From: Mark Wooding
Date: Thu, 31 Dec 2015 21:02:28 +0000 (+0000)
Subject: cgi/actions.c, lib/client*.[ch]: Don't use priv connection to check passwd.
X-Git-Tag: 5.2~72
X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~mdw/git/disorder/commitdiff_plain/ff92debd29cab62e0f824ca3e40914f64e0bcb05?hp=ff92debd29cab62e0f824ca3e40914f64e0bcb05

cgi/actions.c, lib/client*.[ch]: Don't use priv connection to check passwd.

If the CGI runs as the main `jukebox' user, then it can connect using the special `.../private/socket', and the `find_server' function arranges to do this if it can and no network address has been assigned in the configuration. The server doesn't bother to check passwords from clients on privileged connections.

The result is that if the CGI program runs as the `jukebox' user, its attempt to check the end-user's password through the usual login machinery is stymied, since the library automatically sets up a privileged connection and then the server ignores the password entirely. The end result is that, if you set things up in this way, anyone can log into the CGI program with any known user and any password at all, at which point they're given a cookie which can be used in direct communication with the server.

Fix this as follows.

  * Introduce a new version (in the correct namespace for a change) of `find_server' which accepts some flags to guide the choice of server addresses.

  * Add a flag for the new `disorder_find_server' function to prevent trying the privileged socket.

  * Add a function to the client interface (and a bit of state to the client structure) to instruct the connection functions not to use a privileged connection even if they can.

  * Get the CGI program to use this new function when logging in with a password, so that it will always be checked.

Cookies are checked properly, even from privileged clients, so there's nothing to fix there.
---
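The failure mode the commit message describes, modelled as an added example (this is not DisOrder's code; every function name, the flag bit, the user table and the credentials are constructed for illustration). A server trusts any client that arrives over its privileged local socket and skips the password check for it; a client library that picks the privileged socket whenever it can therefore turns the CGI's password check into a no-op when the CGI runs as the daemon's user. The "vulnerable" login path uses the library's default transport choice, the "fixed" path passes a flag that forbids the privileged socket, so the password reaches a server that actually checks it.

```c
/* Added model, not the project's own code. Names, flag values, the
 * user table and the passwords below are all constructed. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* How the client reached the server. In the real system the privileged
 * variant is a Unix-domain socket only the daemon's own user can open. */
enum transport { TRANSPORT_PRIVILEGED_SOCKET, TRANSPORT_NETWORK };

/* Hypothetical flag bit for model_find_server(): refuse the privileged
 * socket even when the caller could use it. */
enum { FIND_SERVER_NO_PRIV = 1u };

struct connection { enum transport transport; };

/* Environment of the CGI process (constructed). */
struct client_env {
    bool runs_as_daemon_user;     /* can open the privileged socket? */
    bool network_addr_configured; /* a network address is in the config? */
};

/* Client side: choose a transport the way the message describes, i.e.
 * privileged socket if possible and no network address is configured,
 * unless the caller asked for FIND_SERVER_NO_PRIV. */
static struct connection model_find_server(const struct client_env *env,
                                           unsigned flags) {
    struct connection c;
    if (env->runs_as_daemon_user && !env->network_addr_configured
        && !(flags & FIND_SERVER_NO_PRIV))
        c.transport = TRANSPORT_PRIVILEGED_SOCKET;
    else
        c.transport = TRANSPORT_NETWORK;
    return c;
}

/* Server side: constructed user table. */
struct user { const char *name; const char *password; };
static const struct user USERS[] = {
    { "alice", "correct horse" },
    { "bob",   "hunter2" },
};

/* Server side: the trust rule at the root of the bug. A privileged
 * connection is taken to belong to the daemon's own user, so the
 * supplied password is never consulted. Unknown users are rejected on
 * both transports. */
static bool model_server_login(const struct connection *c,
                               const char *user, const char *pw) {
    for (size_t i = 0; i < sizeof USERS / sizeof USERS[0]; i++) {
        if (strcmp(USERS[i].name, user) != 0)
            continue;
        if (c->transport == TRANSPORT_PRIVILEGED_SOCKET)
            return true;                         /* password ignored */
        return strcmp(USERS[i].password, pw) == 0;
    }
    return false;
}

/* CGI login before the fix: default transport choice, so when the CGI
 * runs as the daemon user any password for a known user is accepted. */
static bool cgi_login_vulnerable(const struct client_env *env,
                                 const char *user, const char *pw) {
    struct connection c = model_find_server(env, 0);
    return model_server_login(&c, user, pw);
}

/* CGI login after the fix: forbid the privileged socket for this one
 * operation so the server verifies the password. */
static bool cgi_login_fixed(const struct client_env *env,
                            const char *user, const char *pw) {
    struct connection c = model_find_server(env, FIND_SERVER_NO_PRIV);
    return model_server_login(&c, user, pw);
}

int main(void) {
    struct client_env as_daemon = { true, false };
    printf("vulnerable, wrong password: %s\n",
           cgi_login_vulnerable(&as_daemon, "bob", "wrong") ? "accepted" : "rejected");
    printf("fixed, wrong password:      %s\n",
           cgi_login_fixed(&as_daemon, "bob", "wrong") ? "accepted" : "rejected");
    printf("fixed, right password:      %s\n",
           cgi_login_fixed(&as_daemon, "bob", "hunter2") ? "accepted" : "rejected");
    return 0;
}
```

The point to carry away is that the server's rule is not wrong on its own: a channel only the daemon's user can open is a reasonable way to authenticate that user. The bug is in letting an end-user credential check ride on that channel. The fix in the message keeps the privileged path for everything else and only forces an unprivileged connection for the one operation whose whole purpose is to have the server check a password.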