projects / platal.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 2b1b17a)
Fixes a security hole that did allow a third party website to reuse a valid
authorVincent Zanotti <vincent.zanotti@polytechnique.org>
Sat, 11 Oct 2008 18:58:47 +0000 (20:58 +0200)
committerVincent Zanotti <vincent.zanotti@polytechnique.org>
Sat, 11 Oct 2008 19:03:19 +0000 (21:03 +0200)
(challenge, response) pair. This pair, obtainable externally from an approved
groupex website, enabled it to discover personal information from Xs with a
permanent/valid cookie on Xorg.

The fix forces return url to match a defined regexp; backward compatibility is
retained, though the hole won't be fixed until all entries in groupex_auth are
added a non-empty return url regexp.

Signed-off-by: Vincent Zanotti <vincent.zanotti@polytechnique.org>
modules/auth.php patch | blob | blame | history
upgrade/0.9.17/07_auth_groupex.sql [new file with mode: 0644] patch | blob

diff --git a/modules/auth.php b/modules/auth.php
index ca07e32..79f495d 100644 (file)
--- a/modules/auth.php
+++ b/modules/auth.php
@@ -159,12 +159,14 @@ class AuthModule extends PLModule
         }
 
         /* on parcourt les entrees de groupes_auth */
-        $res = XDB::iterRow('SELECT privkey, name, datafields FROM groupesx_auth');
+        $res = XDB::iterRow('SELECT privkey, name, datafields, returnurls FROM groupesx_auth');
 
-        while (list($privkey,$name,$datafields) = $res->next()) {
+        while (list($privkey,$name,$datafields,$returnurls) = $res->next()) {
             if (md5($gpex_challenge.$privkey) == $gpex_pass) {
-                $returl = $gpex_url . gpex_make_params($gpex_challenge, $privkey, $datafields, $charset);
-                http_redirect($returl);
+                if ($returnurls == "" || @preg_match($returnurls, $gpex_url)) {
+                    $returl = $gpex_url . gpex_make_params($gpex_challenge, $privkey, $datafields, $charset);
+                    http_redirect($returl);
+                }
             }
         }
 
@@ -180,6 +182,7 @@ class AuthModule extends PLModule
         $table_editor->describe('name','nom',true);
         $table_editor->describe('privkey','clé privée',false);
         $table_editor->describe('datafields','champs renvoyés',true);
+        $table_editor->describe('returnurls','urls de retour',true);
         $table_editor->apply($page, $action, $id);
     }
 }
diff --git a/upgrade/0.9.17/07_auth_groupex.sql b/upgrade/0.9.17/07_auth_groupex.sql
new file mode 100644 (file)
index 0000000..881755a
--- /dev/null
+++ b/upgrade/0.9.17/07_auth_groupex.sql
@@ -0,0 +1,3 @@
+ALTER TABLE groupesx_auth ADD COLUMN returnurls VARCHAR(255) NOT NULL;
+
+# vim:set syntax=mysql:
plat/al