Comment:Only record the first 16 bits of the 32-bit IP address as part of the anonymous login cookie.
SHA1: 86cbb69af2db4a05f600ff6a073618f0a89365e7
User & Date: drh 2009-12-29 00:11:21
References
2009-12-29
13:49 New ticket [a09798ba] Bug in ipPrefix (Check-in [86cbb69af2])?. artifact: f3c1440b user: anonymous
Context
2009-12-29
20:52
Fix a bug in the IP address truncator. Ticket [a09798ba9e]. check-in: 5d16ca43 user: drh tags: trunk
00:11
Only record the first 16 bits of the 32-bit IP address as part of the anonymous login cookie. check-in: 86cbb69a user: drh tags: trunk
2009-12-27
18:19
Fix an invalid free() call that could occur when the "info" command was used with an invalid artifact ID. Ticket [aa8ba0fffa]. check-in: 9d3fe01a user: drh tags: trunk
Changes

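--- a/src/login.c
+++ b/src/login.c
@@ -76,14 +76,33 @@
   if( zGoto ){
     cgi_redirect(zGoto);
   }else{
     fossil_redirect_home();
   }
 }
 
+/*
+** The IP address of the client is stored as part of the anonymous
+** login cookie for additional security.  But some clients are behind
+** firewalls that shift the IP address with each HTTP request.  To
+** allow such (broken) clients to log in, extract just a prefix of the
+** IP address.  
+*/
+static char *ipPrefix(const char *zIP){
+  int i, j; 
+  for(i=j=0; zIP[i]; i++){
+    if( zIP[i]=='.' ){
+      j++;
+      if( j==2 ) break;
+    }
+  }
+  return mprintf("%.*s", j, zIP);
+}
+        
+
 /*
 ** Check to see if the anonymous login is valid.  If it is valid, return
 ** the userid of the anonymous user.
 */
 static int isValidAnonymousLogin(
   const char *zUsername,  /* The username.  Must be "anonymous" */
   const char *zPassword   /* The supplied password */
@@ -166,15 +185,15 @@
     const char *zCookieName;     /* Name of the login cookie */
     Blob b;                      /* Blob used during cookie construction */
 
     zIpAddr = PD("REMOTE_ADDR","nil");
     zCookieName = login_cookie_name();
     zNow = db_text("0", "SELECT julianday('now')");
     blob_init(&b, zNow, -1);
-    blob_appendf(&b, "/%s/%s", zIpAddr, db_get("captcha-secret",""));
+    blob_appendf(&b, "/%z/%s", ipPrefix(zIpAddr), db_get("captcha-secret",""));
     sha1sum_blob(&b, &b);
     zCookie = sqlite3_mprintf("anon/%s/%s", zNow, blob_buffer(&b));
     blob_reset(&b);
     free(zNow);
     cgi_set_cookie(zCookieName, zCookie, 0, 6*3600);
     redirect_to_g();
   }
@@ -356,15 +375,16 @@
       int i;
       Blob b;
       rTime = atof(&zCookie[5]);
       for(i=5; zCookie[i] && zCookie[i]!='/'; i++){}
       blob_init(&b, &zCookie[5], i-5);
       if( zCookie[i]=='/' ){ i++; }
       blob_append(&b, "/", 1);
-      blob_appendf(&b, "%s/%s", zRemoteAddr, db_get("captcha-secret",""));
+      blob_appendf(&b, "%z/%s", ipPrefix(zRemoteAddr),
+                   db_get("captcha-secret",""));
       sha1sum_blob(&b, &b);
       uid = db_int(0, 
           "SELECT uid FROM user WHERE login='anonymous'"
           " AND length(cap)>0"
           " AND length(pw)>0"
           " AND %f+0.25>julianday('now')"
           " AND %Q=%Q",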
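Review bot: `ipPrefix` binds the cookie to the wrong prefix: the precision handed to `mprintf("%.*s", j, zIP)` is `j`, the number of dots seen, not `i`, the index where the scan stopped, so for a dotted-quad such as 192.168.10.7 the hashed value is the two characters "19" rather than the first two octets, and for any address with fewer than two dots (an IPv6 address, or the "nil" fallback from `PD("REMOTE_ADDR","nil")`) `j` stays below 2 and the bound prefix is empty. Because the same truncated value is used when the cookie is issued and when it is verified, logins still succeed, but the client-address check the header comment promises is reduced to almost nothing. The one-line fix is `return mprintf("%.*s", i, zIP);`; the follow-up check-in 5d16ca43 listed in the context appears to address this, and with `i` an address containing fewer than two dots is bound in full, which is worth stating in the comment if that is intended. I would also extend the header comment with the actual contract, e.g. `** Only the first two dotted-quad octets (16 bits) are kept.`, so it matches the check-in message.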