[RADIATOR] Minor AuthBy SQLTOTP bug
Roy Badami
roy.badami at roboreus.com
Wed Aug 22 11:34:13 CDT 2012
Also potentially a (very minor) code bug in AuthSQLTOTP.pm
checkTOTP() doesn't correctly handle the case where $last_timestep is
undefined (due to a NULL in the database) if the PIN check fails. The
code does contain the line:
$last_timestep += 0; # In case database has NULL
but this line is skipped if the PIN is incorrect, leading to incorrect
SQL (at least in the case of postgres, which is my platform of choice).
Assuming the initial value of last_timestep is NULL (which is permitted
by the sample schema in totp.sql) then you get an SQL error if the first
ever log-in attempt involves typing an incorrect PIN:
Wed Aug 22 17:22:03 2012: DEBUG: Query to 'dbi:Pg:dbname=radiator':
'SELECT secret, active, pin, digits, bad_logins, EXTRACT(EPOCH FROM
accessed), last_timestep FROM totpkeys WHERE username='roy-test'':
Wed Aug 22 17:22:03 2012: DEBUG: do query to 'dbi:Pg:dbname=radiator':
'update totpkeys set accessed=now(), bad_logins=1, last_timestep= where
username='roy-test'':
Wed Aug 22 17:22:03 2012: ERR: do failed for 'update totpkeys set
accessed=now(), bad_logins=1, last_timestep= where username='roy-test'':
ERROR: syntax error at or near "where"
LINE 1: ... set accessed=now(), bad_logins=1, last_timestep= where user...
                                                             ^
Regards
roy
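The failure mode described above and the fix, as an added example that is not Radiator's code (AuthSQLTOTP.pm is Perl; this uses Python with an in-memory SQLite table whose column names follow the SELECT quoted in the report, with types, the sample row and the PIN value constructed here):

```python
import sqlite3

# Constructed stand-in for the totpkeys table in the sample totp.sql:
# column names come from the report's query, types are assumptions.
SCHEMA = """
CREATE TABLE totpkeys (
    username TEXT PRIMARY KEY, secret TEXT, active INTEGER, pin TEXT,
    digits INTEGER, bad_logins INTEGER DEFAULT 0, accessed TEXT,
    last_timestep INTEGER   -- NULL until the first successful login
);
"""

def new_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.execute("INSERT INTO totpkeys (username, secret, active, pin, digits) "
               "VALUES ('roy-test', 'constructed-secret', 1, '1234', 6)")
    return db

def build_update_buggy(bad_logins, last_timestep, username):
    # Mirrors the bug: the value is interpolated into the statement text and an
    # undefined/NULL value becomes an empty string, giving "last_timestep= where".
    value = "" if last_timestep is None else str(last_timestep)
    return (f"update totpkeys set accessed=CURRENT_TIMESTAMP, bad_logins={bad_logins}, "
            f"last_timestep={value} where username='{username}'")

def record_bad_pin_buggy(db, username):
    bad_logins, last_timestep = db.execute(
        "SELECT bad_logins, last_timestep FROM totpkeys WHERE username=?",
        (username,)).fetchone()
    # The "+= 0" coalescing step is skipped on the bad-PIN path, as in the report.
    try:
        db.execute(build_update_buggy(bad_logins + 1, last_timestep, username))
        return "ok"
    except sqlite3.OperationalError as e:
        return f"SQL error: {e}"

def record_bad_pin_fixed(db, username):
    bad_logins, last_timestep = db.execute(
        "SELECT bad_logins, last_timestep FROM totpkeys WHERE username=?",
        (username,)).fetchone()
    # Coalesce NULL before *every* path that writes it back, and bind the
    # values as parameters so the statement text never depends on them.
    last_timestep = 0 if last_timestep is None else last_timestep
    db.execute("update totpkeys set accessed=CURRENT_TIMESTAMP, bad_logins=?, "
               "last_timestep=? where username=?",
               (bad_logins + 1, last_timestep, username))
    return db.execute("SELECT bad_logins, last_timestep FROM totpkeys "
                      "WHERE username=?", (username,)).fetchone()
```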