From 926ec7a6b85e6e3f7335a8c5ddcccd51937ee2d8 Mon Sep 17 00:00:00 2001 From: "Jannis M. Hoffmann" Date: Fri, 8 Sep 2023 23:32:10 +0200 Subject: added a build configuration step --- lib/JWebmail/Controller/Webmail.pm | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) (limited to 'lib/JWebmail/Controller/Webmail.pm') diff --git a/lib/JWebmail/Controller/Webmail.pm b/lib/JWebmail/Controller/Webmail.pm index e06a8f7..94df668 100644 --- a/lib/JWebmail/Controller/Webmail.pm +++ b/lib/JWebmail/Controller/Webmail.pm @@ -8,6 +8,7 @@ use List::Util qw(any first); use Mojo::Util qw(encode decode b64_encode b64_decode); use Mojolicious::Types; +use JWebmail::Config 'LOGIN_SCHEME'; use JWebmail::View::Webmail; use JWebmail::View::RenderMail; @@ -72,7 +73,7 @@ sub _time :prototype(&$$) { sub login { my $self = shift; - my $uses_cram = $self->config->{session}{secure} eq 'cram'; + my $uses_cram = LOGIN_SCHEME eq fc 'cram_md5'; my $v = $self->validation; @@ -338,12 +339,12 @@ sub _rand_data { sub _session_passwd { my ($self, $passwd, $challenge) = @_; - my $secAlg = $self->config->{session}{secure}; + my $secAlg = LOGIN_SCHEME; $self->_warn_crypt; if (defined $passwd) { # set - if ($secAlg eq 'cram') { + if ($secAlg eq fc 'cram_md5') { $self->session(S_PASSWD() => $passwd, challenge => $challenge); } elsif ($secAlg eq 's3d') { @@ -352,7 +353,7 @@ sub _session_passwd { delete $self->session->{S_OTP_S3D_PW()}; return; } - die "'$passwd' contains invalid character \\n" if $passwd =~ /\n/; + die "'$passwd' contains invalid character \\n" if $passwd =~ /\n/; if (length $passwd < 20) { $passwd .= "\n" . ' ' x (20 - length($passwd) - 1); } @@ -366,7 +367,7 @@ sub _session_passwd { } } else { # get - if ($secAlg eq 'cram') { + if ($secAlg eq fc 'cram_md5') { wantarray or carp "you forgot the challenge"; return ($self->session(S_PASSWD), $self->session('challenge')); } @@ -472,18 +473,18 @@ Currently the following modes are supported: =over 6 -=item none +=item none The password is plainly stored in session cookie. The cookie is stored on the client side and send with every request. -=item cram +=item cram A nonce is send to the client and the cram_md5 is generated there via js and crypto-js. This is vulnurable to replay attacks as the nonce is not invalidated ever. -=item s3d +=item s3d The password is stored on the server. Additionally the password is encrypted by an one-time-pad that is stored in the users cookie. -- cgit v1.2.3