From d02c9f73c8f6896bc6ed7ffc2b4a5782586c2589 Mon Sep 17 00:00:00 2001
From: Yorhel
Date: Thu, 30 Jul 2009 10:17:16 +0200
Subject: Util::Auth: check cookie for sanity and delete incorrect cookies
This fixes a 500 error when the cookie was longer than 40 bytes but the characters after the 40th byte aren't a number. (i.e. the cookies of the previous auth system) This will also purge the cookie from the user's browser when dbSessionCheck() returns false. (There's no sense in keeping it in such a case)
---
 lib/VNDB/Util/Auth.pm | 19 ++++++++++++++-----
 1 file changed, 14 insertions(+), 5 deletions(-)
diff --git a/lib/VNDB/Util/Auth.pm b/lib/VNDB/Util/Auth.pm
index 00700e6e..519e5523 100644
--- a/lib/VNDB/Util/Auth.pm
+++ b/lib/VNDB/Util/Auth.pm
@@ -20,10 +20,12 @@ sub authInit {
 $self->{_auth} = undef;
 my $cookie = $self->reqCookie('vndb_auth');
- return 0 if !$cookie || length($cookie) < 41;
+ return 0 if !$cookie;
+ return _rmcookie($self) if length($cookie) < 41;
 my $token = substr($cookie, 0, 40);
 my $uid = substr($cookie, 40);
- $self->{_auth} = $self->dbUserGet(uid => $uid, what => 'mymessages')->[0] if $self->dbSessionCheck($uid, $token);
+ return _rmcookie($self) if $uid !~ /^\d+$/ || !$self->dbSessionCheck($uid, $token);
+ $self->{_auth} = $self->dbUserGet(uid => $uid, what => 'mymessages')->[0];
 }
@@ -63,7 +65,7 @@ sub authLogout {
 }
 $self->resRedirect('/', 'temp');
- $self->resHeader('Set-Cookie', "vndb_auth= ; expires=Sat, 01-Jan-2000 00:00:00 GMT; path=/; domain=$self->{cookie_domain}");
+ _rmcookie($self);
 }
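Review bot: The new sanity check `$uid !~ /^\d+$/` still accepts a uid that ends in a newline, because `$` matches before a trailing `\n`; anchor it with `return _rmcookie($self) if $uid !~ /\A\d+\z/ || !$self->dbSessionCheck($uid, $token);` so only bare digits reach dbSessionCheck(). A second, smaller point: both early returns now hand back whatever `_rmcookie` (that is, resHeader()) returns, where the removed line returned 0, so any caller that tests authInit's return value sees a different result — if no caller does, a comment saying the return value is unused would settle it. The 40-byte `$token` goes to dbSessionCheck() without any shape check; whether that matters depends on how the session lookup quotes it, which is outside this diff. The `sub authInit {` line itself is outside the hunk (it appears only as header context).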
@@ -95,11 +97,11 @@ sub _authCheck {
 my $d = $self->dbUserGet(username => $user, what => 'mymessages')->[0];
 return 0 if !defined $d->{id} || !$d->{rank};
- if (_authEncryptPass($self, $pass, $d->{salt}, 1) eq $d->{passwd}) {
+ if(_authEncryptPass($self, $pass, $d->{salt}, 1) eq $d->{passwd}) {
 $self->{_auth} = $d;
 return 1;
 }
- if (md5($pass) eq $d->{passwd}) {
+ if(md5($pass) eq $d->{passwd}) {
 $self->{_auth} = $d;
 my %o;
 ($o{passwd}, $o{salt}) = authPreparePass($self, $pass);
@@ -132,5 +134,12 @@ sub authPreparePass{
 }
+# removes the vndb_auth cookie
+sub _rmcookie {
+ $_[0]->resHeader('Set-Cookie',
+ "vndb_auth= ; expires=Sat, 01-Jan-2000 00:00:00 GMT; path=/; domain=$_[0]->{cookie_domain}");
+}
+
+
 1;
-- cgit v1.2.3
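Review bot: `_rmcookie` says nothing about its return value, yet the authInit hunk earlier in this patch uses that value as authInit's own return on two early-exit paths; the comment above the sub should say so, e.g. `# removes the vndb_auth cookie; returns whatever resHeader() returns (authInit() propagates it on its early returns)`. It is also worth noting in that comment that a browser only discards the cookie when the `path` and `domain` attributes match the ones the cookie was originally set with — the code that sets vndb_auth at login is not in this diff, so if it uses a different path or domain this expiry header is a silent no-op. Adding `Max-Age=0` next to the fixed 2000 `expires` date would make the deletion independent of the client's clock, though that is optional.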