
SF.net SVN: ledger-smb: [679] branches/1.2/LedgerSMB/Session/DB.pm



Revision: 679
          http://svn.sourceforge.net/ledger-smb/?rev=679&view=rev
Author:   tetragon
Date:     2006-11-21 21:30:04 -0800 (Tue, 21 Nov 2006)

Log Message:
-----------
Adding check for determining that the requested user is the retrieved user

Modified Paths:
--------------
    branches/1.2/LedgerSMB/Session/DB.pm

Modified: branches/1.2/LedgerSMB/Session/DB.pm
===================================================================
--- branches/1.2/LedgerSMB/Session/DB.pm	2006-11-21 06:56:08 UTC (rev 678)
+++ branches/1.2/LedgerSMB/Session/DB.pm	2006-11-22 05:30:04 UTC (rev 679)
@@ -219,16 +219,19 @@
 	# use the central database handle
 	my $dbh = ${LedgerSMB::Sysconfig::GLOBALDBH};
 
-	my $fetchPassword = $dbh->prepare("SELECT uc.password, uc.crypted_password
+	my $fetchPassword = $dbh->prepare("SELECT u.username, uc.password, uc.crypted_password
 										 FROM users as u, users_conf as uc
 										WHERE u.username = ?
 										  AND u.id = uc.id;");
 
 	$fetchPassword->execute($username) || $form->dberror(__FILE__.':'.__LINE__.': Fetching password : ');
 
-	my ($md5Password, $cryptPassword) = $fetchPassword->fetchrow_array;
+	my ($dbusername, $md5Password, $cryptPassword) = $fetchPassword->fetchrow_array;
 
-	if ($cryptPassword){
+	if ($dbusername ne $username) {
+		# User data retrieved from db not for the requested user
+		return 0;
+	} elsif ($cryptPassword){
 		#First time login from old system, check crypted password
 
 		if ((crypt $password, substr($username, 0, 2)) eq $cryptPassword) {	
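Review bot: When the query matches no row, `fetchrow_array` returns an empty list and `$dbusername` is undef at the new `if ($dbusername ne $username)` test, so rejecting an unknown user relies on an undef-to-string comparison (with an uninitialized-value warning if warnings are enabled) rather than an explicit check. Making the no-row case explicit keeps the failure path unambiguous, including when `$username` itself is empty: `if (!defined $dbusername || $dbusername ne $username) {`. The comment on the new branch could also say why a row selected by `WHERE u.username = ?` might carry a different name (presumably database-side case or padding differences in the comparison), since that is the condition this check guards against. The enclosing sub starts and ends outside the hunk, so what happens when neither password column is set is not visible here.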
@@ -250,12 +253,12 @@
 			return 0; #password failed
 		}
 
-	}elsif ($md5Password){
+	} elsif ($md5Password){
 
 		if ($md5Password ne (Digest::MD5::md5_hex $password) ) {
 			return 0;
 		}
-		else{
+		else {
 			return 1;
 		}
 	

