jro_apps/redmine Commit - r2648:e27460a0a78d

Backported r2740 to r2742 from trunk....

Jean-Philippe Lang -

r2648:e27460a0a78d

parent child

Context file:

r2648:e27460a0a78d

app/models/token.rb +5 -4

              # along with this program; if not, write to the Free Software
              # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+             require 'rails_generator/secret_key_generator'
              class Token < ActiveRecord::Base
                belongs_to :user
+               validates_uniqueness_of :value
                @@validity_time = 1.day
              private
                def self.generate_token_value
-                 chars = ("a".."z").to_a + ("A".."Z").to_a + ("0".."9").to_a
-                 token_value = ''
-.times { |i| token_value << chars[rand(chars.size-1)] }
-                 token_value
+                 s = Rails::SecretKeyGenerator.new(object_id).generate_secret
+                 s[0, 40]
                end
              end

app/models/user.rb +8 -2

                end
                def self.find_by_autologin_key(key)
-                 token = Token.find_by_action_and_value('autologin', key)
-                 token && (token.created_on > Setting.autologin.to_i.day.ago) && token.user.active? ? token.user : nil
+                 tokens = Token.find_all_by_action_and_value('autologin', key)
+                 # Make sure there's only 1 token that matches the key
+                 if tokens.size == 1
+                   token = tokens.first
+                   if (token.created_on > Setting.autologin.to_i.day.ago) && token.user && token.user.active?
+                     token.user
+                   end
+                 end
                end
                # Makes find_by_mail case-insensitive

doc/CHANGELOG +1 0

              * Fixed: issues/show should accept user's rss key
              * Fixed: consistency of custom fields display on the issue detail view
              * Fixed: wiki comments length validation is missing
+             * Fixed: weak autologin token generation algorithm causes duplicate tokens
              == 2009-04-05 v0.8.3

General Comments 0

You need to be logged in to leave comments. Login now

No TODOs yet

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages