aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat (limited to 'Bugzilla')
-rw-r--r--Bugzilla/Token.pm184
1 files changed, 184 insertions, 0 deletions
diff --git a/Bugzilla/Token.pm b/Bugzilla/Token.pm
new file mode 100644
index 000000000..cde97f87e
--- /dev/null
+++ b/Bugzilla/Token.pm
@@ -0,0 +1,184 @@
+#!/usr/bonsaitools/bin/perl -w
+# -*- Mode: perl; indent-tabs-mode: nil -*-
+#
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+#
+# The Original Code is the Bugzilla Bug Tracking System.
+#
+# The Initial Developer of the Original Code is Netscape Communications
+# Corporation. Portions created by Netscape are
+# Copyright (C) 1998 Netscape Communications Corporation. All
+# Rights Reserved.
+#
+# Contributor(s): Myk Melez <myk@mozilla.org>
+
+################################################################################
+# Module Initialization
+################################################################################
+
+# Make it harder for us to do dangerous things in Perl.
+use diagnostics;
+use strict;
+
+# Bundle the functions in this file together into the "Token" package.
+package Token;
+
+# This module requires that its caller have said "require CGI.pl" to import
+# relevant functions from that script and its companion globals.pl.
+
+################################################################################
+# Functions
+################################################################################
+
+sub IssuePasswordToken {
+ # Generates a random token, adds it to the tokens table, and sends it
+ # to the user with instructions for using it to change their password.
+
+ my ($loginname) = @_;
+
+ # Retrieve the user's ID from the database.
+ my $quotedloginname = &::SqlQuote($loginname);
+ &::SendSQL("SELECT userid FROM profiles WHERE login_name = $quotedloginname");
+ my ($userid) = &::FetchSQLData();
+
+ # Generate a unique token and insert it into the tokens table.
+ # We have to lock the tokens table before generating the token,
+ # since the database must be queried for token uniqueness.
+ &::SendSQL("LOCK TABLE tokens WRITE");
+ my $token = GenerateUniqueToken();
+ my $quotedtoken = &::SqlQuote($token);
+ my $quotedipaddr = &::SqlQuote($::ENV{'REMOTE_ADDR'});
+ &::SendSQL("INSERT INTO tokens ( userid , issuedate , token , tokentype , eventdata )
+ VALUES ( $userid , NOW() , $quotedtoken , 'password' , $quotedipaddr )");
+ &::SendSQL("UNLOCK TABLES");
+
+ # Mail the user the token along with instructions for using it.
+ MailPasswordToken($loginname, $token);
+
+}
+
+
+sub GenerateUniqueToken {
+ # Generates a unique random token. Uses &GenerateRandomPassword
+ # for the tokens themselves and checks uniqueness by searching for
+ # the token in the "tokens" table. Gives up if it can't come up
+ # with a token after about one hundred tries.
+
+ my $token;
+ my $duplicate = 1;
+ my $tries = 0;
+ while ($duplicate) {
+
+ ++$tries;
+ if ($tries > 100) {
+ &::DisplayError("Something is seriously wrong with the token generation system.");
+ exit;
+ }
+
+ $token = &::GenerateRandomPassword();
+ &::SendSQL("SELECT userid FROM tokens WHERE token = " . &::SqlQuote($token));
+ $duplicate = &::FetchSQLData();
+ }
+
+ return $token;
+
+}
+
+sub MailPasswordToken {
+ # Emails a password token to a user along with instructions for its use.
+ # Called exclusively from &IssuePasswordToken.
+
+ my ($emailaddress, $token) = @_;
+
+ my $urlbase = &::Param("urlbase");
+ my $emailsuffix = &::Param('emailsuffix');
+
+ open SENDMAIL, "|/usr/lib/sendmail -t";
+
+ print SENDMAIL qq|From: bugzilla-daemon
+To: $emailaddress$emailsuffix
+Subject: Bugzilla Change Password Request
+
+You or someone impersonating you has requested to change your Bugzilla
+password. To change your password, visit the following link:
+
+${urlbase}token.cgi?a=cfmpw&t=$token
+
+If you are not the person who made this request, or you wish to cancel
+this request, visit the following link:
+
+${urlbase}token.cgi?a=cxlpw&t=$token
+|;
+ close SENDMAIL;
+}
+
+sub Cancel {
+ # Cancels a previously issued token and notifies the system administrator.
+ # This should only happen when the user accidentally makes a token request
+ # or when a malicious hacker makes a token request on behalf of a user.
+
+ my ($token, $cancelaction) = @_;
+
+ # Quote the token for inclusion in SQL statements.
+ my $quotedtoken = &::SqlQuote($token);
+
+ # Get information about the token being cancelled.
+ &::SendSQL("SELECT issuedate , tokentype , eventdata , login_name , realname
+ FROM tokens, profiles
+ WHERE tokens.userid = profiles.userid
+ AND token = $quotedtoken");
+ my ($issuedate, $tokentype, $eventdata, $loginname, $realname) = &::FetchSQLData();
+
+ # Get the email address of the Bugzilla maintainer.
+ my $maintainer = &::Param('maintainer');
+
+ # Format the user's real name and email address into a single string.
+ my $username = $realname ? $realname . " <" . $loginname . ">" : $loginname;
+
+ # Notify the user via email about the cancellation.
+ open SENDMAIL, "|/usr/lib/sendmail -t";
+ print SENDMAIL qq|From: bugzilla-daemon
+To: $username
+Subject: "$tokentype" token cancelled
+
+A token was cancelled from $::ENV{'REMOTE_ADDR'}. This is either
+an honest mistake or the result of a malicious hack attempt.
+Take a look at the information below and forward this email
+to $maintainer if you suspect foul play.
+
+ Token: $token
+ Token Type: $tokentype
+ User: $username
+ Issue Date: $issuedate
+ Event Data: $eventdata
+
+Cancelled Because: $cancelaction
+|;
+ close SENDMAIL;
+
+ # Delete the token from the database.
+ &::SendSQL("LOCK TABLE tokens WRITE");
+ &::SendSQL("DELETE FROM tokens WHERE token = $quotedtoken");
+ &::SendSQL("UNLOCK TABLES");
+}
+
+sub HasPasswordToken {
+ # Returns a password token if the user has one. Otherwise returns 0 (false).
+
+ my ($userid) = @_;
+
+ &::SendSQL("SELECT token FROM tokens WHERE userid = $userid LIMIT 1");
+ my ($token) = &::FetchSQLData();
+
+ return $token;
+}
+
+1;