Re: [sympa-users] Local password reset when subscribing via email

Subject: The mailing list for listmasters using Sympa

  • From: David Verdin <address@concealed>
  • To: Pat Allen <address@concealed>
  • Cc: address@concealed
  • Subject: Re: [sympa-users] Local password reset when subscribing via email
  • Date: Mon, 16 Apr 2018 10:07:18 +0200

Hi Pat and sorry for the delay,

Actually, the bug is fixed and you could try the attached patch.

It should be in the code already but I messed up with branches and I must re-commit it.

In the meantime, the patch will do.

Regards,

David


On 12/04/2018 16:41, Pat Allen wrote:
Hi David,

My management has asked me if there is any estimate on how long it might take
to get this bug fixed. We stumbled upon it when testing a new front-end that
we had put together allowing our users to browse / subscribe / unsubscribe
multiple lists at one time. That project is on hold until this gets fixed
since we can't have our users' passwords being trampled.

Thanks!
Pat

----- Original Message -----
From: "David Verdin" <address@concealed>
To: address@concealed
Sent: Tuesday, March 27, 2018 8:47:43 AM
Subject: Re: [sympa-users] Local password reset when subscribing via email

Hi Pat,

This is a bug indeed and I can reproduce it. I never noticed this
because all our servers are now federated so we log in using identity
providers.

I'll check that.

Regards,

David


On 27/03/2018 17:01, Pat Allen wrote:
Hi everyone,

I've upgraded our production server to 6.2.24 and this is becoming an issue.
Can anyone tell me if this behavior is by design or if this is a bug? (I
can't find anything on the bug tracker.) Every time I subscribe to a list via
email, I need to reset my password on the server. This is annoying to say the
least.

Thanks!
Pat

----- Original Message -----
From: "Pat Allen" <address@concealed>
To: address@concealed
Sent: Thursday, March 22, 2018 11:23:38 AM
Subject: Local password reset when subscribing via email

Good morning!

I first noticed this on our production 6.1.3 system and have duplicated it on
our test 6.2.24 system.

I have a local user account (e.g. address@concealed). I can log in OK to the web interface
and manage my subscriptions. Then I send an email to address@concealed with
the subject "SUBSCRIBE listname address@concealed". I am successfully subscribed
to the list and receive confirmation from the software.

However, my password is no longer valid on the web interface. When I try to login, I
get "Unable to continue: The username / password combination provided was
incorrect." I need to reset my password in order to continue. This is problematic.

Any help would be appreciated. Thanks!

Pat

Pat Allen
Monterey Bay Aquarium Research Institute (MBARI)



--
"It is better to aim for perfection and miss it than to aim for mediocrity and
achieve it."
- Francis Blanche

From cafe704088129c13e4c876266276c4fe914cc7bf Mon Sep 17 00:00:00 2001
From: dverdin <address@concealed>
Date: Wed, 11 Apr 2018 17:54:08 +0200
Subject: [PATCH] Fixing issue #167 along with problem reported on the list by
 Pat Allen: password was reset when subscribing to a list. When updating a
 user, password was systematically rehashed even if it was not a new password.
 Consequently, anytime a user was updated, the password replaced by its own
 hash. Fixed by checking the database for a pre-existing password before
 computing the hash.

---
 src/lib/Sympa/User.pm | 42 ++++++++++++++++++++++++++++++++----------
 1 file changed, 32 insertions(+), 10 deletions(-)

diff --git a/src/lib/Sympa/User.pm b/src/lib/Sympa/User.pm
index c01772b..05cc9b4 100644
--- a/src/lib/Sympa/User.pm
+++ b/src/lib/Sympa/User.pm
@@ -508,22 +508,44 @@ sub update_global_user {
 
     $who = Sympa::Tools::Text::canonic_email($who);
 
-    ## use md5 fingerprint to store password
-    $values->{'password'} =
-        Sympa::User::password_fingerprint($values->{'password'})
-        if ($values->{'password'});
-
-    ## Canonicalize lang if possible.
-    $values->{'lang'} = Sympa::Language::canonic_lang($values->{'lang'})
-        || $values->{'lang'}
-        if $values->{'lang'};
-
+    ## Check whether password is already defined.
     my $sdm = Sympa::DatabaseManager->instance;
     unless ($sdm) {
         $log->syslog('err', 'Unavailable database connection');
         return undef;
     }
 
+
+    push @sth_stack, $sth;
+
+    $sth = $sdm->do_query(
+        "SELECT password_user FROM user_table WHERE (email_user=%s)",
+        $sdm->quote($who)
+    );
+    unless (defined $sth) {
+        $log->syslog('err',
+            'Could not check password information for user %s in user_table', $who);
+        $sth = pop @sth_stack;
+        return undef;
+    }
+
+    my $current_password = $sth->fetchrow();
+
+    $sth = pop @sth_stack;
+
+    if ($values->{'password'}) {
+        if($current_password ne $values->{'password'}) {
+            ## use hash fingerprint to store password
+            ## hashes that use salts will randomly generate one
+            $values->{'password'} = Sympa::User::password_fingerprint($values->{'password'}, undef);
+        }
+    }
+
+    ## Canonicalize lang if possible.
+    $values->{'lang'} = Sympa::Language::canonic_lang($values->{'lang'})
+        || $values->{'lang'}
+        if $values->{'lang'};
+
     my ($field, $value);
 
     ## Update each table
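Review bot: the new-password test `if($current_password ne $values->{'password'})` treats "the supplied value equals the stored fingerprint" as the only signal that the password is unchanged, which is fragile in two visible ways. First, when `SELECT password_user FROM user_table WHERE (email_user=%s)` matches no row (a user being created), `$sth->fetchrow()` returns undef and the `ne` comparison emits an uninitialized-value warning; guard it with `defined $current_password and ...` (or treat undef as "hash it"). Second, the check cannot distinguish a caller that deliberately sets a password from one that just writes the record back, so any caller that passes a plaintext password through twice will still double-hash; a more robust fix is to have callers omit `password` from `$values` unless it really changed, and keep this lookup only as a safety net. Also note that the replaced call was `password_fingerprint($values->{'password'})` with one argument while the new one passes `(..., undef)`; the hunk does not show that the function accepts a second (salt) argument, so confirm the signature. Minor style: the added `+` blank line right after the `unless ($sdm) { ... }` block leaves two consecutive empty lines.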
-- 
2.7.4

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature
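The failure mode the commit message describes (the stored hash being replaced by the hash of itself whenever a user record is written back), modelled in Python as an added example; this is not Sympa's code. `password_fingerprint` is a constructed stand-in for `Sympa::User::password_fingerprint`, and the subscribe path writing the whole user record back, password column included, is an assumption about the caller.

```python
import hashlib


def password_fingerprint(password: str) -> str:
    # Constructed stand-in for Sympa::User::password_fingerprint; not Sympa's real scheme.
    return "demo$" + hashlib.sha256(password.encode()).hexdigest()


def update_global_user_buggy(user_table: dict, who: str, values: dict) -> None:
    # Pre-patch behaviour: any truthy 'password' in values is fingerprinted unconditionally,
    # so a record written back unchanged ends up holding hash(hash(password)).
    if values.get("password"):
        values = dict(values, password=password_fingerprint(values["password"]))
    user_table.setdefault(who, {}).update(values)


def update_global_user_fixed(user_table: dict, who: str, values: dict) -> None:
    # Patched behaviour: read the stored fingerprint first and only hash when the supplied
    # value is not that fingerprint, i.e. when it really is a new password.
    current = user_table.get(who, {}).get("password")  # None when no row exists yet
    if values.get("password") and values["password"] != current:
        values = dict(values, password=password_fingerprint(values["password"]))
    user_table.setdefault(who, {}).update(values)


def subscribe_via_email(user_table: dict, who: str, listname: str, update) -> None:
    # Assumption: the subscription path rewrites the full user record, including the
    # password column it just read, which is what triggers the rehash in the buggy path.
    record = dict(user_table[who])
    record["lists"] = record.get("lists", []) + [listname]
    update(user_table, who, record)


def web_login_ok(user_table: dict, who: str, password: str) -> bool:
    return user_table.get(who, {}).get("password") == password_fingerprint(password)


def scenario(update) -> tuple:
    # Returns (login works before subscribing, login works after subscribing).
    table = {}
    update(table, "pat@example.org", {"password": "correct horse"})  # constructed account
    before = web_login_ok(table, "pat@example.org", "correct horse")
    subscribe_via_email(table, "pat@example.org", "listname", update)
    after = web_login_ok(table, "pat@example.org", "correct horse")
    return before, after
```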




Archive powered by MHonArc 2.6.19+.
