
Differences From:

File src/login.c part of check-in [00b778bd58] - Added new config option with the rather unwieldy name 'anon-login-enable-captcha-filler' by stephan on 2009-12-07 22:42:42. Also file src/login.c part of check-in [1c2d878d12] - Merge with trunk by btheado on 2009-12-13 01:16:13. [view]

To:

File src/login.c part of check-in [5d16ca43f1] - Fix a bug in the IP address truncator. Ticket a09798ba9e. by drh on 2009-12-29 20:52:27. Also file src/login.c part of check-in [76bc05d739] - merge with trunk by btheado on 2009-12-30 20:33:59. [view]

@@ -80,8 +80,27 @@
   }
 }
 
 /*
+** The IP address of the client is stored as part of the anonymous
+** login cookie for additional security.  But some clients are behind
+** firewalls that shift the IP address with each HTTP request.  To
+** allow such (broken) clients to log in, extract just a prefix of the
+** IP address.
+*/
+static char *ipPrefix(const char *zIP){
+  int i, j;
+  for(i=j=0; zIP[i]; i++){
+    if( zIP[i]=='.' ){
+      j++;
+      if( j==2 ) break;
+    }
+  }
+  return mprintf("%.*s", i, zIP);
+}
+
+
+/*
 ** Check to see if the anonymous login is valid.  If it is valid, return
 ** the userid of the anonymous user.
 */
 static int isValidAnonymousLogin(
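Review bot: The header comment on ipPrefix says the client IP is kept in the cookie "for additional security", but after this change only the first two dotted groups are hashed, so a captured anonymous cookie replays from any address in the same /16 — for a typical ISP that is a very large population, not a single client. The comment should state that trade-off so nobody reads the IP binding as stronger than it is, e.g. `** Only the first two octets are kept, so the cookie is bound to a /16, not to one client; this is a deliberate usability trade-off.` Addresses without a dot (an IPv6 REMOTE_ADDR, or the "nil" placeholder used elsewhere in this file) pass through the loop unchanged and are hashed in full, which is fine but deserves a line in the comment. The returned string is allocated by mprintf and must be released by the caller; both call sites in this diff hand it to `%z`, which presumably takes ownership — confirm that is what Fossil's `%z` conversion does.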
@@ -169,9 +188,9 @@
     zIpAddr = PD("REMOTE_ADDR","nil");
     zCookieName = login_cookie_name();
     zNow = db_text("0", "SELECT julianday('now')");
     blob_init(&b, zNow, -1);
-    blob_appendf(&b, "/%s/%s", zIpAddr, db_get("captcha-secret",""));
+    blob_appendf(&b, "/%z/%s", ipPrefix(zIpAddr), db_get("captcha-secret",""));
     sha1sum_blob(&b, &b);
     zCookie = sqlite3_mprintf("anon/%s/%s", zNow, blob_buffer(&b));
     blob_reset(&b);
     free(zNow);
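Review bot: The cookie hash on the changed blob_appendf line is SHA1 over the public timestamp, the client's own IP prefix and `db_get("captcha-secret","")`, whose fallback is the empty string; I cannot see from this hunk whether captcha-secret is guaranteed to exist before an anonymous cookie is issued. If it can be unset, every component of the hash is known to the client and the anonymous cookie can be forged for any /16 — a guard such as `if( zSecret[0]==0 ) fossil_fatal("captcha-secret is not configured");` (or generating one on first use) would close that, assuming the surrounding code does not already. The enclosing function starts before this hunk.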
@@ -251,10 +270,10 @@
   @ You must configure your web browser to accept cookies in order for
   @ the login to take.</p>
   if( zAnonPw ){
     unsigned int uSeed = captcha_seed();
-    char const * zDecoded = captcha_decode(uSeed);
-    int iAllowPasswordFill = db_get_boolean( "anon-login-enable-captcha-filler", 0 );
+    char const *zDecoded = captcha_decode(uSeed);
+    int bAutoCaptcha = db_get_boolean("auto-captcha", 0);
     char *zCaptcha = captcha_render(zDecoded);
 
     @ <input type="hidden" name="cs" value="%u(uSeed)"/>
     @ <p>Visitors may enter <b>anonymous</b> as the user-ID with
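Review bot: The setting is renamed from 'anon-login-enable-captcha-filler' to 'auto-captcha' at the db_get_boolean call, but nothing in this diff migrates the old value, so a repository that had already enabled the filler silently loses it after upgrade. If the old name is not carried over elsewhere, a one-time fallback keeps behaviour intact: `int bAutoCaptcha = db_get_boolean("auto-captcha", db_get_boolean("anon-login-enable-captcha-filler", 0));` — or at minimum a comment recording the rename. The enclosing function starts before this hunk.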
@@ -261,10 +280,12 @@
     @ the 8-character hexadecimal password shown below:</p>
     @ <center><table border="1" cellpadding="10"><tr><td><pre>
     @ %s(zCaptcha)
     @ </pre></td></tr></table>
-    if( iAllowPasswordFill ) {
-        @ <input type="button" value="Fill out captcha" onclick="document.getElementById('u').value='anonymous'; document.getElementById('p').value='%s(zDecoded)';"/>
+    if( bAutoCaptcha ) {
+        @ <input type="button" value="Fill out captcha"
+        @  onclick="document.getElementById('u').value='anonymous';
+        @           document.getElementById('p').value='%s(zDecoded)';"/>
     }
     @ </center>
     free(zCaptcha);
   }
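Review bot: When bAutoCaptcha is set, the decoded captcha answer is written into the page as plain text inside the onclick attribute, so the captcha no longer stops anything that can read HTML — the option removes the anti-bot check entirely, not just the typing. That is presumably intended for sites that only want the IP-bound anonymous cookie, but the consequence should be documented at the point of use, e.g. `/* auto-captcha embeds the answer in the page: this disables the captcha's bot protection and only makes sense where anonymous access is not meant to be gated. */`. zDecoded is emitted with %s inside a JavaScript string inside an HTML attribute; if captcha_decode yields only the 8 hex characters the prose above describes this is safe, but an HTML-escaping conversion (`%h`, if Fossil's printf provides it here) would drop the dependence on that assumption. The enclosing function starts before this hunk.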
@@ -357,9 +378,10 @@
       for(i=5; zCookie[i] && zCookie[i]!='/'; i++){}
       blob_init(&b, &zCookie[5], i-5);
       if( zCookie[i]=='/' ){ i++; }
       blob_append(&b, "/", 1);
-      blob_appendf(&b, "%s/%s", zRemoteAddr, db_get("captcha-secret",""));
+      blob_appendf(&b, "%z/%s", ipPrefix(zRemoteAddr),
+                   db_get("captcha-secret",""));
       sha1sum_blob(&b, &b);
       uid = db_int(0,
           "SELECT uid FROM user WHERE login='anonymous'"
           " AND length(cap)>0"
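Review bot: The hash recomputed on the changed blob_appendf lines now covers ipPrefix(zRemoteAddr), so anonymous cookies issued before this change (hashed over the full address) stop validating after upgrade; users are merely logged out, which is acceptable, but the commit message should say so. The loop at the top of the hunk reads from zCookie[5] onward and so assumes an "anon/" prefix was verified earlier; the enclosing function starts and ends outside the hunk, so I cannot confirm that check or see how the computed hash is compared against the cookie. A one-line comment above the loop, `/* zCookie is "anon/<julianday>/<sha1>"; prefix verified above */`, would make the assumption explicit.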