From 46acf73e2889842a79a39114263580ee231b32f5 Mon Sep 17 00:00:00 2001
From: Christian Pointner <equinox@spreadspace.org>
Date: Mon, 27 Jul 2015 23:26:49 +0200
Subject: explicitly disallow empty tokens


diff --git a/lib/RHRD/rddb.pm b/lib/RHRD/rddb.pm
index dcd5715..6a1d925 100755
--- a/lib/RHRD/rddb.pm
+++ b/lib/RHRD/rddb.pm
@@ -75,6 +75,9 @@ sub get_token
 sub set_token
 {
   my ($dbh, $username, $token) = @_;
+  if(!defined $token || $token eq '') {
+    return (undef, 'ERROR', "empty token is not allowed")
+  }
 
   my $sql = qq{update USERS set PASSWORD = ? where LOGIN_NAME = ?;};
   my $rows = $dbh->do($sql, undef, $token, $username)
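Review bot: The same three-line guard is pasted into set_token here and again into check_token and add_user in the next two hunks, so the rule for an acceptable token now lives in three places. A private helper would stop the copies drifting apart if the rule is tightened later, for example `sub _token_is_empty { my ($t) = @_; return !defined $t || $t eq ''; }`, with each sub doing `return (undef, 'ERROR', "empty token is not allowed") if _token_is_empty($token);`. The `return` inside the block also has no terminating semicolon, which is legal Perl but easy to break when a statement is added after it. set_token's body continues outside the hunk.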
@@ -89,6 +92,9 @@ sub set_token
 sub check_token
 {
   my ($dbh, $username, $token) = @_;
+  if(!defined $token || $token eq '') {
+    return (undef, 'ERROR', "empty token is not allowed")
+  }
 
   my $sql = qq{select PASSWORD from USERS where LOGIN_NAME = ?;};
   my $sth = $dbh->prepare($sql)
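Review bot: The guard added to check_token has no comment saying why an empty token is refused, although this is the copy that protects the authentication path. Judging by the insert in add_user, which fills the other text columns with `""`, rows with an empty PASSWORD may exist in USERS (inferred, since the table contents are not visible). Without the guard, an empty token could presumably match such a row in the comparison that follows outside the hunk. I would add `# never let an empty token authenticate, even if the stored PASSWORD is empty` above the `if`, so the check is not later removed as redundant input validation.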
@@ -113,6 +119,9 @@ sub check_token
 sub add_user
 {
   my ($dbh, $username, $token) = @_;
+  if(!defined $token || $token eq '') {
+    return (undef, 'ERROR', "empty token is not allowed")
+  }
 
   my $sql = qq{insert into USERS (LOGIN_NAME, FULL_NAME, PHONE_NUMBER, DESCRIPTION, PASSWORD, ENABLE_WEB, ADMIN_USERS_PRIV, ADMIN_CONFIG_PRIV, CREATE_CARTS_PRIV, DELETE_CARTS_PRIV, MODIFY_CARTS_PRIV, EDIT_AUDIO_PRIV, ASSIGN_CART_PRIV, CREATE_LOG_PRIV, DELETE_LOG_PRIV, DELETE_REC_PRIV, PLAYOUT_LOG_PRIV, ARRANGE_LOG_PRIV, MODIFY_TEMPLATE_PRIV, ADDTO_LOG_PRIV, REMOVEFROM_LOG_PRIV, CONFIG_PANELS_PRIV, VOICETRACK_LOG_PRIV, EDIT_CATCHES_PRIV, ADD_PODCAST_PRIV, EDIT_PODCAST_PRIV, DELETE_PODCAST_PRIV) values ( ?, "", "", "", ? , "N", "N", "N", "Y", "Y", "Y", "Y", "N", "N", "N", "N", "N", "N", "N", "N", "N", "N", "N", "N", "N", "N", "N");};
   my $sth = $dbh->prepare($sql)
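Review bot: add_user now rejects an empty `$token` but still passes `$username` to the insert unchecked, so an undefined or empty login name would be bound to LOGIN_NAME as it is. The same kind of guard before the SQL would close that gap: `if(!defined $username || $username eq '') { return (undef, 'ERROR', "empty username is not allowed"); }`. Whether the schema or the callers already prevent this cannot be seen from the hunk, and add_user's body continues outside it.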
-- 
cgit v0.10.2