authorYorhel <git@yorhel.nl>2009-07-30 10:17:16 +0200
committerYorhel <git@yorhel.nl>2009-07-30 10:17:16 +0200
commitd02c9f73c8f6896bc6ed7ffc2b4a5782586c2589 (patch)
tree5306171b1f95b776afdf2a077a0fe2f86e4351d8
parent54ff8e3219e22b24640b2d5273c2a635ee6976da (diff)
Util::Auth: check cookie for sanity and delete incorrect cookies
This fixes a 500 error when the cookie was longer than 40 bytes but the characters after the 40th byte weren't a number (i.e. the cookies of the previous auth system). This will also purge the cookie from the user's browser when dbSessionCheck() returns false (there's no sense in keeping it in such a case).
-rw-r--r--lib/VNDB/Util/Auth.pm19
1 files changed, 14 insertions, 5 deletions
diff --git a/lib/VNDB/Util/Auth.pm b/lib/VNDB/Util/Auth.pm
index 00700e6e..519e5523 100644
--- a/lib/VNDB/Util/Auth.pm
+++ b/lib/VNDB/Util/Auth.pm
@@ -20,10 +20,12 @@ sub authInit {
$self->{_auth} = undef;
my $cookie = $self->reqCookie('vndb_auth');
- return 0 if !$cookie || length($cookie) < 41;
+ return 0 if !$cookie;
+ return _rmcookie($self) if length($cookie) < 41;
my $token = substr($cookie, 0, 40);
my $uid = substr($cookie, 40);
- $self->{_auth} = $self->dbUserGet(uid => $uid, what => 'mymessages')->[0] if $self->dbSessionCheck($uid, $token);
+ return _rmcookie($self) if $uid !~ /^\d+$/ || !$self->dbSessionCheck($uid, $token);
+ $self->{_auth} = $self->dbUserGet(uid => $uid, what => 'mymessages')->[0];
}
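Review bot: `return _rmcookie($self)` on both new early exits makes authInit's return value whatever resHeader() returns, whereas the line it replaces returned 0 explicitly; if any caller checks authInit's result (the callers are not visible here), a rejected cookie could now read as a success. Keep the contract explicit with `_rmcookie($self); return 0;` on both lines, or give _rmcookie in the last hunk a trailing `return 0;`. Separately, `$uid !~ /^\d+$/` still accepts a value with a trailing newline because `$` matches before a final "\n"; `\A\d+\z` rejects it so dbSessionCheck() only ever sees a plain integer. The start of authInit lies above this hunk.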
@@ -63,7 +65,7 @@ sub authLogout {
}
$self->resRedirect('/', 'temp');
- $self->resHeader('Set-Cookie', "vndb_auth= ; expires=Sat, 01-Jan-2000 00:00:00 GMT; path=/; domain=$self->{cookie_domain}");
+ _rmcookie($self);
}
@@ -95,11 +97,11 @@ sub _authCheck {
my $d = $self->dbUserGet(username => $user, what => 'mymessages')->[0];
return 0 if !defined $d->{id} || !$d->{rank};
- if (_authEncryptPass($self, $pass, $d->{salt}, 1) eq $d->{passwd}) {
+ if(_authEncryptPass($self, $pass, $d->{salt}, 1) eq $d->{passwd}) {
$self->{_auth} = $d;
return 1;
}
- if (md5($pass) eq $d->{passwd}) {
+ if(md5($pass) eq $d->{passwd}) {
$self->{_auth} = $d;
my %o;
($o{passwd}, $o{salt}) = authPreparePass($self, $pass);
@@ -132,5 +134,12 @@ sub authPreparePass{
}
+# removes the vndb_auth cookie
+sub _rmcookie {
+ $_[0]->resHeader('Set-Cookie',
+ "vndb_auth= ; expires=Sat, 01-Jan-2000 00:00:00 GMT; path=/; domain=$_[0]->{cookie_domain}");
+}
+
+
1;
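Review bot: _rmcookie reads `$_[0]` twice, once inside the interpolated header string, where every other sub in this file unpacks its invocant by name; `my ($self) = @_;` as the first line, then `$self->resHeader(...)` and `domain=$self->{cookie_domain}`, reads like the rest of the module. The comment should also record why the path and domain are spelled out: a browser only discards a cookie when those attributes match the ones it was set with, so `# removes the vndb_auth cookie; path/domain must match the login Set-Cookie or the browser keeps the old one` would stop a later edit from dropping them.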