Re: [sympa-users] Local password reset when subscribing via email

Subject: The mailing list for listmasters using Sympa

  • From: Pat Allen <address@concealed>
  • To: David Verdin <address@concealed>
  • Cc: address@concealed
  • Subject: Re: [sympa-users] Local password reset when subscribing via email
  • Date: Thu, 2 Aug 2018 20:23:16 +0000 (GMT)

Hi David,

Sorry to bother you about this but I've just upgraded to 6.2.34 (Soji's
CentOS 7 binaries) from 6.2.24 (Source on CentOS 6). This bug still exists in
6.2.34; if I try to subscribe to a list using email, my password is reset and
I'm unable to login via the web interface.

I took a look at the patch that you sent me for User.pm and I couldn't find
that code in the 6.2.34 release.

Any help would be greatly appreciated.

Pat

----- Original Message -----
From: "David Verdin" <address@concealed>
To: "Pat Allen" <address@concealed>
Cc: address@concealed
Sent: Monday, April 16, 2018 1:07:18 AM
Subject: Re: [sympa-users] Local password reset when subscribing via email

Hi Pat and sorry for the delay,

Actually, the bug is fixed and you could try the attached patch.

It should be in the code already but I messed up with branches and I
must re-commit it.

In the meantime, the patch will do.

Regards,

David


On 12/04/2018 16:41, Pat Allen wrote:
> Hi David,
>
> My management has asked me if there is any estimate on how long it might
> take to get this bug fixed. We stumbled upon it when testing a new
> front-end that we had put together allowing our users to browse / subscribe
> / unsubscribe multiple lists at one time. That project is on hold until
> this gets fixed since we can't have our users' passwords being trampled.
>
> Thanks!
> Pat
>
> ----- Original Message -----
> From: "David Verdin" <address@concealed>
> To: address@concealed
> Sent: Tuesday, March 27, 2018 8:47:43 AM
> Subject: Re: [sympa-users] Local password reset when subscribing via email
>
> Hi Pat,
>
> This is a bug indeed and I can reproduce it. I never noticed this
> because all our servers are now federated so we log in using identity
> providers.
>
> I'll check that.
>
> Regards,
>
> David
>
>
> On 27/03/2018 17:01, Pat Allen wrote:
>> Hi everyone,
>>
>> I've upgraded our production server to 6.2.24 and this is becoming an
>> issue. Can anyone tell me if this behavior is by design or if this is a
>> bug? (I can't find anything on the bug tracker.) Every time I subscribe to
>> a list via email, I need to reset my password on the server. This is
>> annoying to say the least.
>>
>> Thanks!
>> Pat
>>
>> ----- Original Message -----
>> From: "Pat Allen" <address@concealed>
>> To: address@concealed
>> Sent: Thursday, March 22, 2018 11:23:38 AM
>> Subject: Local password reset when subscribing via email
>>
>> Good morning!
>>
>> I first noticed this on our production 6.1.3 system and have duplicated it
>> on our test 6.2.24 system.
>>
>> I have a local user account (e.g. address@concealed). I can login OK to the
>> web interface and manage my subscriptions. Then I send an email to
>> address@concealed with the subject "SUBSCRIBE listname
>> address@concealed". I am successfully subscribed to the list and receive
>> confirmation from the software.
>>
>> However, my password is no longer valid on the web interface. When I try
>> to login, I get "Unable to continue: The username / password combination
>> provided was incorrect." I need to reset my password in order to continue.
>> This is problematic.
>>
>> Any help would be appreciated. Thanks!
>>
>> Pat
>>
>> Pat Allen
>> Monterey Bay Aquarium Research Institute (MBARI)
>>
>>

--
"Better to aim for perfection and miss it than to aim for mediocrity and
reach it."
- Francis Blanche
From cafe704088129c13e4c876266276c4fe914cc7bf Mon Sep 17 00:00:00 2001
From: dverdin <address@concealed>
Date: Wed, 11 Apr 2018 17:54:08 +0200
Subject: [PATCH] Fixing issue #167 along with problem reported on the list by
 Pat Allen: password was reset when subscribing to a list. When updating a
 user, password was systematically rehashed even if it was not a new password.
 Consequently, anytime a user was updated, the password was replaced by its own
 hash. Fixed by checking the database for a pre-existing password before
 computing the hash.

---
 src/lib/Sympa/User.pm | 42 ++++++++++++++++++++++++++++++++----------
 1 file changed, 32 insertions(+), 10 deletions(-)

diff --git a/src/lib/Sympa/User.pm b/src/lib/Sympa/User.pm
index c01772b..05cc9b4 100644
--- a/src/lib/Sympa/User.pm
+++ b/src/lib/Sympa/User.pm
@@ -508,22 +508,44 @@ sub update_global_user {
 
     $who = Sympa::Tools::Text::canonic_email($who);
 
-    ## use md5 fingerprint to store password
-    $values->{'password'} =
-        Sympa::User::password_fingerprint($values->{'password'})
-        if ($values->{'password'});
-
-    ## Canonicalize lang if possible.
-    $values->{'lang'} = Sympa::Language::canonic_lang($values->{'lang'})
-        || $values->{'lang'}
-        if $values->{'lang'};
-
+    ## Check whether password is already defined.
     my $sdm = Sympa::DatabaseManager->instance;
     unless ($sdm) {
         $log->syslog('err', 'Unavailable database connection');
         return undef;
     }
 
+
+    push @sth_stack, $sth;
+
+    $sth = $sdm->do_query(
+        "SELECT password_user FROM user_table WHERE (email_user=%s)",
+        $sdm->quote($who)
+    );
+    unless (defined $sth) {
+        $log->syslog('err',
+            'Could not check password information for user %s in user_table', $who);
+        $sth = pop @sth_stack;
+        return undef;
+    }
+
+    my $current_password = $sth->fetchrow();
+
+    $sth = pop @sth_stack;
+
+    if ($values->{'password'}) {
+        if($current_password ne $values->{'password'}) {
+            ## use hash fingerprint to store password
+            ## hashes that use salts will randomly generate one
+            $values->{'password'} = Sympa::User::password_fingerprint($values->{'password'}, undef);
+        }
+    }
+
+    ## Canonicalize lang if possible.
+    $values->{'lang'} = Sympa::Language::canonic_lang($values->{'lang'})
+        || $values->{'lang'}
+        if $values->{'lang'};
+
     my ($field, $value);
 
     ## Update each table
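Review bot: the new "unchanged password" test at `if($current_password ne $values->{'password'})` compares against a `$current_password` that is undef whenever the row does not exist yet or `password_user` is NULL, so with warnings enabled every such update emits an uninitialized-value warning before (correctly) falling through to hashing; `unless (defined $current_password and $current_password eq $values->{'password'})` keeps the behaviour and avoids that. Worth stating in the comment above the block that "unchanged" is recognised only when the caller writes back the exact stored fingerprint, which is what stops the hash-of-a-hash lockout this thread reports; any other value is treated as new plaintext and hashed. Style: `if(` should be `if (` to match the surrounding code, the `password_fingerprint(...)` line is well over the file's line width, and removing the blank after `## Canonicalize lang` while adding the `+` blank line leaves two consecutive empty lines before `push @sth_stack`.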
-- 
2.7.4

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature
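The double-hashing failure described in the commit message, modelled in Python as an added example (this is not Sympa's code): a pre-patch update that fingerprints whatever password value it is handed, beside the patched check against the stored value. The in-memory table, the `password_fingerprint` scheme and the sample address and passwords are constructed stand-ins for user_table and Sympa::User.

```python
import hashlib
import hmac
import os

def password_fingerprint(plain, salt=None):
    """Constructed stand-in for Sympa::User::password_fingerprint:
    salted SHA-256, with a fresh random salt when none is supplied."""
    salt = salt if salt is not None else os.urandom(8)
    digest = hashlib.sha256(salt + plain.encode("utf-8")).hexdigest()
    return "sha256$%s$%s" % (salt.hex(), digest)

def check_password(plain, fingerprint):
    """Recompute with the stored salt and compare in constant time."""
    _scheme, salt_hex, _digest = fingerprint.split("$")
    candidate = password_fingerprint(plain, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, fingerprint)

def update_user_buggy(table, who, values):
    """Pre-patch: every non-empty password value is hashed, including one
    that is already the stored fingerprint (hash of a hash)."""
    if values.get("password"):
        values["password"] = password_fingerprint(values["password"])
    table.setdefault(who, {}).update(values)

def update_user_fixed(table, who, values):
    """Patched: read the stored fingerprint first and hash only when the
    supplied value differs from it, i.e. a genuinely new password."""
    current = table.get(who, {}).get("password")  # None when no row yet
    if values.get("password") and values["password"] != current:
        values["password"] = password_fingerprint(values["password"])
    table.setdefault(who, {}).update(values)

def subscribe_scenario(update_user):
    """Replay the report: set a password via the web UI, then handle an
    email SUBSCRIBE that writes the user row back with an extra field.
    Returns whether the original password still logs in afterwards."""
    table, who = {}, "pat@example.org"          # constructed user_table and address
    update_user(table, who, {"password": "hunter2"})
    row = dict(table[who])                       # caller reads the row back...
    row["lang"] = "en"                           # ...touches an unrelated field...
    update_user(table, who, row)                 # ...and writes the whole row again
    return check_password("hunter2", table[who]["password"])

def change_password_scenario(update_user):
    """A real password change must still be hashed and then accepted."""
    table, who = {}, "pat@example.org"
    update_user(table, who, {"password": "hunter2"})
    update_user(table, who, {"password": "correct horse"})
    stored = table[who]["password"]
    return check_password("correct horse", stored) and stored.startswith("sha256$")
```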