[ros-diffs] [cfinck] 38655: - It actually wasn't a very good idea to authenticate against the MD5 password hash instead of the password itself. This didn't really improve security, but just made things more difficult for the user. Change that, so the web service and rosautotest expect a password in the "rosautotest.ini" file now. - Read the "rosautotest.ini" from the application's directory instead of the Windows directory. - Little adjustmensts here and there

Author: cfinck Date: Thu Jan 8 17:09:10 2009 New Revision: 38655 URL: http://svn.reactos.org/svn/reactos?rev=38655&view=rev Log: - It actually wasn't a very good idea to authenticate against the MD5 password hash instead of the password itself. This didn't really improve security, but just made things more difficult for the user. Change that, so the web service and rosautotest expect a password in the "rosautotest.ini" file now. - Read the "rosautotest.ini" from the application's directory instead of the Windows directory. - Little adjustmensts here and there Modified: trunk/rostests/rosautotest/main.c trunk/rostests/rosautotest/webservice.c trunk/web/reactos.org/htdocs/testman/webservice/index.php Modified: trunk/rostests/rosautotest/main.c URL: http://svn.reactos.org/svn/reactos/trunk/rostests/rosautotest/main.c?rev=38… ============================================================================== --- trunk/rostests/rosautotest/main.c [iso-8859-1] (original) +++ trunk/rostests/rosautotest/main.c [iso-8859-1] Thu Jan 8 17:09:10 2009 @@ -53,22 +53,22 @@ } /** - * Gets the username and password hash from the "rosautotest.ini" file if the user enabled submitting the results to the web service. + * Gets the username and password from the "rosautotest.ini" file if the user enabled submitting the results to the web service. * The "rosautotest.ini" file should look like this: * * [Login] * UserName=TestMan - * PasswordHash=1234567890abcdef1234567890abcdef + * Password=TestPassword */ static BOOL IntGetConfigurationValues() { - const CHAR PasswordHashProp[] = "&passwordhash="; + const CHAR PasswordProp[] = "&password="; const CHAR UserNameProp[] = "&username="; DWORD DataLength; DWORD Length; - PCHAR PasswordHash; + PCHAR Password; PCHAR UserName; WCHAR ConfigFile[MAX_PATH]; @@ -76,13 +76,17 @@ if(!AppOptions.Submit) return TRUE; - /* Build the path to the configuration file */ - Length = GetWindowsDirectoryW(ConfigFile, MAX_PATH); + /* Build the path to the configuration file from the application's path */ + GetModuleFileNameW(NULL, ConfigFile, MAX_PATH); + Length = wcsrchr(ConfigFile, '\\') - ConfigFile; wcscpy(&ConfigFile[Length], L"\\rosautotest.ini"); /* Check if it exists */ if(GetFileAttributesW(ConfigFile) == INVALID_FILE_ATTRIBUTES) + { + StringOut("Missing \"rosautotest.ini\" configuration file!\n"); return FALSE; + } /* Get the required length of the authentication request string */ DataLength = sizeof(UserNameProp) - 1; @@ -97,12 +101,12 @@ /* Some characters might need to be escaped and an escaped character takes 3 bytes */ DataLength += 3 * Length; - DataLength += sizeof(PasswordHashProp) - 1; - Length = IntGetINIValueA(L"Login", L"PasswordHash", ConfigFile, &PasswordHash); + DataLength += sizeof(PasswordProp) - 1; + Length = IntGetINIValueA(L"Login", L"Password", ConfigFile, &Password); if(!Length) { - StringOut("PasswordHash is missing in the configuration file\n"); + StringOut("Password is missing in the configuration file\n"); return FALSE; } @@ -114,8 +118,8 @@ strcpy(AuthenticationRequestString, UserNameProp); EscapeString(&AuthenticationRequestString[strlen(AuthenticationRequestString)], UserName); - strcat(AuthenticationRequestString, PasswordHashProp); - EscapeString(&AuthenticationRequestString[strlen(AuthenticationRequestString)], PasswordHash); + strcat(AuthenticationRequestString, PasswordProp); + EscapeString(&AuthenticationRequestString[strlen(AuthenticationRequestString)], Password); return TRUE; } Modified: trunk/rostests/rosautotest/webservice.c URL: http://svn.reactos.org/svn/reactos/trunk/rostests/rosautotest/webservice.c?… ============================================================================== --- trunk/rostests/rosautotest/webservice.c [iso-8859-1] (original) +++ trunk/rostests/rosautotest/webservice.c [iso-8859-1] Thu Jan 8 17:09:10 2009 @@ -170,6 +170,7 @@ { StringOut("Expected Test ID, but received:\n"); StringOut(Data); + StringOut("\n"); HeapFree(hProcessHeap, 0, Data); return NULL; } @@ -248,6 +249,7 @@ { StringOut("Expected Suite ID, but received:\n"); StringOut(Data); + StringOut("\n"); HeapFree(hProcessHeap, 0, Data); return NULL; } Modified: trunk/web/reactos.org/htdocs/testman/webservice/index.php URL: http://svn.reactos.org/svn/reactos/trunk/web/reactos.org/htdocs/testman/web… ============================================================================== --- trunk/web/reactos.org/htdocs/testman/webservice/index.php [iso-8859-1] (original) +++ trunk/web/reactos.org/htdocs/testman/webservice/index.php [iso-8859-1] Thu Jan 8 17:09:10 2009 @@ -24,7 +24,7 @@ // Entry point - if(!isset($_POST["username"]) || !isset($_POST["passwordhash"]) || !isset($_POST["testtype"])) + if(!isset($_POST["username"]) || !isset($_POST["password"]) || !isset($_POST["testtype"])) die("Necessary information not specified!"); // Check the login credentials @@ -38,9 +38,9 @@ die("Could not establish the DB connection"); } - $stmt = $dbh->prepare("SELECT user_id FROM " . DB_ROSCMS . ".users WHERE user_name = :username AND user_roscms_password = :passwordhash AND user_account_enabled = 'yes'"); + $stmt = $dbh->prepare("SELECT user_id FROM " . DB_ROSCMS . ".users WHERE user_name = :username AND user_roscms_password = MD5(:password) AND user_account_enabled = 'yes'"); $stmt->bindParam(":username", $_POST["username"]); - $stmt->bindParam(":passwordhash", $_POST["passwordhash"]); + $stmt->bindParam(":password", $_POST["password"]); $stmt->execute() or die("SQL failed #1"); $user_id = (int)$stmt->fetchColumn();