From: Vincent Zanotti
Date: Sat, 11 Oct 2008 18:58:47 +0000 (+0200)
Subject: Fixes a security hole that did allow a third party website to reuse a valid
X-Git-Tag: xorg/0.9.17~11
X-Git-Url: http://git.polytechnique.org/?a=commitdiff_plain;h=e10bc2efb2f84bb7f503d9abb458d730535e5286;p=platal.git
Fixes a security hole that did allow a third party website to reuse a valid (challenge, response) pair. This pair, obtainable externally from an approved groupex website, enabled it to discover personal information from Xs with a permanent/valid cookie on Xorg. The fix forces return url to match a defined regexp; backward compatibility is retained, though the hole won't be fixed until all entries in groupex_auth are added a non-empty return url regexp.
Signed-off-by: Vincent Zanotti
---
diff --git a/modules/auth.php b/modules/auth.php
index ca07e32..79f495d 100644
--- a/modules/auth.php
+++ b/modules/auth.php
@@ -159,12 +159,14 @@ class AuthModule extends PLModule
 }
 /* on parcourt les entrees de groupes_auth */
- $res = XDB::iterRow('SELECT privkey, name, datafields FROM groupesx_auth');
+ $res = XDB::iterRow('SELECT privkey, name, datafields, returnurls FROM groupesx_auth');
- while (list($privkey,$name,$datafields) = $res->next()) {
+ while (list($privkey,$name,$datafields,$returnurls) = $res->next()) {
 if (md5($gpex_challenge.$privkey) == $gpex_pass) {
- $returl = $gpex_url . gpex_make_params($gpex_challenge, $privkey, $datafields, $charset);
- http_redirect($returl);
+ if ($returnurls == "" || @preg_match($returnurls, $gpex_url)) {
+ $returl = $gpex_url . gpex_make_params($gpex_challenge, $privkey, $datafields, $charset);
+ http_redirect($returl);
+ }
 }
 }
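Review bot: The new `preg_match($returnurls, $gpex_url)` check is only as strict as the stored pattern, because preg_match looks for a match anywhere in the subject: a pattern without `^`/`$` anchors also accepts a return URL that merely contains the approved site's address somewhere in it. Nothing in this hunk, nor the table-editor label added in the second hunk (`'urls de retour'`), says that the column holds a delimited PCRE pattern, so I would add a comment above the check such as `/* returnurls is a complete PCRE pattern with delimiters; anchor it with ^ and $ so the whole return URL is constrained */` and mention "regexp" in the label. The `@` also hides the warning from a malformed pattern, in which case preg_match returns false and the redirect is skipped silently; failing closed is the right outcome, but logging that case would let an administrator notice the broken entry. The enclosing handler starts and ends outside the hunk.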
@@ -180,6 +182,7 @@ class AuthModule extends PLModule
 $table_editor->describe('name','nom',true);
 $table_editor->describe('privkey','clé privée',false);
 $table_editor->describe('datafields','champs renvoyés',true);
+ $table_editor->describe('returnurls','urls de retour',true);
 $table_editor->apply($page, $action, $id);
 }
 }
diff --git a/upgrade/0.9.17/07_auth_groupex.sql b/upgrade/0.9.17/07_auth_groupex.sql
new file mode 100644
index 0000000..881755a
--- /dev/null
+++ b/upgrade/0.9.17/07_auth_groupex.sql
@@ -0,0 +1,3 @@
+ALTER TABLE groupesx_auth ADD COLUMN returnurls VARCHAR(255) NOT NULL;
+
+# vim:set syntax=mysql:
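Review bot: The new column is declared `NOT NULL` without a `DEFAULT`, so existing rows presumably receive MySQL's implicit empty string, which is exactly the value the check in modules/auth.php treats as "no restriction". Writing it out, `ADD COLUMN returnurls VARCHAR(255) NOT NULL DEFAULT ''`, together with a comment line such as `# empty returnurls = return URL not restricted (legacy entries, to be filled in)`, would make that coupling visible in the migration itself. A follow-up `SELECT name FROM groupesx_auth WHERE returnurls = ''` lists the entries that are still unprotected after the upgrade.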