From: Ian Jackson Date: Wed, 28 Oct 2015 16:29:50 +0000 (+0000) Subject: Introduce STALE divert kind X-Git-Url: https://www.chiark.greenend.org.uk/ucgi/~ian/git?a=commitdiff_plain;h=bb1bc2bb5d3905f75b27ea39fc9bce77ae46ebe4;p=cgi-auth-flexible.git Introduce STALE divert kind This is discussed in the algorithm comment in _check_divert_core, but was not implemented. Sadly this means we were missing a divert kind - however, apps which don't handle it should die if they don't understand the divert kind, which is what we did ourselves previously. Signed-off-by: Ian Jackson --- diff --git a/caf.pod b/caf.pod index ab45ac0..88b6b0f 100644 --- a/caf.pod +++ b/caf.pod @@ -725,6 +725,28 @@ We should generate a login form. The user is not yet logged in. We should redirect to our actual application, with the specified parameters. (The user has just logged in.) +=item C + +The user is logged in but the incoming form submission looks like it +was from a stale login session. Alternatively, it may have been +generated by an attacker's cross-site-scripting attack. + +Naive applications should generate a small page with a form or link to +our own main page without any parameters. + +A sophisticated application could infer from the submitted form +parameters what the user was allegedly trying to do. We could then +generate a fresh page showing what the intended action was, with a +fresh form which (if the user confirm) would resubmit that action. +B must be taken to avoid relying on the sanity and +coherence of the incoming form parameters. We B simply +reproduce the incoming parameters in the new form. It is essential +that the visual appearance of the generated form correctly shows to +the user what the action is that will be taken if the form is +submitted. If that action is dangerous, the form should not look like +the kind of confirmation pages which the user is likely to simply +click through without thinking. + =item C We should generate our main page but B 
diff --git a/cgi-auth-flexible.pm b/cgi-auth-flexible.pm index e52441b..bdb96c6 100644 --- a/cgi-auth-flexible.pm +++ b/cgi-auth-flexible.pm @@ -910,6 +910,12 @@ sub _check_divert_core ($) { die unless $cookt eq 'y'; unless ($r->{S}{promise_check_mutate} && $meth eq 'GET') { + if ($parmt eq 't' || $parmt eq 'n') { + return ({ Kind => 'STALE', + Message => $r->_gt("Login session interrupted."), + _CookieRaw => $cooks, + Params => { } }); + } die unless $parmt eq 'y'; die unless $cookh eq $parmh; } @@ -1121,6 +1127,10 @@ sub check_ok ($) { $title = $r->_gt('Not logged in'); push @body, $divert->{Message}; push @body, $r->_ch('gen_login_link', $params); + } elsif ($kind =~ m/^STALE/) { + $title = $r->_gt('Re-entering secure site.'); + push @body, $divert->{Message}; + push @body, $r->_ch('gen_postmainpage_form', $params); } elsif ($kind =~ m/^MAINPAGEONLY$/) { $title = $r->_gt('Entering secure site.'); push @body, $divert->{Message};
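Review bot: in the caf.pod hunk, the new item tells a "sophisticated application" to infer the intended action from the submitted form parameters, but the divert that _check_divert_core returns for this kind carries `Params => { }`, so the text should state that those parameters have to be read from the raw request (not from the divert's Params) and are untrusted input at that point; the later warning against reproducing them verbatim then follows naturally. Minor: "if the user confirm" should read "if the user confirms".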
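Review bot: in the _check_divert_core hunk, the STALE return fires only when `$parmt eq 't' || $parmt eq 'n'`; a well-formed form token (`$parmt eq 'y'`) whose hash differs from the cookie still reaches `die unless $cookh eq $parmh;`, yet that is exactly the "form submission from a stale login session" the documentation describes. Either route the hash mismatch to STALE as well, or add a comment at the new return explaining that only a missing or non-token parameter is treated as stale and a mismatched token remains a hard failure, so callers know which case they are handling.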
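Review bot: in the check_ok hunk, the new branch matches `$kind =~ m/^STALE/` without the trailing `$` anchor that the neighbouring `m/^MAINPAGEONLY$/` branch uses, so any future kind whose name starts with "STALE" would silently take this path; use `m/^STALE$/` to match the existing style. The handler passes `$params` to `gen_postmainpage_form`, which is consistent with the empty Params set for this kind, but a short comment saying the main-page form is deliberately parameterless would save the next reader a trip to caf.pod.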