From 1ff34a79a44c4be7c1aec04696cd116eecd45535 Mon Sep 17 00:00:00 2001 From: tetragon Date: Wed, 22 Nov 2006 05:31:48 +0000 Subject: Adding check for determining that the requested user is the retreived user git-svn-id: https://ledger-smb.svn.sourceforge.net/svnroot/ledger-smb/trunk@680 4979c152-3d1c-0410-bac9-87ea11338e46 --- LedgerSMB/Session/DB.pm | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/LedgerSMB/Session/DB.pm b/LedgerSMB/Session/DB.pm index f69418cd..ecd87814 100755 --- a/LedgerSMB/Session/DB.pm +++ b/LedgerSMB/Session/DB.pm @@ -219,16 +219,19 @@ sub password_check { # use the central database handle my $dbh = ${LedgerSMB::Sysconfig::GLOBALDBH}; - my $fetchPassword = $dbh->prepare("SELECT uc.password, uc.crypted_password + my $fetchPassword = $dbh->prepare("SELECT u.username, uc.password, uc.crypted_password FROM users as u, users_conf as uc WHERE u.username = ? AND u.id = uc.id;"); $fetchPassword->execute($username) || $form->dberror(__FILE__.':'.__LINE__.': Fetching password : '); - my ($md5Password, $cryptPassword) = $fetchPassword->fetchrow_array; + my ($dbusername, $md5Password, $cryptPassword) = $fetchPassword->fetchrow_array; - if ($cryptPassword){ + if ($dbusername ne $username) { + # User data retrieved from db not for the requested user + return 0; + } elsif ($cryptPassword){ #First time login from old system, check crypted password if ((crypt $password, substr($username, 0, 2)) eq $cryptPassword) { @@ -250,12 +253,12 @@ sub password_check { return 0; #password failed } - }elsif ($md5Password){ + } elsif ($md5Password){ if ($md5Password ne (Digest::MD5::md5_hex $password) ) { return 0; } - else{ + else { return 1; } -- cgit v1.2.3
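Review bot: The new guard `if ($dbusername ne $username)` compares against an undefined `$dbusername` whenever the SELECT matches no row (an unknown username), because `fetchrow_array` then returns an empty list and all three variables stay undef; the branch still returns 0, but under `use warnings` every such failed login emits an "Use of uninitialized value" warning from this line. Make the no-row case explicit so the intent is clear and the warning goes away: `if (!defined $dbusername || $dbusername ne $username) {`. The one-line comment could also say why the check exists — presumably to reject rows the database's `=` treats as equal under a looser collation than Perl's case-sensitive `ne` — since that reason is not visible in the hunk; suggest `# Reject rows the DB matched loosely (e.g. case-insensitive collation) or no row at all`. Note that `$fetchPassword` is never `finish`ed before this early `return 0`, which DBI tolerates but may warn about depending on the driver. `password_check` begins before this hunk and continues past it, so the fall-through when neither `$cryptPassword` nor `$md5Password` is set cannot be reviewed here.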