Check-in [86cbb69af2]

SHA1 Hash:86cbb69af2db4a05f600ff6a073618f0a89365e7
Date: 2009-12-29 00:11:21
User: drh
Comment:Only record the first 16 bits of the 32-bit IP address as part of the anonymous login cookie.


Modified src/login.c from [dc8655318b] to [c5e94568c7].

@@ -79,10 +79,29 @@
     fossil_redirect_home();
   }
 }
 
 /*
+** The IP address of the client is stored as part of the anonymous
+** login cookie for additional security.  But some clients are behind
+** firewalls that shift the IP address with each HTTP request.  To
+** allow such (broken) clients to log in, extract just a prefix of the
+** IP address.
+*/
+static char *ipPrefix(const char *zIP){
+  int i, j;
+  for(i=j=0; zIP[i]; i++){
+    if( zIP[i]=='.' ){
+      j++;
+      if( j==2 ) break;
+    }
+  }
+  return mprintf("%.*s", j, zIP);
+}
+
+
+/*
 ** Check to see if the anonymous login is valid.  If it is valid, return
 ** the userid of the anonymous user.
 */
 static int isValidAnonymousLogin(
   const char *zUsername,  /* The username.  Must be "anonymous" */
@@ -168,11 +187,11 @@
 
     zIpAddr = PD("REMOTE_ADDR","nil");
     zCookieName = login_cookie_name();
     zNow = db_text("0", "SELECT julianday('now')");
     blob_init(&b, zNow, -1);
-    blob_appendf(&b, "/%s/%s", zIpAddr, db_get("captcha-secret",""));
+    blob_appendf(&b, "/%z/%s", ipPrefix(zIpAddr), db_get("captcha-secret",""));
     sha1sum_blob(&b, &b);
     zCookie = sqlite3_mprintf("anon/%s/%s", zNow, blob_buffer(&b));
     blob_reset(&b);
     free(zNow);
     cgi_set_cookie(zCookieName, zCookie, 0, 6*3600);
@@ -358,11 +377,12 @@
       rTime = atof(&zCookie[5]);
       for(i=5; zCookie[i] && zCookie[i]!='/'; i++){}
       blob_init(&b, &zCookie[5], i-5);
       if( zCookie[i]=='/' ){ i++; }
       blob_append(&b, "/", 1);
-      blob_appendf(&b, "%s/%s", zRemoteAddr, db_get("captcha-secret",""));
+      blob_appendf(&b, "%z/%s", ipPrefix(zRemoteAddr),
+                   db_get("captcha-secret",""));
       sha1sum_blob(&b, &b);
       uid = db_int(0,
           "SELECT uid FROM user WHERE login='anonymous'"
           " AND length(cap)>0"
           " AND length(pw)>0"