summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJonas Smedegaard <dr@jones.dk>2008-06-14 01:13:43 +0200
committerJonas Smedegaard <dr@jones.dk>2008-06-14 01:13:43 +0200
commit52f169ea3440eac1df07bca4ab9871840ce8f8af (patch)
tree0901f64ca271bc3f02b6c00f689e0db5b21a9bf4
parent2f1163e14125ab7e9733473f735f221eb9d1aaeb (diff)
Tighten currentbranch match.
-rw-r--r--make/git.mk2
1 files changed, 1 insertions, 1 deletions
diff --git a/make/git.mk b/make/git.mk
index b870f1b..332d82f 100644
--- a/make/git.mk
+++ b/make/git.mk
@@ -7,7 +7,7 @@ branches = $(master)
# local name of origin
origin = origin
-currentbranch := $(shell git branch | grep \* | awk '{ print $2 }')
+currentbranch := $(shell git branch | grep ^\* | awk '{ print $2 }')
noncurrentbranches = $(filter-out $(currentbranch),$(branches))
update:
t">;
  • # use the central database handle
  • my $dbh = ${LedgerSMB::Sysconfig::GLOBALDBH};
  • my $checkQuery = $dbh->prepare("SELECT u.username, s.transaction_id
  • FROM session as s, users as u
  • WHERE s.session_id = ?
  • AND s.token = ?
  • AND s.users_id = u.id
  • AND s.last_used > now() - ?::interval");
  • my $updateAge = $dbh->prepare("UPDATE session
  • SET last_used = now(),
  • transaction_id = ?
  • WHERE session_id = ?;");
  • #must be an integer
  • $sessionID =~ s/[^0-9]//g;
  • $sessionID = int $sessionID;
  • $transactionID =~ s/[^0-9]//g;
  • $transactionID = int $transactionID;
  • #must be 32 chars long and contain hex chars
  • $token =~ s/[^0-9a-f]//g;
  • $token = substr($token, 0, 32);
  • if (!$myconfig{timeout}){
  • $timeout = "1 day";
  • } else {
  • $timeout = "$myconfig{timeout} seconds";
  • }
  • $checkQuery->execute($sessionID, $token, $timeout)
  • || $form->dberror(__FILE__.':'.__LINE__.': Looking for session: ');
  • my $sessionValid = $checkQuery->rows;
  • if($sessionValid){
  • #user has a valid session cookie, now check the user
  • my ($sessionLogin, $sessionTransaction) = $checkQuery->fetchrow_array;
  • my $login = $form->{login};
  • $login =~ s/[^a-zA-Z0-9._+@-]//g;
  • if(($sessionLogin eq $login) and ($sessionTransaction eq $transactionID)){
  • #microseconds are more than random enough for transaction_id
  • my ($ignore, $newTransactionID) = gettimeofday();
  • $newTransactionID = int $newTransactionID;
  • $updateAge->execute($newTransactionID, $sessionID)
  • || $form->dberror(__FILE__.':'.__LINE__.': Updating session age: ');
  • $newCookieValue = $sessionID . ':'.$newTransactionID.':' . $token;
  • #now update the cookie in the browser
  • print qq|Set-Cookie: LedgerSMB=$newCookieValue; path=/;\n|;
  • return 1;
  • } else {
  • #something's wrong, they have the cookie, but wrong user or the wrong transaction id. Hijack attempt?
  • #destroy the session
  • my $sessionDestroy = $dbh->prepare("");
  • #delete the cookie in the browser
  • print qq|Set-Cookie: LedgerSMB=; path=/;\n|;
  • return 0;
  • }
  • } else {
  • #cookie is not valid
  • #delete the cookie in the browser
  • print qq|Set-Cookie: LedgerSMB=; path=/;\n|;
  • return 0;
  • }
  • }
  • sub session_create {
  • use Time::HiRes qw(gettimeofday);
  • #microseconds are more than random enough for transaction_id
  • my ($ignore, $newTransactionID) = gettimeofday();
  • $newTransactionID = int $newTransactionID;
  • my ($form) = @_;
  • if (! $ENV{HTTP_HOST}){
  • #don't create cookies or sessions for CLI use
  • return 1;
  • }
  • # use the central database handle
  • my $dbh = ${LedgerSMB::Sysconfig::GLOBALDBH};
  • # TODO Change this to use %myconfig
  • my $deleteExisting = $dbh->prepare("DELETE FROM session
  • USING users
  • WHERE users.username = ?
  • AND users.id = session.users_id
  • AND age(last_used) > ?::interval");
  • my $seedRandom = $dbh->prepare("SELECT setseed(?);");
  • my $fetchSequence = $dbh->prepare("SELECT nextval('session_session_id_seq'), md5(random());");
  • my $createNew = $dbh->prepare("INSERT INTO session (session_id, users_id, token, transaction_id)
  • VALUES(?, (SELECT id
  • FROM users
  • WHERE username = ?), ?, ?);");
  • # this is assuming that $form->{login} is safe, which might be a bad assumption
  • # so, I'm going to remove some chars, which might make previously valid logins invalid
  • my $login = $form->{login};
  • $login =~ s/[^a-zA-Z0-9._+@'-]//g;
  • #delete any existing stale sessions with this login if they exist
  • if (!$myconfig{timeout}){
  • $myconfig{timeout} = 86400;
  • }
  • $deleteExisting->execute($login, "$myconfig{timeout} seconds")
  • || $form->dberror(__FILE__.':'.__LINE__.': Delete from session: ');
  • #doing the random stuff in the db so that LedgerSMB won't
  • #require a good random generator - maybe this should be reviewed, pgsql's isn't great either
  • $fetchSequence->execute() || $form->dberror(__FILE__.':'.__LINE__.': Fetch sequence id: ');
  • my ($newSessionID, $newToken) = $fetchSequence->fetchrow_array;
  • #create a new session
  • $createNew->execute($newSessionID, $login, $newToken, $newTransactionID)
  • || $form->dberror(__FILE__.':'.__LINE__.': Create new session: ');
  • #reseed the random number generator
  • my $randomSeed = 1.0 * ('0.'. (time() ^ ($$ + ($$ <<15))));
  • $seedRandom->execute($randomSeed)
  • || $form->dberror(__FILE__.':'.__LINE__.': Reseed random generator: ');
  • $newCookieValue = $newSessionID . ':'.$newTransactionID.':' . $newToken;
  • #now set the cookie in the browser
  • #TODO set domain from ENV, also set path to install path
  • print qq|Set-Cookie: LedgerSMB=$newCookieValue; path=/;\n|;
  • $form->{LedgerSMB} = $newCookieValue;
  • }
  • sub session_destroy {
  • my ($form) = @_;
  • my $login = $form->{login};
  • $login =~ s/[^a-zA-Z0-9._+@'-]//g;
  • # use the central database handle
  • my $dbh = ${LedgerSMB::Sysconfig::GLOBALDBH};
  • my $deleteExisting = $dbh->prepare("DELETE FROM session
  • USING users
  • WHERE users.username = ?
  • AND users.id = session.users_id;");
  • $deleteExisting->execute($login)
  • || $form->dberror(__FILE__.':'.__LINE__.': Delete from session: ');
  • #delete the cookie in the browser
  • print qq|Set-Cookie: LedgerSMB=; path=/;\n|;
  • }
  • sub password_check {
  • use Digest::MD5;
  • my ($form, $username, $password) = @_;
  • $username =~ s/[^a-zA-Z0-9._+@-]//g;
  • # use the central database handle
  • my $dbh = ${LedgerSMB::Sysconfig::GLOBALDBH};
  • my $fetchPassword = $dbh->prepare("SELECT uc.password, uc.crypted_password
  • FROM users as u, users_conf as uc
  • WHERE u.username = ?
  • AND u.id = uc.id;");
  • $fetchPassword->execute($username) || $form->dberror(__FILE__.':'.__LINE__.': Fetching password : ');
  • my ($md5Password, $cryptPassword) = $fetchPassword->fetchrow_array;
  • if ($cryptPassword){
  • #First time login from old system, check crypted password
  • if ((crypt $password, substr($username, 0, 2)) eq $cryptPassword) {
  • #password was good, convert to md5 password and null crypted
  • my $updatePassword = $dbh->prepare("UPDATE users_conf
  • SET password = md5(?),
  • crypted_password = null
  • FROM users
  • WHERE users_conf.id = users.id
  • AND users.username = ?;");
  • $updatePassword->execute($password, $username)
  • || $form->dberror(__FILE__.':'.__LINE__.': Converting password : ');
  • return 1;
  • } else {
  • return 0; #password failed
  • }
  • }elsif ($md5Password){
  • if ($md5Password ne (Digest::MD5::md5_hex $password) ) {
  • return 0;
  • }
  • else{
  • return 1;
  • }
  • } else {
  • #both the md5Password and cryptPasswords were blank
  • return 0;
  • }
  • }
  • 1;