X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ian/git?p=cgi-auth-flexible.git;a=blobdiff_plain;f=cgi-auth-flexible.pm;h=21805cffd8057a177222a6177d3dd3113d6a2bb6;hp=73cc3e5594bcb94b32e4432518a8ae468245b53a;hb=48521dbb3f433c4a63df6564c4f095555a2dee95;hpb=bde070bdfcddb54a716ab7a1d09c648dc7ec7c7f;ds=sidebyside diff --git a/cgi-auth-flexible.pm b/cgi-auth-flexible.pm index 73cc3e5..21805cf 100644 --- a/cgi-auth-flexible.pm +++ b/cgi-auth-flexible.pm @@ -387,7 +387,8 @@ sub srcdump_dirscan_prepare ($$) { close $reportfh or die $!; srcdump_install($c,$v, $dumpdir, 'licence', 'text/plain'); $!=0; - my @cmd = (qw(tar -zvvcf), "$dumpdir/source.tmp", + my @cmd = (qw(sh -ec), 'exec >&2 "$@"', qw(x), + qw(tar -zvvcf), "$dumpdir/source.tmp", "-C", $dumpdir, qw( --), @srcfiles); my $r = system(@cmd); if ($r) { @@ -700,7 +701,6 @@ sub construct_cookie ($$$) { # any - POST nrmuoi bug or attack, fail # any - GET rmuoi bug or attack, fail # any any GET muoi bug or attack, fail - # any t any nrmu bug or attack, fail # # - - GET O "just logged out" page # (any other) O bug or attack, fail @@ -745,38 +745,38 @@ sub construct_cookie ($$$) { # revoke y2 # treat as y1 n POST # - # y n GET n intra-site link from stale page, + # y nt GET n intra-site link from stale page, # treat as cross-site link, show data # - # y n POST n m intra-site form submission from stale page + # y nt POST n m intra-site form submission from stale page # show "session interrupted" # with link to main data page # - # y n GET r intra-site request from stale page + # y nt GET r intra-site request from stale page # fail # - # y n POST r u intra-site request from stale page + # y nt POST r u intra-site request from stale page # fail # - # -/n y2 GET nr intra-site link from cleared session + # -n y2 GET nr intra-site link from cleared session # do not revoke y2 as not RESTful # treat as -/n n GET # - # -/n y2 POST nrmu request from cleared session + # -n y2 POST nrmu request from cleared session # revoke y2 # treat as -/n n POST # - # -/n -/n GET n cross-site link but user not logged in + # -nt -nt GET n cross-site link but user not logged in # show login form with redirect to orig params # generate fresh cookie # - # -/n n GET rmu user not logged in + # -nt nt GET rmu user not logged in # fail # - # -/n n POST n m user not logged in + # -nt nt POST n m user not logged in # show login form # - # -/n n POST r u user not logged in + # -nt nt POST r u user not logged in # fail sub _check_divert_core ($) { @@ -791,7 +791,8 @@ sub _check_divert_core ($) { Params => { } }); } - my $cooks = $r->_ch('get_cookie'); + my $cooksraw = $r->_ch('get_cookie'); + my $cooks = $r->_unblind($cooksraw); if ($r->{S}{encrypted_only} && !$r->_ch('is_https')) { return ({ Kind => 'REDIRECT-HTTPS', @@ -801,7 +802,8 @@ sub _check_divert_core ($) { } my $meth = $r->_ch('get_method'); - my $parmh = $r->_rp('assoc_param_name'); + my $parmhraw = $r->_rp('assoc_param_name'); + my $parmh = $r->_unblind($parmhraw); my $cookh = defined $cooks ? $r->hash($cooks) : undef; my ($cookt,$cooku) = $r->_identify($cookh, $cooks); @@ -841,7 +843,7 @@ sub _check_divert_core ($) { " enabled. You must enable cookies". " as we use them for login."), _CookieRaw => $r->_fresh_secret(), - Params => $r->_chain_params() }) + Params => $r->chain_params() }) } if (!$cookt || $cookt eq 'n' || $cookh ne $parmh) { $r->_db_revoke($cookh); @@ -859,18 +861,17 @@ sub _check_divert_core ($) { return ({ Kind => 'LOGIN-BAD', Message => $login_errormessage, _CookieRaw => $cooks, - Params => $r->_chain_params() }) + Params => $r->chain_params() }) } $r->_db_record_login_ok($parmh,$username); return ({ Kind => 'REDIRECT-LOGGEDIN', Message => $r->_gt("Logging in..."), _CookieRaw => $cooks, - Params => $r->_chain_params() }); + Params => $r->chain_params() }); } if ($cookt eq 't') { $cookt = ''; } - die if $parmt eq 't'; if ($cookt eq 'y' && $parmt eq 'y' && $cookh ne $parmh) { $r->_db_revoke($parmh) if $meth eq 'POST'; @@ -879,13 +880,13 @@ sub _check_divert_core ($) { if ($cookt ne 'y') { die unless !$cookt || $cookt eq 'n'; - die unless !$parmt || $parmt eq 'n' || $parmt eq 'y'; + die unless !$parmt || $parmt eq 't' || $parmt eq 'n' || $parmt eq 'y'; my $news = $r->_fresh_secret(); if ($meth eq 'GET') { return ({ Kind => 'LOGIN-INCOMINGLINK', Message => $r->_gt("You need to log in."), _CookieRaw => $news, - Params => $r->_chain_params() }); + Params => $r->chain_params() }); } else { $r->_db_revoke($parmh); return ({ Kind => 'LOGIN-FRESH', @@ -909,24 +910,25 @@ sub _check_divert_core ($) { die unless $cookt eq 'y'; unless ($r->{S}{promise_check_mutate} && $meth eq 'GET') { + if ($parmt eq 't' || $parmt eq 'n') { + return ({ Kind => 'STALE', + Message => $r->_gt("Login session interrupted."), + _CookieRaw => $cooks, + Params => { } }); + } die unless $parmt eq 'y'; die unless $cookh eq $parmh; } + $r->_db_update_last($cooku,$parmh); + $r->{ParmT} = $parmt; - $r->{AssocSecret} = $cooks; + $r->{AssocRaw} = $cooks; $r->{UserOK} = $cooku; #print STDERR "C-D-C OK\n"; return undef; } -sub _chain_params ($) { -# =item C<< $authreq->_chain_params() >> -# -# Returns a hash of the "relevant" parameters to this request, in a form -# used by C. This is all of the query parameters -# which are not related to CGI::Auth::Flexible. The PATH_INFO from the -# request is returned as the parameter C<< '' >>. - +sub chain_params ($) { my ($r) = @_; my %p = %{ $r->_ch('get_params') }; foreach my $pncn (keys %{ $r->{S} }) { @@ -1024,6 +1026,16 @@ sub _db_record_login_ok ($$$) { $h, $user, time); } +sub _db_update_last ($$) { + # revokes $h if it's valid; no-op if it's not + my ($r,$user,$h) = @_; + my $dbh = $r->{Dbh}; + $dbh->do("UPDATE $r->{S}{db_prefix}_assocs". + " SET last = ?". + " WHERE username = ? AND assochash = ?", {}, + time, $user, $h); +} + sub check_divert ($) { my ($r) = @_; if (exists $r->{Divert}) { @@ -1033,16 +1045,17 @@ sub check_divert ($) { $r->{Divert} = $r->_db_transaction(sub { $r->_check_divert_core(); }); $dbh->commit(); - my $cookraw = $r->{_CookieRaw}; - $r->{CookieSecret} = $$cookraw; + my $divert = $r->{Divert}; + my $cookraw = $divert && $divert->{_CookieRaw}; if ($cookraw) { - $r->{Params}{$r->{S}{assoc_param_name}} = [ - $r->hash($cookraw) + $divert->{CookieSecret} = $r->_blind($cookraw); + $divert->{Params}{$r->{S}{assoc_param_name}} = [ + $r->_blind($r->hash($cookraw)) ]; } - $r->_debug(Data::Dumper->Dump([$r->{Divert}],[qw(divert)])); - return $r->{Divert}; + $r->_debug(Data::Dumper->Dump([$divert],[qw(divert)])); + return $divert; } sub get_divert ($) { @@ -1126,6 +1139,10 @@ sub check_ok ($) { $title = $r->_gt('Not logged in'); push @body, $divert->{Message}; push @body, $r->_ch('gen_login_link', $params); + } elsif ($kind =~ m/^STALE/) { + $title = $r->_gt('Re-entering secure site.'); + push @body, $divert->{Message}; + push @body, $r->_ch('gen_postmainpage_form', $params); } elsif ($kind =~ m/^MAINPAGEONLY$/) { $title = $r->_gt('Entering secure site.'); push @body, $divert->{Message}; @@ -1159,6 +1176,40 @@ sub _random ($$) { return $out; } +sub _blind_len ($$) { + my ($r, $str) = @_; + return length($str =~ y/0-9a-f//cdr); +} + +sub _blind_combine ($$$) { + my ($r, $in, $mask) = @_; + my @mask = split //, $mask; + $in =~ s{[0-9a-f]}{ + my $m = shift @mask; + sprintf "%x", hex($m) ^ hex($&); + }ge; + return $in; +} + +sub _blind ($$) { + my ($r, $in) = @_; + return $in unless $in; + my $l = $r->_blind_len($in); + my $mask = $r->_random(($l+1)>>1); + $mask = substr $mask, 0, $l; + my $blound = $r->_blind_combine($in, $mask); + return "$blound.$mask"; +} + +sub _unblind ($$) { + my ($r, $in) = @_; + return $in unless $in; + my ($blound,$mask) = ($in =~ m#^(.*)\.([0-9a-f]+)$#) or die "$in ?"; + my $l = $r->_blind_len($blound); + $l == length($mask) or die "$in ?"; + return $r->_blind_combine($blound, $mask); +} + sub _random_key ($) { my ($r) = @_; #print STDERR "_random_key\n"; @@ -1331,7 +1382,7 @@ sub check_nonpage ($$) { my ($r, $reqtype) = @_; $r->_assert_checked(); return unless $r->resource_get_needs_secret_hidden($reqtype); - return if $r->{ParmT}; + return if $r->{ParmT} eq 'y'; die "missing hidden secret parameter on nonpage request $reqtype"; } @@ -1340,13 +1391,13 @@ sub check_nonpage ($$) { sub secret_cookie_val ($) { my ($r) = @_; $r->_assert_checked(); - return defined $r->{AssocSecret} ? $r->{AssocSecret} : ''; + return defined $r->{AssocRaw} ? $r->_blind($r->{AssocRaw}) : ''; } sub secret_hidden_val ($) { my ($r) = @_; $r->_assert_checked(); - return defined $r->{AssocSecret} ? $r->hash($r->{AssocSecret}) : ''; + return defined $r->{AssocRaw} ? $r->_blind($r->hash($r->{AssocRaw})) : ''; } sub secret_hidden_html ($) {