@@ -15,8 +15,11 @@ # along with this program; if not, write to the Free Software # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. +require 'rails_generator/secret_key_generator' + class Token < ActiveRecord::Base belongs_to :user + validates_uniqueness_of :value @@validity_time = 1.day @@ -36,9 +39,7 @@ class Token < ActiveRecord::Base private def self.generate_token_value - chars = ("a".."z").to_a + ("A".."Z").to_a + ("0".."9").to_a - token_value = '' - 40.times { |i| token_value << chars[rand(chars.size-1)] } - token_value + s = Rails::SecretKeyGenerator.new(object_id).generate_secret + s[0, 40] end end app/models/token.rb @@ -175,8 +175,14 @@ class User < ActiveRecord::Base end def self.find_by_autologin_key(key) - token = Token.find_by_action_and_value('autologin', key) - token && (token.created_on > Setting.autologin.to_i.day.ago) && token.user.active? ? token.user : nil + tokens = Token.find_all_by_action_and_value('autologin', key) + # Make sure there's only 1 token that matches the key + if tokens.size == 1 + token = tokens.first + if (token.created_on > Setting.autologin.to_i.day.ago) && token.user && token.user.active? + token.user + end + end end # Makes find_by_mail case-insensitive app/models/user.rb @@ -18,6 +18,7 @@ http://www.redmine.org/ * Fixed: issues/show should accept user's rss key * Fixed: consistency of custom fields display on the issue detail view * Fixed: wiki comments length validation is missing +* Fixed: weak autologin token generation algorithm causes duplicate tokens == 2009-04-05 v0.8.3 doc/CHANGELOG 3f6656a495705890f22f0e186b1f0c1ee0953ba1 Jean-Philippe Lang jp_lang@yahoo.fr http://github.com/enderson/redmine/commit/e27460a0a78dffda999e2d2ea866554e0190da62 e27460a0a78dffda999e2d2ea866554e0190da62

2009-05-17T02:13:38-07:00

Backported r2740 to r2742 from trunk. git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/branches/0.8-stable@2747 e93f8b46-1217-0410-a6f0-8f06a7374b81 a3ff3707596dea11420324ff2e42d4de8e70309c Jean-Philippe Lang jp_lang@yahoo.fr