X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ian/git?p=cgi-auth-flexible.git;a=blobdiff_plain;f=cgi-auth-flexible.pm;h=21805cffd8057a177222a6177d3dd3113d6a2bb6;hp=137de002125ffd661342d9de22bcbcedcb50ed14;hb=48521dbb3f433c4a63df6564c4f095555a2dee95;hpb=0e3eb3aef176eac1e7209f01ad73e2e91f782507 diff --git a/cgi-auth-flexible.pm b/cgi-auth-flexible.pm index 137de00..21805cf 100644 --- a/cgi-auth-flexible.pm +++ b/cgi-auth-flexible.pm @@ -31,8 +31,6 @@ BEGIN { @ISA = qw(Exporter); @EXPORT = qw(); %EXPORT_TAGS = ( ); # eg: TAG => [ qw!name1 name2! ], - - @EXPORT_OK = qw(); } our @EXPORT_OK; @@ -77,10 +75,11 @@ sub has_a_param ($$) { sub get_params ($) { my ($r) = @_; - my %p; my $c = $r->{Cgi}; - foreach my $name ($c->param()) { - $p{$name} = [ $c->param($name) ]; + my $vars = $c->Vars(); + my %p; + foreach my $name (keys %$vars) { + $p{$name} = [ split "\0", $vars->{$name} ]; } return \%p; } @@ -281,8 +280,9 @@ sub srcdump_novcs ($$$$$) { sub srcdump_byvcs ($$$$$$) { my ($c, $v, $dumpdir, $dir, $outfn, $vcs) = @_; #print STDERR "BYVCS GIT $dir\n"; - return srcdump_dir_cpio($c,$v,$dumpdir,$dir,$outfn,$vcs, - $v->{S}{"srcdump_vcsscript_$vcs"}); + my $script = $v->{S}{"srcdump_vcsscript"}{$vcs}; + die "no script for vcs $vcs" unless defined $script; + return srcdump_dir_cpio($c,$v,$dumpdir,$dir,$outfn,$vcs,$script); } sub srcdump_file ($$$$) { @@ -353,6 +353,7 @@ sub srcdump_dirscan_prepare ($$) { }; my %dirsdone; foreach my $item ($v->_ch('srcdump_listitems')) { + next unless defined $item; if ($item eq '.' && $v->{S}{srcdump_filter_cwd}) { my @bad = grep { !m#^/# } values %INC; die "filtering . from srcdump items and \@INC but already". @@ -386,7 +387,8 @@ sub srcdump_dirscan_prepare ($$) { close $reportfh or die $!; srcdump_install($c,$v, $dumpdir, 'licence', 'text/plain'); $!=0; - my @cmd = (qw(tar -zvvcf), "$dumpdir/source.tmp", + my @cmd = (qw(sh -ec), 'exec >&2 "$@"', qw(x), + qw(tar -zvvcf), "$dumpdir/source.tmp", "-C", $dumpdir, qw( --), @srcfiles); my $r = system(@cmd); if ($r) { @@ -417,14 +419,14 @@ sub new_verifier { my $verifier = { S => { dir => undef, - assocdb_dbh => undef, # must have AutoCommit=0, RaiseError=1 - assocdb_path => 'caf-assocs.db', + db_dbh => undef, # must have AutoCommit=0, RaiseError=1 + db_path => 'caf.db', keys_path => 'caf-keys', srcdump_path => 'caf-srcdump', - assocdb_dsn => undef, - assocdb_user => '', - assocdb_password => '', - assocdb_table => 'caf_assocs', + db_dsn => undef, + db_user => '', + db_password => '', + db_prefix => 'caf', random_source => '/dev/urandom', secretbits => 128, # bits hash_algorithm => "SHA-256", @@ -446,14 +448,13 @@ sub new_verifier { get_path_info => sub { $_[0]->path_info() }, get_cookie => sub { $_[0]->cookie($_[1]->{S}{cookie_name}) }, get_method => sub { $_[0]->request_method() }, - check_https => sub { !!$_[0]->https() }, + is_https => sub { !!$_[0]->https() }, get_url => sub { $_[0]->url(); }, is_login => sub { defined $_[1]->_rp('password_param_name') }, login_ok => \&login_ok_password, username_password_error => sub { die }, is_logout => sub { $_[1]->has_a_param('logout_param_names') }, is_loggedout => sub { $_[1]->has_a_param('loggedout_param_names') }, - is_page => sub { return 1 }, handle_divert => sub { return 0 }, do_redirect => \&do_redirect_cgi, # this hook is allowed to throw cookie_path => "/", @@ -477,16 +478,12 @@ sub new_verifier { $_[2] =~ m#^/etc/|^/usr/(?!local/)(?!lib/cgi)#; }, srcdump_process_item => \&srcdump_process_item, - srcdump_vcs_dirs => [qw(.git .hg .bzr .svn CVS)], - srcdump_vcsscript_git => " + srcdump_vcs_dirs => [qw(.git .hg .bzr .svn)], + srcdump_vcsscript => {git => " git ls-files -z git ls-files -z --others --exclude-from=.gitignore find .git -print0 - ", - srcdump_vcsscript_hg => "false hg", - srcdump_vcsscript_bzr => "false bzr", - srcdump_vcsscript_svn => "false svn", - srcdump_vcsscript_cvs => "false cvs", + "}, srcdump_byvcs => \&srcdump_byvcs, srcdump_novcs => \&srcdump_novcs, srcdump_excludes => [qw(*~ *.bak *.tmp), '#*#'], @@ -504,6 +501,17 @@ sub new_verifier { exists $verifier->{S}{$k}; $verifier->{S}{$k} = $v; } + $verifier->{S}{db_setup_stmts} //= + ["CREATE TABLE $verifier->{S}{db_prefix}_assocs (". + " assochash VARCHAR PRIMARY KEY,". + " username VARCHAR NOT NULL,". + " last INTEGER NOT NULL". + ")" + , + "CREATE INDEX $verifier->{S}{db_prefix}_assocs_timeout_index". + " ON $verifier->{S}{db_prefix}_assocs". + " (last)" + ]; bless $verifier, $class; $verifier->_dbopen(); $verifier->_ch('srcdump_prepare'); @@ -526,17 +534,17 @@ sub _dbopen ($) { my $dbh = $v->{Dbh}; return $dbh if $dbh; - $dbh = $v->{S}{assocdb_dbh}; + $dbh = $v->{S}{db_dbh}; if ($dbh) { die if $dbh->{AutoCommit}; die unless $dbh->{RaiseError}; } else { - $v->{S}{assocdb_dsn} ||= "dbi:SQLite:dbname=".$v->_get_path('assocdb'); - my $dsn = $v->{S}{assocdb_dsn}; + $v->{S}{db_dsn} ||= "dbi:SQLite:dbname=".$v->_get_path('db'); + my $dsn = $v->{S}{db_dsn}; my $u = umask 077; - $dbh = DBI->connect($dsn, $v->{S}{assocdb_user}, - $v->{S}{assocdb_password}, { + $dbh = DBI->connect($dsn, $v->{S}{db_user}, + $v->{S}{db_password}, { AutoCommit => 0, RaiseError => 1, ShowErrorStatement => 1, @@ -546,14 +554,9 @@ sub _dbopen ($) { } $v->{Dbh} = $dbh; - $v->_db_setup_do("CREATE TABLE $v->{S}{assocdb_table} (". - " assochash VARCHAR PRIMARY KEY,". - " username VARCHAR NOT NULL,". - " last INTEGER NOT NULL". - ")"); - $v->_db_setup_do("CREATE INDEX $v->{S}{assocdb_table}_timeout_index". - " ON $v->{S}{assocdb_table}". - " (last)"); + foreach my $stmt (@{ $v->{S}{db_setup_stmts} }) { + $v->_db_setup_do($stmt); + } return $dbh; } @@ -654,12 +657,14 @@ sub construct_cookie ($$$) { my ($r, $cooks) = @_; return undef unless $cooks; my $c = $r->{Cgi}; -my @ca = (-name => $r->{S}{cookie_name}, - -value => $cooks, - -path => $r->{S}{cookie_path}, - -domain => $r->_ch('get_cookie_domain'), - -expires => '+'.$r->{S}{login_timeout}.'s', - -secure => $r->{S}{encrypted_only}); + my @ca = ( + -name => $r->{S}{cookie_name}, + -value => $cooks, + -path => $r->{S}{cookie_path}, + -domain => $r->_ch('get_cookie_domain'), + -expires => '+'.$r->{S}{login_timeout}.'s', + -secure => $r->{S}{encrypted_only} + ); my $cookie = $c->cookie(@ca); #print STDERR "CC $r $c $cooks $cookie (@ca).\n"; return $cookie; @@ -696,7 +701,6 @@ my @ca = (-name => $r->{S}{cookie_name}, # any - POST nrmuoi bug or attack, fail # any - GET rmuoi bug or attack, fail # any any GET muoi bug or attack, fail - # any t any nrmu bug or attack, fail # # - - GET O "just logged out" page # (any other) O bug or attack, fail @@ -741,38 +745,38 @@ my @ca = (-name => $r->{S}{cookie_name}, # revoke y2 # treat as y1 n POST # - # y n GET n intra-site link from stale page, + # y nt GET n intra-site link from stale page, # treat as cross-site link, show data # - # y n POST n m intra-site form submission from stale page + # y nt POST n m intra-site form submission from stale page # show "session interrupted" # with link to main data page # - # y n GET r intra-site request from stale page + # y nt GET r intra-site request from stale page # fail # - # y n POST r u intra-site request from stale page + # y nt POST r u intra-site request from stale page # fail # - # -/n y2 GET nr intra-site link from cleared session + # -n y2 GET nr intra-site link from cleared session # do not revoke y2 as not RESTful # treat as -/n n GET # - # -/n y2 POST nrmu request from cleared session + # -n y2 POST nrmu request from cleared session # revoke y2 # treat as -/n n POST # - # -/n -/n GET n cross-site link but user not logged in + # -nt -nt GET n cross-site link but user not logged in # show login form with redirect to orig params # generate fresh cookie # - # -/n n GET rmu user not logged in + # -nt nt GET rmu user not logged in # fail # - # -/n n POST n m user not logged in + # -nt nt POST n m user not logged in # show login form # - # -/n n POST r u user not logged in + # -nt nt POST r u user not logged in # fail sub _check_divert_core ($) { @@ -783,21 +787,23 @@ sub _check_divert_core ($) { die if $srcdump =~ m/\W/; return ({ Kind => 'SRCDUMP-'.uc $srcdump, Message => undef, - CookieSecret => undef, + _CookieRaw => undef, Params => { } }); } - my $cooks = $r->_ch('get_cookie'); + my $cooksraw = $r->_ch('get_cookie'); + my $cooks = $r->_unblind($cooksraw); - if ($r->{S}{encrypted_only} && !$r->_ch('check_https')) { + if ($r->{S}{encrypted_only} && !$r->_ch('is_https')) { return ({ Kind => 'REDIRECT-HTTPS', Message => $r->_gt("Redirecting to secure server..."), - CookieSecret => undef, + _CookieRaw => undef, Params => { } }); } my $meth = $r->_ch('get_method'); - my $parmh = $r->_rp('assoc_param_name'); + my $parmhraw = $r->_rp('assoc_param_name'); + my $parmh = $r->_unblind($parmhraw); my $cookh = defined $cooks ? $r->hash($cooks) : undef; my ($cookt,$cooku) = $r->_identify($cookh, $cooks); @@ -814,8 +820,10 @@ sub _check_divert_core ($) { $r->_db_revoke($parmh); return ({ Kind => 'REDIRECT-LOGGEDOUT', Message => $r->_gt("Logging out..."), - CookieSecret => '', - Params => { } }); + _CookieRaw => '', + Params => { + $r->{S}{loggedout_param_names}[0] => [ 1 ], + } }); } if ($r->_ch('is_loggedout')) { die unless $meth eq 'GET'; @@ -823,7 +831,7 @@ sub _check_divert_core ($) { die if $parmt; return ({ Kind => 'SMALLPAGE-LOGGEDOUT', Message => $r->_gt("You have been logged out."), - CookieSecret => '', + _CookieRaw => '', Params => { } }); } if ($r->_ch('is_login')) { @@ -834,7 +842,7 @@ sub _check_divert_core ($) { Message => $r->_gt("You do not seem to have cookies". " enabled. You must enable cookies". " as we use them for login."), - CookieSecret => $r->_fresh_secret(), + _CookieRaw => $r->_fresh_secret(), Params => $r->chain_params() }) } if (!$cookt || $cookt eq 'n' || $cookh ne $parmh) { @@ -842,7 +850,7 @@ sub _check_divert_core ($) { return ({ Kind => 'LOGIN-STALE', Message => $r->_gt("Stale session;". " you need to log in again."), - CookieSecret => $r->_fresh_secret(), + _CookieRaw => $r->_fresh_secret(), Params => { } }) } die unless $parmt eq 't' || $parmt eq 'y'; @@ -852,19 +860,18 @@ sub _check_divert_core ($) { if !$login_errormessage; return ({ Kind => 'LOGIN-BAD', Message => $login_errormessage, - CookieSecret => $cooks, + _CookieRaw => $cooks, Params => $r->chain_params() }) } $r->_db_record_login_ok($parmh,$username); return ({ Kind => 'REDIRECT-LOGGEDIN', Message => $r->_gt("Logging in..."), - CookieSecret => $cooks, + _CookieRaw => $cooks, Params => $r->chain_params() }); } if ($cookt eq 't') { $cookt = ''; } - die if $parmt eq 't'; if ($cookt eq 'y' && $parmt eq 'y' && $cookh ne $parmh) { $r->_db_revoke($parmh) if $meth eq 'POST'; @@ -873,18 +880,18 @@ sub _check_divert_core ($) { if ($cookt ne 'y') { die unless !$cookt || $cookt eq 'n'; - die unless !$parmt || $parmt eq 'n' || $parmt eq 'y'; + die unless !$parmt || $parmt eq 't' || $parmt eq 'n' || $parmt eq 'y'; my $news = $r->_fresh_secret(); if ($meth eq 'GET') { return ({ Kind => 'LOGIN-INCOMINGLINK', Message => $r->_gt("You need to log in."), - CookieSecret => $news, + _CookieRaw => $news, Params => $r->chain_params() }); } else { $r->_db_revoke($parmh); return ({ Kind => 'LOGIN-FRESH', Message => $r->_gt("You need to log in."), - CookieSecret => $news, + _CookieRaw => $news, Params => { } }); } } @@ -893,7 +900,7 @@ sub _check_divert_core ($) { if ($meth ne 'POST') { return ({ Kind => 'MAINPAGEONLY', Message => $r->_gt('Entering via cross-site link.'), - CookieSecret => $cooks, + _CookieRaw => $cooks, Params => { } }); # NB caller must then ignore params & path! # if this is too hard they can spit out a small form @@ -903,11 +910,19 @@ sub _check_divert_core ($) { die unless $cookt eq 'y'; unless ($r->{S}{promise_check_mutate} && $meth eq 'GET') { + if ($parmt eq 't' || $parmt eq 'n') { + return ({ Kind => 'STALE', + Message => $r->_gt("Login session interrupted."), + _CookieRaw => $cooks, + Params => { } }); + } die unless $parmt eq 'y'; die unless $cookh eq $parmh; } + $r->_db_update_last($cooku,$parmh); + $r->{ParmT} = $parmt; - $r->{AssocSecret} = $cooks; + $r->{AssocRaw} = $cooks; $r->{UserOK} = $cooku; #print STDERR "C-D-C OK\n"; return undef; @@ -952,12 +967,12 @@ sub _identify ($$) { my $dbh = $r->{Dbh}; - $dbh->do("DELETE FROM $r->{S}{assocdb_table}". + $dbh->do("DELETE FROM $r->{S}{db_prefix}_assocs". " WHERE last < ?", {}, time - $r->{S}{login_timeout}); my $row = $dbh->selectrow_arrayref("SELECT username, last". - " FROM $r->{S}{assocdb_table}". + " FROM $r->{S}{db_prefix}_assocs". " WHERE assochash = ?", {}, $h); if (defined $row) { #print STDERR "_identify h=$h s=$s YES @$row\n"; @@ -998,7 +1013,7 @@ sub _db_revoke ($$) { my $dbh = $r->{Dbh}; - $dbh->do("DELETE FROM $r->{S}{assocdb_table}". + $dbh->do("DELETE FROM $r->{S}{db_prefix}_assocs". " WHERE assochash = ?", {}, $h); } @@ -1006,11 +1021,21 @@ sub _db_record_login_ok ($$$) { my ($r,$h,$user) = @_; $r->_db_revoke($h); my $dbh = $r->{Dbh}; - $dbh->do("INSERT INTO $r->{S}{assocdb_table}". + $dbh->do("INSERT INTO $r->{S}{db_prefix}_assocs". " (assochash, username, last) VALUES (?,?,?)", {}, $h, $user, time); } +sub _db_update_last ($$) { + # revokes $h if it's valid; no-op if it's not + my ($r,$user,$h) = @_; + my $dbh = $r->{Dbh}; + $dbh->do("UPDATE $r->{S}{db_prefix}_assocs". + " SET last = ?". + " WHERE username = ? AND assochash = ?", {}, + time, $user, $h); +} + sub check_divert ($) { my ($r) = @_; if (exists $r->{Divert}) { @@ -1019,8 +1044,18 @@ sub check_divert ($) { my $dbh = $r->{Dbh}; $r->{Divert} = $r->_db_transaction(sub { $r->_check_divert_core(); }); $dbh->commit(); - $r->_debug(Data::Dumper->Dump([$r->{Divert}],[qw(divert)])); - return $r->{Divert}; + + my $divert = $r->{Divert}; + my $cookraw = $divert && $divert->{_CookieRaw}; + if ($cookraw) { + $divert->{CookieSecret} = $r->_blind($cookraw); + $divert->{Params}{$r->{S}{assoc_param_name}} = [ + $r->_blind($r->hash($cookraw)) + ]; + } + + $r->_debug(Data::Dumper->Dump([$divert],[qw(divert)])); + return $divert; } sub get_divert ($) { @@ -1042,8 +1077,7 @@ sub url_with_query_params ($$;$) { my $uri = URI->new($r->_ch('get_url')); $uri->path($uri->path() . $params->{''}[0]) if $params->{''}; my @flatparams = flatten_params($params); - if (defined $nonpagetype - && $r->nonpage_get_needs_secret_hidden($nonpagetype)) { + if (defined $nonpagetype && $r->need_add_hidden('GET',$nonpagetype)) { push @flatparams, $r->{S}{assoc_param_name}, $r->secret_hidden_val(); } $uri->query_form(@flatparams); @@ -1078,12 +1112,9 @@ sub check_ok ($) { } if ($kind =~ m/^REDIRECT-/) { - # for redirects, we honour stored NextParams and SetCookie, + # for redirects, we honour stored Params and Cookie, # as we would for non-divert if ($kind eq 'REDIRECT-LOGGEDOUT') { - $params->{$r->{S}{loggedout_param_names}[0]} = [ 1 ]; - } elsif ($kind eq 'REDIRECT-LOGOUT') { - $params->{$r->{S}{logout_param_names}[0]} = [ 1 ]; } elsif ($kind =~ m/REDIRECT-(?:LOGGEDIN|HTTPS)/) { } else { die; @@ -1099,10 +1130,6 @@ sub check_ok ($) { return 0; } - if (defined $cookiesecret) { - $params->{$r->{S}{assoc_param_name}} = [ $r->hash($cookiesecret) ]; - } - my ($title, @body); if ($kind =~ m/^LOGIN-/) { $title = $r->_gt('Login'); @@ -1112,6 +1139,10 @@ sub check_ok ($) { $title = $r->_gt('Not logged in'); push @body, $divert->{Message}; push @body, $r->_ch('gen_login_link', $params); + } elsif ($kind =~ m/^STALE/) { + $title = $r->_gt('Re-entering secure site.'); + push @body, $divert->{Message}; + push @body, $r->_ch('gen_postmainpage_form', $params); } elsif ($kind =~ m/^MAINPAGEONLY$/) { $title = $r->_gt('Entering secure site.'); push @body, $divert->{Message}; @@ -1145,6 +1176,40 @@ sub _random ($$) { return $out; } +sub _blind_len ($$) { + my ($r, $str) = @_; + return length($str =~ y/0-9a-f//cdr); +} + +sub _blind_combine ($$$) { + my ($r, $in, $mask) = @_; + my @mask = split //, $mask; + $in =~ s{[0-9a-f]}{ + my $m = shift @mask; + sprintf "%x", hex($m) ^ hex($&); + }ge; + return $in; +} + +sub _blind ($$) { + my ($r, $in) = @_; + return $in unless $in; + my $l = $r->_blind_len($in); + my $mask = $r->_random(($l+1)>>1); + $mask = substr $mask, 0, $l; + my $blound = $r->_blind_combine($in, $mask); + return "$blound.$mask"; +} + +sub _unblind ($$) { + my ($r, $in) = @_; + return $in unless $in; + my ($blound,$mask) = ($in =~ m#^(.*)\.([0-9a-f]+)$#) or die "$in ?"; + my $l = $r->_blind_len($blound); + $l == length($mask) or die "$in ?"; + return $r->_blind_combine($blound, $mask); +} + sub _random_key ($) { my ($r) = @_; #print STDERR "_random_key\n"; @@ -1286,30 +1351,28 @@ sub check_mutate ($) { $r->_must_be_post(); } -sub mutate_ok ($) { - my ($r) = @_; - $r->_assert_checked(); - die if $r->{Divert}; - return $r->_is_post(); -} - our %_resource_get_needs_secret_hidden = (map { $_ => 0 } qw(PAGE FRAME IFRAME SRCDUMP STYLESHEET FAVICON ROBOTS), map { $_ => 1 } qw(IMAGE SCRIPT AJAX-XML AJAX-JSON AJAX-OTHER)); -sub update_get_need_add_hidden ($$) { - my ($r, $reqtype, $value) = @_; +sub update_get_need_add_hidden ($$;$) { + my ($r, $reqtype, $value, $force) = @_; my $hash = ref $r ? ($r->{GetNeedsSecretHidden} ||= { }) : \%_resource_get_needs_secret_hidden; + return if !$force && + (exists $_resource_get_needs_secret_hidden{$reqtype} || + exists $hash->{$reqtype}); $hash->{$reqtype} = $value; } sub need_add_hidden ($$) { my ($r, $method, $reqtype) = @_; return 1 if $method ne 'GET'; - my $ent = $r->{GetNeedsSecretHidden}{$reqtype}; - return $ent if defined $ent; + if (ref $r) { + my $ent = $r->{GetNeedsSecretHidden}{$reqtype}; + return $ent if defined $ent; + } my $ent = $_resource_get_needs_secret_hidden{$reqtype}; return $ent if defined $ent; die "unsupported nonpage GET type $reqtype"; @@ -1318,9 +1381,9 @@ sub need_add_hidden ($$) { sub check_nonpage ($$) { my ($r, $reqtype) = @_; $r->_assert_checked(); - return unless $r->resource_get_needs_secret_hidden($nonpagetype); - return if $r->{ParmT}; - die "missing hidden secret parameter on nonpage request $nonpagetype"; + return unless $r->resource_get_needs_secret_hidden($reqtype); + return if $r->{ParmT} eq 'y'; + die "missing hidden secret parameter on nonpage request $reqtype"; } #---------- output ---------- @@ -1328,13 +1391,13 @@ sub check_nonpage ($$) { sub secret_cookie_val ($) { my ($r) = @_; $r->_assert_checked(); - return defined $r->{AssocSecret} ? $r->{AssocSecret} : ''; + return defined $r->{AssocRaw} ? $r->_blind($r->{AssocRaw}) : ''; } sub secret_hidden_val ($) { my ($r) = @_; $r->_assert_checked(); - return defined $r->{AssocSecret} ? $r->hash($r->{AssocSecret}) : ''; + return defined $r->{AssocRaw} ? $r->_blind($r->hash($r->{AssocRaw})) : ''; } sub secret_hidden_html ($) {