Changing the password requires a 'real' login.
Commit
8b562b90c05a0c337be2283fc4e9fb3cb5da60d4
Parent
042d6a7b98170df…
1 file changed
+54
-44
+54
-44
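--- a/src/login.c
+++ b/src/login.c
@@ -526,53 +526,63 @@
 
 /* Deal with password-change requests */
 if( g.perm.Password && zPasswd
 && (zNew1 = P("n1"))!=0 && (zNew2 = P("n2"))!=0
 ){
-/* The user requests a password change */
-zSha1Pw = sha1_shared_secret(zPasswd, g.zLogin, 0);
-if( db_int(1, "SELECT 0 FROM user"
-" WHERE uid=%d"
-" AND (constant_time_cmp(pw,%Q)=0"
-" OR constant_time_cmp(pw,%Q)=0)",
-g.userUid, zSha1Pw, zPasswd) ){
-sleep(1);
-zErrMsg =
-@ <p><span class="loginError">
-@ You entered an incorrect old password while attempting to change
-@ your password. Your password is unchanged.
-@ </span></p>
-;
-}else if( fossil_strcmp(zNew1,zNew2)!=0 ){
-zErrMsg =
-@ <p><span class="loginError">
-@ The two copies of your new passwords do not match.
-@ Your password is unchanged.
-@ </span></p>
-;
-}else{
-char *zNewPw = sha1_shared_secret(zNew1, g.zLogin, 0);
-char *zChngPw;
-char *zErr;
-db_multi_exec(
-"UPDATE user SET pw=%Q WHERE uid=%d", zNewPw, g.userUid
-);
-fossil_free(zNewPw);
-zChngPw = mprintf(
-"UPDATE user"
-" SET pw=shared_secret(%Q,%Q,"
-" (SELECT value FROM config WHERE name='project-code'))"
-" WHERE login=%Q",
-zNew1, g.zLogin, g.zLogin
-);
-if( login_group_sql(zChngPw, "<p>", "</p>\n", &zErr) ){
-zErrMsg = mprintf("<span class=\"loginError\">%s</span>", zErr);
-fossil_free(zErr);
-}else{
-redirect_to_g();
-return;
-}
+/* If there is not a "real" login, we cannot change any password. */
+if( g.zLogin ){
+/* The user requests a password change */
+zSha1Pw = sha1_shared_secret(zPasswd, g.zLogin, 0);
+if( db_int(1, "SELECT 0 FROM user"
+" WHERE uid=%d"
+" AND (constant_time_cmp(pw,%Q)=0"
+" OR constant_time_cmp(pw,%Q)=0)",
+g.userUid, zSha1Pw, zPasswd) ){
+sleep(1);
+zErrMsg =
+@ <p><span class="loginError">
+@ You entered an incorrect old password while attempting to change
+@ your password. Your password is unchanged.
+@ </span></p>
+;
+}else if( fossil_strcmp(zNew1,zNew2)!=0 ){
+zErrMsg =
+@ <p><span class="loginError">
+@ The two copies of your new passwords do not match.
+@ Your password is unchanged.
+@ </span></p>
+;
+}else{
+char *zNewPw = sha1_shared_secret(zNew1, g.zLogin, 0);
+char *zChngPw;
+char *zErr;
+db_multi_exec(
+"UPDATE user SET pw=%Q WHERE uid=%d", zNewPw, g.userUid
+);
+fossil_free(zNewPw);
+zChngPw = mprintf(
+"UPDATE user"
+" SET pw=shared_secret(%Q,%Q,"
+" (SELECT value FROM config WHERE name='project-code'))"
+" WHERE login=%Q",
+zNew1, g.zLogin, g.zLogin
+);
+if( login_group_sql(zChngPw, "<p>", "</p>\n", &zErr) ){
+zErrMsg = mprintf("<span class=\"loginError\">%s</span>", zErr);
+fossil_free(zErr);
+}else{
+redirect_to_g();
+return;
+}
+}
+}else{
+zErrMsg =
+@ <p><span class="loginError">
+@ The password cannot be changed for this type of login.
+@ The password is unchanged.
+@ </span></p>
+;
 }
 }
 zIpAddr = PD("REMOTE_ADDR","nil"); /* Complete IP address for logging */
 zReferer = P("HTTP_REFERER");
 uid = login_is_valid_anonymous(zUsername, zPasswd, P("cs"));
@@ -699,11 +709,11 @@
 }
 @ </div>
 free(zCaptcha);
 }
 @ </form>
-if( g.perm.Password ){
+if( g.zLogin && g.perm.Password ){
 @ <hr />
 @ <p>Change Password for user <b>%h(g.zLogin)</b>:</p>
 form_begin(0, "%R/login");
 @ <table>
 @ <tr><td class="login_out_label">Old Password:</td>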
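Review bot: `zChngPw`, allocated with mprintf() at new line 562, is not freed on either branch after the login_group_sql() call at new line 569; unless login_group_sql() takes ownership of its SQL argument (not visible in this hunk), the call should be split so the buffer is released on both paths, e.g. `int rc = login_group_sql(zChngPw, "<p>", "</p>\n", &zErr);` then `fossil_free(zChngPw);` then `if( rc ){`. A second point on the same block: the local `UPDATE user SET pw=...` at new line 559 has already run before the login-group propagation, so when login_group_sql() fails the user is shown an error even though the password on this repository has in fact changed; the error text should say that the local change succeeded and only the group propagation failed. Both points pre-date the commit but now sit inside the newly added `if( g.zLogin )` block, whose new else-branch (lines 577–583) correctly refuses the change before g.zLogin would reach sha1_shared_secret() or the `WHERE login=%Q` clause; the enclosing function starts and ends outside the hunk.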
| --- src/login.c | |
| +++ src/login.c | |
| @@ -526,53 +526,63 @@ | |
| 526 | |
| 527 | /* Deal with password-change requests */ |
| 528 | if( g.perm.Password && zPasswd |
| 529 | && (zNew1 = P("n1"))!=0 && (zNew2 = P("n2"))!=0 |
| 530 | ){ |
| 531 | /* The user requests a password change */ |
| 532 | zSha1Pw = sha1_shared_secret(zPasswd, g.zLogin, 0); |
| 533 | if( db_int(1, "SELECT 0 FROM user" |
| 534 | " WHERE uid=%d" |
| 535 | " AND (constant_time_cmp(pw,%Q)=0" |
| 536 | " OR constant_time_cmp(pw,%Q)=0)", |
| 537 | g.userUid, zSha1Pw, zPasswd) ){ |
| 538 | sleep(1); |
| 539 | zErrMsg = |
| 540 | @ <p><span class="loginError"> |
| 541 | @ You entered an incorrect old password while attempting to change |
| 542 | @ your password. Your password is unchanged. |
| 543 | @ </span></p> |
| 544 | ; |
| 545 | }else if( fossil_strcmp(zNew1,zNew2)!=0 ){ |
| 546 | zErrMsg = |
| 547 | @ <p><span class="loginError"> |
| 548 | @ The two copies of your new passwords do not match. |
| 549 | @ Your password is unchanged. |
| 550 | @ </span></p> |
| 551 | ; |
| 552 | }else{ |
| 553 | char *zNewPw = sha1_shared_secret(zNew1, g.zLogin, 0); |
| 554 | char *zChngPw; |
| 555 | char *zErr; |
| 556 | db_multi_exec( |
| 557 | "UPDATE user SET pw=%Q WHERE uid=%d", zNewPw, g.userUid |
| 558 | ); |
| 559 | fossil_free(zNewPw); |
| 560 | zChngPw = mprintf( |
| 561 | "UPDATE user" |
| 562 | " SET pw=shared_secret(%Q,%Q," |
| 563 | " (SELECT value FROM config WHERE name='project-code'))" |
| 564 | " WHERE login=%Q", |
| 565 | zNew1, g.zLogin, g.zLogin |
| 566 | ); |
| 567 | if( login_group_sql(zChngPw, "<p>", "</p>\n", &zErr) ){ |
| 568 | zErrMsg = mprintf("<span class=\"loginError\">%s</span>", zErr); |
| 569 | fossil_free(zErr); |
| 570 | }else{ |
| 571 | redirect_to_g(); |
| 572 | return; |
| 573 | } |
| 574 | } |
| 575 | } |
| 576 | zIpAddr = PD("REMOTE_ADDR","nil"); /* Complete IP address for logging */ |
| 577 | zReferer = P("HTTP_REFERER"); |
| 578 | uid = login_is_valid_anonymous(zUsername, zPasswd, P("cs")); |
| @@ -699,11 +709,11 @@ | |
| 699 | } |
| 700 | @ </div> |
| 701 | free(zCaptcha); |
| 702 | } |
| 703 | @ </form> |
| 704 | if( g.perm.Password ){ |
| 705 | @ <hr /> |
| 706 | @ <p>Change Password for user <b>%h(g.zLogin)</b>:</p> |
| 707 | form_begin(0, "%R/login"); |
| 708 | @ <table> |
| 709 | @ <tr><td class="login_out_label">Old Password:</td> |
| 710 |
| --- src/login.c | |
| +++ src/login.c | |
| @@ -526,53 +526,63 @@ | |
| 526 | |
| 527 | /* Deal with password-change requests */ |
| 528 | if( g.perm.Password && zPasswd |
| 529 | && (zNew1 = P("n1"))!=0 && (zNew2 = P("n2"))!=0 |
| 530 | ){ |
| 531 | /* If there is not a "real" login, we cannot change any password. */ |
| 532 | if( g.zLogin ){ |
| 533 | /* The user requests a password change */ |
| 534 | zSha1Pw = sha1_shared_secret(zPasswd, g.zLogin, 0); |
| 535 | if( db_int(1, "SELECT 0 FROM user" |
| 536 | " WHERE uid=%d" |
| 537 | " AND (constant_time_cmp(pw,%Q)=0" |
| 538 | " OR constant_time_cmp(pw,%Q)=0)", |
| 539 | g.userUid, zSha1Pw, zPasswd) ){ |
| 540 | sleep(1); |
| 541 | zErrMsg = |
| 542 | @ <p><span class="loginError"> |
| 543 | @ You entered an incorrect old password while attempting to change |
| 544 | @ your password. Your password is unchanged. |
| 545 | @ </span></p> |
| 546 | ; |
| 547 | }else if( fossil_strcmp(zNew1,zNew2)!=0 ){ |
| 548 | zErrMsg = |
| 549 | @ <p><span class="loginError"> |
| 550 | @ The two copies of your new passwords do not match. |
| 551 | @ Your password is unchanged. |
| 552 | @ </span></p> |
| 553 | ; |
| 554 | }else{ |
| 555 | char *zNewPw = sha1_shared_secret(zNew1, g.zLogin, 0); |
| 556 | char *zChngPw; |
| 557 | char *zErr; |
| 558 | db_multi_exec( |
| 559 | "UPDATE user SET pw=%Q WHERE uid=%d", zNewPw, g.userUid |
| 560 | ); |
| 561 | fossil_free(zNewPw); |
| 562 | zChngPw = mprintf( |
| 563 | "UPDATE user" |
| 564 | " SET pw=shared_secret(%Q,%Q," |
| 565 | " (SELECT value FROM config WHERE name='project-code'))" |
| 566 | " WHERE login=%Q", |
| 567 | zNew1, g.zLogin, g.zLogin |
| 568 | ); |
| 569 | if( login_group_sql(zChngPw, "<p>", "</p>\n", &zErr) ){ |
| 570 | zErrMsg = mprintf("<span class=\"loginError\">%s</span>", zErr); |
| 571 | fossil_free(zErr); |
| 572 | }else{ |
| 573 | redirect_to_g(); |
| 574 | return; |
| 575 | } |
| 576 | } |
| 577 | }else{ |
| 578 | zErrMsg = |
| 579 | @ <p><span class="loginError"> |
| 580 | @ The password cannot be changed for this type of login. |
| 581 | @ The password is unchanged. |
| 582 | @ </span></p> |
| 583 | ; |
| 584 | } |
| 585 | } |
| 586 | zIpAddr = PD("REMOTE_ADDR","nil"); /* Complete IP address for logging */ |
| 587 | zReferer = P("HTTP_REFERER"); |
| 588 | uid = login_is_valid_anonymous(zUsername, zPasswd, P("cs")); |
| @@ -699,11 +709,11 @@ | |
| 709 | } |
| 710 | @ </div> |
| 711 | free(zCaptcha); |
| 712 | } |
| 713 | @ </form> |
| 714 | if( g.zLogin && g.perm.Password ){ |
| 715 | @ <hr /> |
| 716 | @ <p>Change Password for user <b>%h(g.zLogin)</b>:</p> |
| 717 | form_begin(0, "%R/login"); |
| 718 | @ <table> |
| 719 | @ <tr><td class="login_out_label">Old Password:</td> |
| 720 |