-rwxr-xr-x | LedgerSMB/Form.pm | 24 | ||||
-rwxr-xr-x | LedgerSMB/Session/DB.pm | 66 | ||||
-rwxr-xr-x | LedgerSMB/User.pm | 54 | ||||
-rwxr-xr-x | bin/login.pl | 1 | ||||
-rwxr-xr-x | menu.pl | 9 | ||||
-rwxr-xr-x | sql/Pg-central.sql | 2 |
6 files changed, 97 insertions, 59 deletions
diff --git a/LedgerSMB/Form.pm b/LedgerSMB/Form.pm
index d514adf7..347f0c78 100755
--- a/LedgerSMB/Form.pm
+++ b/LedgerSMB/Form.pm
@@ -272,8 +272,6 @@ sub header {
 $self->{titlebar} = ($self->{title}) ? "$self->{title} - $self->{titlebar}" : $self->{titlebar};
- $self->set_cookie($init);
-
 print qq|Content-Type: text/html\n\n
 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
 "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
@@ -295,28 +293,6 @@ sub header {
 $self->{header} = 1;
 }
-
-sub set_cookie {
-
- my ($self, $init) = @_;
-
- $self->{timeout} = ($self->{timeout} > 0) ? $self->{timeout} : 3600;
- my $t = ($self->{endsession}) ? time : time + $self->{timeout};
-
- if ($ENV{HTTP_USER_AGENT}) {
-
- my @d = split / +/, scalar gmtime($t);
- my $today = "$d[0], $d[2]-$d[1]-$d[4] $d[3] GMT";
-
- if ($init) {
- $self->{sessionid} = time;
- }
-
- print qq|Set-Cookie: LedgerSMB-$self->{login}=$self->{sessionid}; expires=$today; path=/;\n| if $self->{login};
- }
-}
-
-
 sub redirect {
 my ($self, $msg) = @_;
diff --git a/LedgerSMB/Session/DB.pm b/LedgerSMB/Session/DB.pm
index 1f215b13..c38d1de1 100755
--- a/LedgerSMB/Session/DB.pm
+++ b/LedgerSMB/Session/DB.pm
@@ -23,6 +23,9 @@
 # create - creates a new session, writes cookie upon success
 #
 # destroy - destroys session
+#
+# password_check - compares the password with the stored cryted password
+# (ver. < 1.2) and the md5 one (ver. >= 1.2)
 #====================================================================
 package Session;
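Review bot: The new header comment in Session/DB.pm misspells "crypted" as `cryted`, and it does not say what the function does on a successful legacy match, which the body added later in this commit shows is a one-way rewrite of the row. Suggest `# password_check - compares the password with the stored crypt(3) password` followed by `#                  (ver. < 1.2) or the md5 one (ver. >= 1.2); a matching crypt(3) hash is replaced by md5 and crypted_password is nulled`. The Form.pm hunks are pure removal of the old per-login cookie and need no comment.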
@@ -112,8 +115,8 @@ sub session_create {
 $deleteExisting->execute($login, "$myconfig{timeout} seconds") || $form->dberror(__FILE__.':'.__LINE__.': Delete from session: ');
- #doing the md5 and random stuff in the db so that LedgerSMB won't
- #require new perl modules (Digest::MD5 and a good random generator)
+ #doing the random stuff in the db so that LedgerSMB won't
+ #require a good random generator - maybe this should be reviewed, pgsql's isn't great either
 $fetchSequence->execute() || $form->dberror(__FILE__.':'.__LINE__.': Fetch sequence id: ');
 my ($newSessionID, $newToken) = $fetchSequence->fetchrow_array;
@@ -134,11 +137,6 @@ sub session_create {
 sub session_destroy {
- # Under the current architecture, this function is a bit problematic
- # %myconfig is often not defined when this function needs to be called.
- # which means that the db connection parameters are not available.
- # moving user prefs and the session table into a central db will solve this issue
-
 my ($form) = @_;
 my $login = $form->{login};
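Review bot: The rewritten comment in session_create records that the database-side random generator is weak but leaves it as an aside, while this same commit makes `Session::session_check` on the `LedgerSMB` cookie the only per-request authentication gate in menu.pl, so the unpredictability of `$newToken` is now the whole of session security. Make it an actionable marker rather than a shrug, e.g. `#require a good random generator. TODO(security): PostgreSQL random() is not cryptographically strong; session tokens must come from a CSPRNG before release.` The statement that yields `$newSessionID` and `$newToken` is prepared outside this hunk, so I cannot see which generator it actually uses; if `$newSessionID` is a plain sequence value, nothing in the session check should depend on it being secret.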
@@ -155,4 +153,58 @@ sub session_destroy {
 }
+sub password_check {
+
+ use Digest::MD5;
+
+ my ($form, $username, $password) = @_;
+
+ # use the central database handle
+ my $dbh = ${LedgerSMB::Sysconfig::GLOBALDBH};
+
+ my $fetchPassword = $dbh->prepare("SELECT uc.password, uc.crypted_password
+ FROM users as u, users_conf as uc
+ WHERE u.username = ?
+ AND u.id = uc.id;");
+
+ $fetchPassword->execute($username) || $form->dberror(__FILE__.':'.__LINE__.': Fetching password : ');
+
+ my ($md5Password, $cryptPassword) = $fetchPassword->fetchrow_array;
+
+ if ($cryptPassword){
+ #First time login from old system, check crypted password
+
+ if ((crypt $password, substr($username, 0, 2)) eq $cryptPassword) {
+
+ #password was good, convert to md5 password and null crypted
+ my $updatePassword = $dbh->prepare("UPDATE users_conf
+ SET password = md5(?),
+ crypted_password = null
+ FROM users
+ WHERE users_conf.id = users.id
+ AND users.username = ?;");
+
+ $updatePassword->execute($password, $username) || $form->dberror(__FILE__.':'.__LINE__.': Converting password : ');
+
+ return 1;
+
+ } else {
+ return 0; #password failed
+ }
+
+ }elsif ($md5Password){
+
+ if ($md5Password ne (Digest::MD5::md5_hex $password) ) {
+ return 0;
+ }
+ else{
+ return 1;
+ }
+
+ } else {
+ #both the md5Password and cryptPasswords were blank
+ return 0;
+ }
+}
+
 1;
diff --git a/LedgerSMB/User.pm b/LedgerSMB/User.pm
index 18f4e8d9..a020affb 100755
--- a/LedgerSMB/User.pm
+++ b/LedgerSMB/User.pm
@@ -33,6 +33,7 @@ package LedgerSMB::User;
 use LedgerSMB::Sysconfig;
+use LedgerSMB::Session;
 use Data::Dumper;
 sub new {
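Review bot: password_check converts a matching crypt(3) hash with `SET password = md5(?)` and verifies it afterwards with an unsalted `Digest::MD5::md5_hex`, so every migrated account ends up with a fast, unsalted hash that anyone holding a dump of users_conf can crack offline; if MD5 is a deliberate interim choice forced by the `varchar(32)` column, say so in the sub's header comment and track the move to a salted, slow scheme. Two smaller points in the md5 branch: `Digest::MD5::md5_hex` dies on a string containing wide characters, whereas the stored value was produced by PostgreSQL's `md5()` over the server-encoded bytes, so a non-ASCII password may crash or simply never match — encode `$password` to the connection's encoding before hashing (I cannot see how the handle's encoding is set up from here); and `$md5Password ne ...` is not a constant-time comparison. `use Digest::MD5;` inside the body is a compile-time statement anyway and belongs at the top of the module. The unknown-user path (both columns NULL) correctly returns 0, but it returns faster than the crypt and md5 paths, which leaks whether a username exists; a dummy hash on that path would remove the timing difference.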
@@ -48,12 +49,12 @@ sub new {
 # for now, this is querying the table directly... ugly
 my $fetchUserPrefs = $dbh->prepare("SELECT acs, address, businessnumber,
 company, countrycode, currency,
- dateformat, dbconnect, dbdriver,
- dbhost, dbname, dboptions, dbpasswd,
- dbport, dbuser, email, fax, menuwidth,
- name, numberformat, password, print,
- printer, role, sid, signature, stylesheet,
- tel, templates, timeout, vclimit, u.username
+ dateformat, dbdriver, dbhost, dbname,
+ dboptions, dbpasswd, dbport, dbuser,
+ email, fax, menuwidth, name, numberformat,
+ password, print, printer, role, sid,
+ signature, stylesheet, tel, templates,
+ timeout, vclimit, u.username
 FROM users_conf as uc, users as u
 WHERE u.username = ?
 AND u.id = uc.id;");
@@ -66,6 +67,16 @@ sub new {
 $self->{$key} = $value;
 }
+ chomp($self->{dbport});
+ chomp($self->{dbname});
+ chomp($self->{dbhost});
+
+ if(! int($self->{dbport})){#in case there's a space or junk in the dbport
+ $self->{dbport} = '5432';
+ }
+
+ $self->{dbconnect} = 'dbi:Pg:dbname='.$self->{dbname}.';host='.$self->{dbhost}.';port='.$self->{dbport};
+
 if($self->{username}){
 $self->{login} = $login;
 }
@@ -113,12 +124,12 @@ sub fetch_config {
 # for now, this is querying the table directly... ugly
 my $fetchUserPrefs = $dbh->prepare("SELECT acs, address, businessnumber,
 company, countrycode, currency,
- dateformat, dbconnect, dbdriver,
- dbhost, dbname, dboptions, dbpasswd,
- dbport, dbuser, email, fax, menuwidth,
- name, numberformat, password, print,
- printer, role, sid, signature, stylesheet,
- tel, templates, timeout, vclimit
+ dateformat, dbdriver, dbhost, dbname,
+ dboptions, dbpasswd, dbport, dbuser,
+ email, fax, menuwidth, name, numberformat,
+ password, print, printer, role, sid,
+ signature, stylesheet, tel, templates,
+ timeout, vclimit, u.username
 FROM users_conf as uc, users as u
 WHERE u.username = ?
 AND u.id = uc.id;");
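Review bot: In `new`, `if(! int($self->{dbport}))` is not validation: `int("5432;sslmode=x")` is 5432 (with a warning), a port of `0` is silently replaced, and the unchecked `dbname` and `dbhost` are then concatenated into the DSN, where a `;` or `=` would inject further DBD::Pg connection attributes. These values come from users_conf rows written through save_member, so the exposure depends on who may edit user preferences, which I cannot see from here; an anchored whitelist is cheap regardless, e.g. `my ($port) = ($self->{dbport} =~ /^\s*(\d{1,5})\s*$/);` then `$self->{dbport} = defined $port ? $port : '5432';`, and a `/^[\w.-]+$/` check on dbname and dbhost before assembling dbconnect. Note that `chomp` strips only a trailing newline, not the "space or junk" the comment refers to, so the comment currently overstates what the code does.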
@@ -130,20 +141,25 @@ sub fetch_config {
 while ( my ($key, $value) = each(%{$userHashRef}) ) {
 $myconfig{$key} = $value;
 }
+
+ if(! int($myconfig{'dbport'})){#in case there's a space or junk in the dbport
+ $myconfig{'dbport'} = '5432';
+ }
+
+ $myconfig{'dbconnect'} = 'dbi:Pg:dbname='.$myconfig{'dbname'}.';host='.$myconfig{'dbhost'}.';port='.$myconfig{'dbport'};
 }
 return \%myconfig;
 }
 sub login {
- use Digest::MD5;
 my ($self, $form) = @_;
 my $rc = -1;
 if ($self->{login} ne "") {
- if ($self->{password} ne (Digest::MD5::md5_hex $form->{password}) ) {
+ if (! Session::password_check($form, $form->{login}, $form->{password})) {
 return -1;
 }
@@ -719,7 +735,7 @@ sub save_member {
 my $userConfUpdate = $dbh->prepare("UPDATE users_conf
 SET acs = ?, address = ?, businessnumber = ?,
 company = ?, countrycode = ?, currency = ?,
- dateformat = ?, dbconnect = ?, dbdriver = ?,
+ dateformat = ?, dbdriver = ?,
 dbhost = ?, dbname = ?, dboptions = ?, dbpasswd = ?,
 dbport = ?, dbuser = ?, email = ?, fax = ?, menuwidth = ?,
@@ -732,7 +748,7 @@ sub save_member {
 $userConfUpdate->execute($self->{acs}, $self->{address}, $self->{businessnumber},
 $self->{company}, $self->{countrycode}, $self->{currency},
- $self->{dateformat}, $self->{dbconnect}, $self->{dbdriver},
+ $self->{dateformat}, $self->{dbdriver},
 $self->{dbhost}, $self->{dbname}, $self->{dboptions}, $self->{dbpasswd},
 $self->{dbport}, $self->{dbuser}, $self->{email}, $self->{fax}, $self->{menuwidth},
@@ -748,7 +764,7 @@ sub save_member {
 my $userConfInsert = $dbh->prepare("INSERT INTO users_conf(acs, address, businessnumber,
 company, countrycode, currency,
- dateformat, dbconnect, dbdriver,
+ dateformat, dbdriver,
 dbhost, dbname, dboptions, dbpasswd,
 dbport, dbuser, email, fax, menuwidth,
 name, numberformat, print, printer, role,
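Review bot: fetch_config repeats the dbport/dbconnect construction that `new` gained in this commit but without the `chomp` calls, so the two code paths already treat a trailing newline in dbport, dbname or dbhost differently, and the `int()` truthiness test is the same non-validation in both places. Factor the port check and DSN assembly into one private helper, e.g. `_build_dbconnect(\%myconfig)`, called from both `new` and `fetch_config`, so the rules cannot drift and a single regex whitelist can be applied to the three fields. Separately, `login` now passes `$form->{login}` to `Session::password_check` while the enclosing guard tests `$self->{login}`; if those can ever differ the password is verified for a different account than the object represents, so `$self->{login}` would be the consistent choice — I cannot tell from the hunk whether the caller guarantees they are equal.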
@@ -756,11 +772,11 @@ sub save_member {
 timeout, vclimit, id, password)
 VALUES(?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?,
- ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, md5(?));");
+ ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, md5(?));");
 $userConfInsert->execute($self->{acs}, $self->{address}, $self->{businessnumber},
 $self->{company}, $self->{countrycode}, $self->{currency},
- $self->{dateformat}, $self->{dbconnect}, $self->{dbdriver},
+ $self->{dateformat}, $self->{dbdriver},
 $self->{dbhost}, $self->{dbname}, $self->{dboptions}, $self->{dbpasswd},
 $self->{dbport}, $self->{dbuser}, $self->{email}, $self->{fax}, $self->{menuwidth},
diff --git a/bin/login.pl b/bin/login.pl
index a1f225d8..90de3d48 100755
--- a/bin/login.pl
+++ b/bin/login.pl
@@ -337,6 +337,7 @@ sub login {
 }
 }
+ Session::session_create($form);
 $form->redirect;
 }
@@ -150,7 +150,6 @@ if ($form->{action}) {
 1;
 # end
-
 sub check_password {
 if ($myconfig{password}) {
@@ -158,7 +157,7 @@ sub check_password {
 require "bin/pw.pl";
 if ($form->{password}) {
- if ($myconfig{password} ne (Digest::MD5::md5_hex $form->{password})) {
+ if (! Session::password_check($form, $form->{login}, $form->{password})) {
 if ($ENV{HTTP_USER_AGENT}) {
 &getpassword;
 } else {
@@ -178,12 +177,6 @@ sub check_password {
 $cookie{$name} = $value;
 }
- if ($form->{action} ne 'display') {
- if ((! $cookie{"LedgerSMB-$form->{login}"}) || $cookie{"LedgerSMB-$form->{login}"} ne $form->{sessionid}) {
- &getpassword(1);
- exit;
- }
- }
 #check for valid session
 if(!Session::session_check($cookie{"LedgerSMB"}, $form)){
 &getpassword(1);
diff --git a/sql/Pg-central.sql b/sql/Pg-central.sql
index 804bf965..1b9c755b 100755
--- a/sql/Pg-central.sql
+++ b/sql/Pg-central.sql
@@ -14,7 +14,6 @@ CREATE TABLE users_conf(id integer primary key references users(id) deferrable i
 countrycode text,
 currency text,
 dateformat text,
- dbconnect text,
 dbdriver text default 'Pg',
 dbhost text default 'localhost',
 dbname text,
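Review bot: In menu.pl's check_password the new `Session::password_check` call still sits under the pre-existing guard `if ($myconfig{password}) {` (whose closing brace is outside the hunk), so a users_conf row that has only `crypted_password` set — exactly the pre-1.2 migration case password_check was written for — has a NULL `password` and skips this block entirely until some other successful login has converted the hash; fetch_config in this same commit also never selects `crypted_password`, so `%myconfig` cannot see it. If the `Session::session_check` call further down is inside the same block, an unconverted legacy account would bypass the session check as well, which I cannot confirm from the visible lines. Suggest `if ($myconfig{password} || $myconfig{crypted_password}) {` together with adding `crypted_password` to the fetch_config SELECT, or dropping the guard so the check always runs. Note also that the diff header for menu.pl is missing from this page, so these three hunks appear to belong to login.pl; they do not, given the diffstat.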
@@ -28,6 +27,7 @@ CREATE TABLE users_conf(id integer primary key references users(id) deferrable i
 name text,
 numberformat text,
 password varchar(32) check(length(password) = 32),
+ crypted_password text,
 print text,
 printer text,
 role text, |
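Review bot: `crypted_password text` is added without a comment, so a DBA reading the schema cannot tell it is a legacy column: from Session::password_check in this commit it holds the pre-1.2 crypt(3) hash and is set to NULL the first time that hash verifies. Suggest `crypted_password text, -- legacy crypt(3) hash from pre-1.2 installs; cleared by password_check on first successful login`. Nothing prevents both columns being populated; password_check then consults only the crypt value and overwrites `password`, so if the migration script guarantees exclusivity a `CHECK (password IS NULL OR crypted_password IS NULL)` would make that assumption explicit. The CREATE TABLE statement continues outside this hunk.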