrs  => ['dn'],
+                             );
+    return (AUTH_LOGINFAILED, undef, "lookup_failure")
+        unless $mesg->count;
+
+    # Now we get the DN from this search.
+    my $userDN = $mesg->shift_entry->dn;
+
+    # Now we attempt to bind as the specified user.
+    $mesg = $LDAPconn->bind( $userDN, password => $passwd);
+
+    return (AUTH_LOGINFAILED) if $mesg->code;
+
+    # And now we're going to repeat the search, so that we can get the
+    # mail attribute for this user.
+    $mesg = $LDAPconn->search( base   => Param("LDAPBaseDN"),
+                               scope  => "sub",
+                               filter => '(&(' . Param("LDAPuidattribute") . "=$username)" . Param("LDAPfilter") . ')',
+                             );
+    my $user_entry = $mesg->shift_entry if !$mesg->code && $mesg->count;
+    if(!$user_entry || !$user_entry->exists(Param("LDAPmailattribute"))) {
+        return (AUTH_ERROR, undef,
+                "cannot_retreive_attr",
+                { attr => Param("LDAPmailattribute") });
+    }
+
+    # get the mail attribute
+    $username = $user_entry->get_value(Param("LDAPmailattribute"));
+    # OK, so now we know that the user is valid. Lets try finding them in the
+    # Bugzilla database
+
+    # XXX - should this part be made more generic, and placed in
+    # Bugzilla::Auth? Lots of login mechanisms may have to do this, although
+    # until we actually get some more, its hard to know - BB
+
+    my $dbh = Bugzilla->dbh;
+    my $sth = $dbh->prepare_cached("SELECT userid, disabledtext " .
+                                   "FROM profiles " .
+                                   "WHERE login_name=?");
+    my ($userid, $disabledtext) =
+      $dbh->selectrow_array($sth,
+                            undef,
+                            $username);
+
+    # If the user doesn't exist, then they need to be added
+    unless ($userid) {
+        # We'll want the user's name for this.
+        my $userRealName = $user_entry->get_value("displayName");
+        if($userRealName eq "") {
+            $userRealName = $user_entry->get_value("cn");
+        }
+        &::InsertNewUser($username, $userRealName);
+
+        ($userid, $disabledtext) = $dbh->selectrow_array($sth,
+                                                         undef,
+                                                         $username);
+        return (AUTH_ERROR, $userid, "no_userid")
+          unless $userid;
+    }
+
+    # we're done, so disconnect
+    $LDAPconn->unbind;
+
+    # Test for disabled account
+    return (AUTH_DISABLED, $userid, $disabledtext)
+      if $disabledtext ne '';
+
+    # If we get to here, then the user is allowed to login, so we're done!
+    return (AUTH_OK, $userid);
+}
+
+sub can_edit { return 0; }
+
+1;
+
+__END__
+
+=head1 NAME
+
+Bugzilla::Auth::LDAP - LDAP based authentication for Bugzilla
+
+This is an L<authentication module|Bugzilla::Auth/"AUTHENTICATION"> for
+Bugzilla, which logs the user in using an LDAP directory.
+
+=head1 DISCLAIMER
+
+B<This module is experimental>. It is poorly documented, and not very flexible.
+Search L<http://bugzilla.mozilla.org/> for a list of known LDAP bugs.
+
+None of the core Bugzilla developers, nor any of the large installations, use
+this module, and so it has received less testing. (In fact, this iteration
+hasn't been tested at all)
+
+Patches are accepted.
+
+=head1 SEE ALSO
+
+L<Bugzilla::Auth>
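Review bot: $username is concatenated unescaped into the LDAP filter in both search() calls (`"=$username)"`), so filter metacharacters such as `*`, `(`, `)` and `\` in the submitted login change what the filter matches. Escape the value per RFC 4515 before building the filter (Net::LDAP::Util::escape_filter_value does this). The first search also calls `shift_entry` after checking only `$mesg->count`, never `$mesg->code` and never that exactly one entry matched, so an ambiguous match binds against whichever DN is returned first; require a count of 1 and fail otherwise. Two smaller points: `$LDAPconn->unbind` runs only on the success path, so every early return after the connect leaves the connection open, and `split(":", Param("LDAPbinddn"))` into two variables drops everything after a second colon, which truncates a bind password that contains one.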
Property changes on: vendor/bugzilla/current/Bugzilla/Auth/LDAP.pm
___________________________________________________________________
Name: svn:eol-style
   + native

Added: vendor/bugzilla/current/Bugzilla/Auth.pm
--- vendor/bugzilla/current/Bugzilla/Auth.pm	2005-10-25 14:03:20 UTC (rev 18767)
+++ vendor/bugzilla/current/Bugzilla/Auth.pm	2005-10-25 15:05:06 UTC (rev 18768)
@@ -0,0 +1,254 @@
+# -*- Mode: perl; indent-tabs-mode: nil -*-
+#
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+#
+# The Original Code is the Bugzilla Bug Tracking System.
+#
+# The Initial Developer of the Original Code is Netscape Communications
+# Corporation. Portions created by Netscape are
+# Copyright (C) 1998 Netscape Communications Corporation. All
+# Rights Reserved.
+#
+# Contributor(s): Bradley Baetz <bbaetz@acm.org>
+
+package Bugzilla::Auth;
+
+use strict;
+
+use Bugzilla::Config;
+use Bugzilla::Constants;
+
+# 'inherit' from the main loginmethod
+BEGIN {
+    my $loginmethod = Param("loginmethod");
+    if ($loginmethod =~ /^([A-Za-z0-9_\.\-]+)$/) {
+        $loginmethod = $1;
+    }
+    else {
+        die "Badly-named loginmethod '$loginmethod'";
+    }
+    require "Bugzilla/Auth/" . $loginmethod . ".pm";
+
+    our @ISA;
+    push (@ISA, "Bugzilla::Auth::" . $loginmethod);
+}
+
+# PRIVATE
+
+# Returns the network address for a given ip
+sub get_netaddr {
+    my $ipaddr = shift;
+
+    # Check for a valid IPv4 addr which we know how to parse
+    if (!$ipaddr || $ipaddr !~ /^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/) {
+        return undef;
+    }
+
+    my $addr = unpack("N", pack("CCCC", split(/\./, $ipaddr)));
+
+    my $maskbits = Param('loginnetmask');
+
+    $addr >>= (32-$maskbits);
+    $addr <<= (32-$maskbits);
+    return join(".", unpack("CCCC", pack("N", $addr)));
+}
+
+1;
+
+__END__
+
+=head1 NAME
+
+Bugzilla::Auth - Authentication handling for Bugzilla users
+
+=head1 DESCRIPTION
+
+Handles authentication for Bugzilla users.
+
+Authentication from Bugzilla involves two sets of modules. One set is
+used to obtain the data (from CGI, email, etc), and the other set uses
+this data to authenticate against the datasource (the Bugzilla DB, LDAP,
+cookies, etc).
+
+The handlers for the various types of authentication
+(DB/LDAP/cookies/etc) provide the actual code for each specific method
+of authentication.
+
+The source modules (currently, only
+L<Bugzilla::Auth::CGI|Bugzilla::Auth::CGI>) then use those methods to do
+the authentication.
+
+I<Bugzilla::Auth> itself inherits from the default authentication handler,
+identified by the I<loginmethod> param.
+
+=head1 METHODS
+
+C<Bugzilla::Auth> contains several helper methods to be used by
+authentication or login modules.
+
+=over 4
+
+=item C<Bugzilla::Auth::get_netaddr($ipaddr)>
+
+Given an ip address, this returns the associated network address, using
+C<Param('loginnetmask')> as the netmask. This can be used to obtain data
+in order to restrict weak authentication methods (such as cookies) to
+only some addresses.
+
+=back
+
+=head1 AUTHENTICATION
+
+Authentication modules check a user's credentials (username, password,
+etc) to verify who the user is.
+
+=head2 METHODS
+
+=over 4
+
+=item C<authenticate($username, $pass)>
+
+This method is passed a username and a password, and returns a list
+containing up to four return values, depending on the results of the
+authentication.
+
+The first return value is one of the status codes defined in
+L<Bugzilla::Constants|Bugzilla::Constants> and described below.  The
+rest of the return values are status code-specific and are explained in
+the status code descriptions.
+
+=over 4
+
+=item C<AUTH_OK>
+
+Authentication succeeded. The second variable is the userid of the new
+user.
+
+=item C<AUTH_NODATA>
+
+Insufficient login data was provided by the user. This may happen in several
+cases, such as cookie authentication when the cookie is not present.
+
+=item C<AUTH_ERROR>
+
+An error occurred when trying to use the login mechanism. The second return
+value may contain the Bugzilla userid, but will probably be C<undef>,
+signifiying that the userid is unknown. The third value is a tag describing
+the error used by the authentication error templates to print a description
+to the user. The optional fourth argument is a hashref of values used as part
+of the tag's error descriptions.
+
+This error template must have a name/location of
+I<account/auth/C<lc(authentication-type)>-error.html.tmpl>.
+
+=item C<AUTH_LOGINFAILED>
+
+An incorrect username or password was given. Note that for security reasons,
+both cases return the same error code. However, in the case of a valid
+username, the second argument may be the userid. The authentication
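Review bot: get_netaddr's IPv4 check (`\d{1,3}` per octet) accepts octets above 255, which `pack("CCCC", ...)` wraps instead of rejecting, and `Param('loginnetmask')` goes into `32-$maskbits` with no range check, so a mask outside 0..32 (or a mask of 0 on a perl with 32-bit integers, where the shift count becomes 32) produces an unreliable network address. The POD describes this value as the basis for restricting cookie logins to some addresses, so it should fail closed: reject any octet greater than 255, validate the mask before shifting, and return undef otherwise. In the BEGIN block, the loginmethod pattern also permits `.` and `-`, which a module name under Bugzilla/Auth/ does not need; `^[A-Za-z0-9_]+$` would be tighter.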
[truncated at 1000 lines; 163053 more skipped]