August 1st, 2002


Module Name: ljcom
Committed By: bradfitz
Date: Fri Aug 2 00:42:07 UTC 2002

Modified Files:
ljcom/cgi-bin/bml/scheme/dystopia: generic.look
ljcom/htdocs: comment_recv.bml

Log Message:
- remove some crap code in comment_recv.bml
- make dystopia get full remote

To generate a diff of this commit:
cvs rdiff -r1.32 -r1.33 ljcom/cgi-bin/bml/scheme/dystopia/generic.look
cvs rdiff -r1.7 -r1.8 ljcom/htdocs/comment_recv.bml


Module Name: livejournal
Committed By: bradfitz
Date: Fri Aug 2 00:46:16 UTC 2002

Modified Files:
livejournal/bin/upgrading: en.dat
livejournal/htdocs: changepassword.bml login.bml logout.bml modify_do.bml talkpost_do.bml
livejournal/htdocs/friends: edit_do.bml

Log Message:
Phase 1 of security enhancements.

-- login cookies no longer have md5 password in them ... use sessions

-- rate limit more (all?) places where passwords are checked. If there are ones I missed, I'd be very interested in knowing where.

-- don't mail clear text password on password change.

If no problems are found with this, the next phase will begin,
involving challenge/response logins (already working on fotobilder),
and the complete elimination of hidden hpassword fields, including
those in HTML emails. Instead, single use/single purpose cookies will
be used there.

Please, test this code out so we can get it running on
and begin phase 2.

To generate a diff of this commit:
cvs rdiff -r1.28 -r1.29 livejournal/bin/upgrading/en.dat
cvs rdiff -r1.72 -r1.73 livejournal/bin/upgrading/
cvs rdiff -r1.231 -r1.232 livejournal/cgi-bin/
cvs rdiff -r1.117 -r1.118 livejournal/cgi-bin/
cvs rdiff -r1.11 -r1.12 livejournal/htdocs/changepassword.bml
cvs rdiff -r1.14 -r1.15 livejournal/htdocs/login.bml
cvs rdiff -r1.12 -r1.13 livejournal/htdocs/logout.bml
cvs rdiff -r1.26 -r1.27 livejournal/htdocs/modify_do.bml
cvs rdiff -r1.71 -r1.72 livejournal/htdocs/talkpost_do.bml
cvs rdiff -r1.20 -r1.21 livejournal/htdocs/friends/edit_do.bml
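The cookie change the second commit message describes, as an added example that is not LiveJournal's own code: the legacy cookie carrying the md5 of the password beside a server-side session store with a rate-limited password check and server-side logout. The in-memory stores, the rate policy (five failures per minute per user) and md5 as the stored password hash are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Constructed stand-ins for the user, session and rate-limit tables.
USERS = {"alice": hashlib.md5(b"correct horse").hexdigest()}  # md5 assumed, as in the 2002 code
SESSIONS = {}            # session id -> (user, expiry time)
ATTEMPTS = {}            # user -> timestamps of recent failed password checks
RATE_WINDOW, RATE_MAX = 60.0, 5   # assumed policy: at most 5 failures per minute per user
SESSION_TTL = 30 * 24 * 3600      # assumed session lifetime in seconds

def legacy_cookie(user, password):
    """Old scheme: the cookie holds md5(password), so a stolen cookie is as
    good as the password, never expires and cannot be revoked server side."""
    return f"{user}:{hashlib.md5(password.encode()).hexdigest()}"

def _rate_limited(user, now):
    recent = [t for t in ATTEMPTS.get(user, []) if now - t < RATE_WINDOW]
    ATTEMPTS[user] = recent
    return len(recent) >= RATE_MAX

def login(user, password, now=None):
    """Rate-limited password check; on success issue a random session id.
    The cookie value never contains password material."""
    now = time.time() if now is None else now
    if _rate_limited(user, now):
        return None                       # refuse even a correct password while limited
    given = hashlib.md5(password.encode()).hexdigest()
    if not hmac.compare_digest(USERS.get(user, ""), given):
        ATTEMPTS.setdefault(user, []).append(now)
        return None
    sid = secrets.token_urlsafe(32)       # unguessable, unrelated to the password
    SESSIONS[sid] = (user, now + SESSION_TTL)
    return sid

def remote_from_cookie(sid, now=None):
    """Resolve a session cookie to the remote user; unknown or expired ids fail."""
    now = time.time() if now is None else now
    entry = SESSIONS.get(sid)
    if entry is None or entry[1] < now:
        SESSIONS.pop(sid, None)
        return None
    return entry[0]

def logout(sid):
    """Revoke the session server side, which a password-hash cookie could not do."""
    return SESSIONS.pop(sid, None) is not None
```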