[Tickets #10423] Horde_Auth_Sql 1.0.4 expiration feature severely broken - if I am not completely wrong

bugs at horde.org bugs at horde.org
Thu Aug 11 23:19:32 UTC 2011


DO NOT REPLY TO THIS MESSAGE. THIS EMAIL ADDRESS IS NOT MONITORED.

Ticket URL: http://bugs.horde.org/ticket/10423
------------------------------------------------------------------------------
  Ticket             | 10423
  Created By         | Ralf Lang (B1 Systems GmbH) <lang at b1-systems.de>
  Summary            | Horde_Auth_Sql 1.0.4 expiration feature severely broken
                     | - if I am not completely wrong
  Queue              | Horde Framework Packages
  Version            | Git master
  Type               | Bug
  State              | Unconfirmed
  Priority           | 1. Low
  Milestone          |
  Patch              |
  Owners             |
------------------------------------------------------------------------------


Ralf Lang (B1 Systems GmbH) <lang at b1-systems.de> (2011-08-11 23:19) wrote:

Excuse me if I got something wrong and this is all bogus.

The Horde_Auth_Sql driver provides account password expiration in a  
soft (warn) and hard (lock) flavour.

To me this feature looks totally broken in Horde 4.

1) The migration file creates the soft and hard timestamp fields as  
signed int 11 rather than unsigned. (tested on mysql)

2) The calculation routine produces a negative value for the soft and  
hard expiration timestamp. This means users changing their password  
would get immediately expired accounts if it weren't for 5)

3) The hard expiration timestamp is calculated via soft_expiration_window.

4) The hard expiration timestamp is completely ignored if soft  
expiration is not configured - is this intended? The calculation of  
hard_expiration_date at least looks a little like this could be true -  
but see 3)

5) If hard expiration is configured, changing users is completely  
broken because the generated SQL has more values than fields (or the  
other way around; the last value is treated as a key).

6) The addUser routine doesn't initialize these additional fields. As  
a result, all accounts last forever until the user changes credentials  
for the first time.

I have checked this against 1.0.4 after I had initial issues with git,  
where I checked in my own additions today.

What puzzles me is the math bit. I think it dates back to horde3 and I  
doubt it could be broken for so long without anybody noticing.

I think I can fix this as I'm working on #10387 already.

Just want somebody to verify I'm not chasing my very own installation  
troubles.
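For readers following the six points above, here is an added, stand-alone illustration (not Horde code, and not part of the ticket) of how a soft/hard password-expiration scheme is expected to behave: both timestamps are computed forward from the password-change time so they can never be negative, the hard window is applied from its own setting rather than the soft one, an account with only a hard window still locks, new accounts get both fields initialised, and the UPDATE statement is generated so that its column and parameter counts cannot drift apart. The table and column names (`users`, `soft_expiration`, `hard_expiration`) and the sample timestamps are constructed for the example; SQLite stands in for the real database.

```python
"""Added illustration of a soft (warn) / hard (lock) password-expiration
scheme. Not Horde's code: table and column names are assumed, and the
sample data is constructed for the example."""

import sqlite3

SECONDS_PER_DAY = 86400


def expiration_timestamps(changed_at, soft_days=None, hard_days=None):
    """Return (soft_expiration, hard_expiration) as Unix timestamps or None.

    changed_at: Unix timestamp at which the password was set.
    soft_days / hard_days: window lengths in days; None (or 0) means the
    window is not configured. Each window is derived from its own setting,
    and a result earlier than changed_at (e.g. from a negative window) is
    rejected rather than stored as a negative or past timestamp.
    """
    soft = changed_at + soft_days * SECONDS_PER_DAY if soft_days else None
    hard = changed_at + hard_days * SECONDS_PER_DAY if hard_days else None
    for ts in (soft, hard):
        if ts is not None and ts < changed_at:
            raise ValueError("expiration must not precede the password change")
    return soft, hard


def expiration_state(now, soft, hard):
    """Classify an account as 'ok', 'warn' (soft passed) or 'locked' (hard passed).

    Hard expiration is checked first and independently of soft, so an
    account with only a hard window configured still locks.
    """
    if hard is not None and now >= hard:
        return "locked"
    if soft is not None and now >= soft:
        return "warn"
    return "ok"


def build_update(table, key_column, key_value, fields):
    """Build a parameterised UPDATE whose SET list and parameter list come
    from the same dict, so the key can never be mistaken for a field value."""
    columns = list(fields)
    sql = "UPDATE %s SET %s WHERE %s = ?" % (
        table, ", ".join("%s = ?" % c for c in columns), key_column)
    params = [fields[c] for c in columns] + [key_value]
    assert sql.count("?") == len(params)
    return sql, params


def demo(now=1_313_100_000):
    """Round trip through an in-memory table: create a user with both fields
    initialised, change the password, and classify the account over time."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (uid TEXT PRIMARY KEY, pass TEXT, "
                 "soft_expiration INTEGER, hard_expiration INTEGER)")
    soft, hard = expiration_timestamps(now, soft_days=30, hard_days=60)
    # Account creation initialises both fields, so it does not live forever.
    conn.execute("INSERT INTO users VALUES (?, ?, ?, ?)",
                 ("alice", "hash-placeholder", soft, hard))
    # Password change 10 days later: windows recomputed from the new change time.
    later = now + 10 * SECONDS_PER_DAY
    soft2, hard2 = expiration_timestamps(later, soft_days=30, hard_days=60)
    sql, params = build_update("users", "uid", "alice", {
        "pass": "hash-placeholder-2",
        "soft_expiration": soft2,
        "hard_expiration": hard2,
    })
    conn.execute(sql, params)
    row = conn.execute("SELECT soft_expiration, hard_expiration FROM users "
                       "WHERE uid = ?", ("alice",)).fetchone()
    return {
        "soft": row[0],
        "hard": row[1],
        "state_now": expiration_state(now, row[0], row[1]),
        "state_45d": expiration_state(later + 45 * SECONDS_PER_DAY, row[0], row[1]),
        "state_90d": expiration_state(later + 90 * SECONDS_PER_DAY, row[0], row[1]),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the account as `ok` right after creation, `warn` 45 days after the password change (soft window of 30 days passed, hard window of 60 not yet) and `locked` at 90 days. Storing the timestamps in an unsigned or wide enough integer column is a separate schema concern that this illustration does not cover.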
