From: Ian Jackson
Date: Wed, 28 Oct 2015 16:22:24 +0000 (+0000)
Subject: _check_divert_core: Change handling of $parmt=='t'
X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ian/git?p=cgi-auth-flexible.git;a=commitdiff_plain;h=b93e3cc7eae3bfc87474afb3be8458647f61a2aa
_check_divert_core: Change handling of $parmt=='t'
This can mean that the form parameter refers to a cookie now deleted from the db: ie one relating to a previous user session. This is not a bug or (necessariloy) an attack; it might simply mean that the submission comes from a page generated in a previous login session. So handle this case the same way as $parmt=='n' (ie, expired hidden parameter value). (Double-checked by searching the function beyond that point for references to parmt.)
Signed-off-by: Ian Jackson
---
diff --git a/cgi-auth-flexible.pm b/cgi-auth-flexible.pm
index a297519..5e5d044 100644
--- a/cgi-auth-flexible.pm
+++ b/cgi-auth-flexible.pm
@@ -701,7 +701,6 @@ sub construct_cookie ($$$) {
 # any - POST nrmuoi bug or attack, fail
 # any - GET rmuoi bug or attack, fail
 # any any GET muoi bug or attack, fail
- # any t any nrmu bug or attack, fail
 #
 # - - GET O "just logged out" page
 # (any other) O bug or attack, fail
@@ -746,17 +745,17 @@ sub construct_cookie ($$$) {
 # revoke y2
 # treat as y1 n POST
 #
- # y n GET n intra-site link from stale page,
+ # y nt GET n intra-site link from stale page,
 # treat as cross-site link, show data
 #
- # y n POST n m intra-site form submission from stale page
+ # y nt POST n m intra-site form submission from stale page
 # show "session interrupted"
 # with link to main data page
 #
- # y n GET r intra-site request from stale page
+ # y nt GET r intra-site request from stale page
 # fail
 #
- # y n POST r u intra-site request from stale page
+ # y nt POST r u intra-site request from stale page
 # fail
 #
 # -/n y2 GET nr intra-site link from cleared session
@@ -767,17 +766,17 @@ sub construct_cookie ($$$) { # revoke y2 # treat as -/n n POST # - # -/n -/n GET n cross-site link but user not logged in + # -nt -nt GET n cross-site link but user not logged in # show login form with redirect to orig params # generate fresh cookie # - # -/n n GET rmu user not logged in + # -nt nt GET rmu user not logged in # fail # - # -/n n POST n m user not logged in + # -nt nt POST n m user not logged in # show login form # - # -/n n POST r u user not logged in + # -nt nt POST r u user not logged in # fail sub _check_divert_core ($) { @@ -873,7 +872,6 @@ sub _check_divert_core ($) { if ($cookt eq 't') { $cookt = ''; } - die if $parmt eq 't'; if ($cookt eq 'y' && $parmt eq 'y' && $cookh ne $parmh) { $r->_db_revoke($parmh) if $meth eq 'POST'; @@ -882,7 +880,7 @@ sub _check_divert_core ($) { if ($cookt ne 'y') { die unless !$cookt || $cookt eq 'n'; - die unless !$parmt || $parmt eq 'n' || $parmt eq 'y'; + die unless !$parmt || $parmt eq 't' || $parmt eq 'n' || $parmt eq 'y'; my $news = $r->_fresh_secret(); if ($meth eq 'GET') { return ({ Kind => 'LOGIN-INCOMINGLINK',
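Review bot: Dropping `die if $parmt eq 't';` in the @@ -873 hunk lets a client-supplied hidden-parameter state of 't' flow through every later reference to `$parmt`, while the only code that accommodates it is the widened allowlist in the @@ -882 hunk, `die unless !$parmt || $parmt eq 't' || $parmt eq 'n' || $parmt eq 'y';` — any comparison against 'n' further down the function would silently not match 't'. Since the commit message says 't' is to be treated exactly like 'n', the more robust shape is to fold the state at the point where the die was removed, in the same spirit as the `$cookt eq 't'` rewrite just above it: `$parmt = 'n' if $parmt eq 't';`, leaving the @@ -882 check as it originally was. That keeps the "nt" rows in the comment tables and the code in agreement by construction rather than by the manual search the message describes, and it avoids re-widening a fail-closed assertion on an untrusted input. `_check_divert_core` begins and ends outside these hunks, so whether a later `$parmt eq 'n'` comparison actually exists cannot be confirmed from this page.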