From: Geoffrey T. D. <da...@us...> - 2001-12-06 20:44:17
|
Update of /cvsroot/phpwiki/phpwiki/lib In directory usw-pr-cvs1:/tmp/cvs-serv22983/lib Modified Files: WikiUser.php Log Message: Kludgy patch to close a potential security hole. (I think a carefully constructed cookie could be used to log in (as admin, even) without a password.) I'll work on a longer term fix... Index: WikiUser.php =================================================================== RCS file: /cvsroot/phpwiki/phpwiki/lib/WikiUser.php,v retrieving revision 1.4 retrieving revision 1.5 diff -C2 -r1.4 -r1.5 *** WikiUser.php 2001/12/02 02:34:48 1.4 --- WikiUser.php 2001/12/06 20:44:13 1.5 *************** *** 23,26 **** --- 23,37 ---- // don't check for HTTP auth if there's nothing to worry about + // + // FIXME: the addition of this short-cut introduced a security hole. + // Since $this->_restore can potentially restore $this from a + // user provided cookie, a carefully constructed cookie can + // be used to effectively log in (even as admin) without + // a password. + // + // For now, I'm disabling the code which saves/restores $this + // in a cookie. (Login state is still preserved in session vars.) + // I'll work on a longer term solution. + if ( $this->state == 'authorized' && $auth_mode != 'LOGIN' *************** *** 206,212 **** if ( $this->_copy($req->getSessionVar('auth_state')) ) - return; - elseif ( $this->_copy($req->getCookieVar('WIKI_AUTH')) ) return; else { // Default state. --- 217,224 ---- if ( $this->_copy($req->getSessionVar('auth_state')) ) return; + // FIXME: Disable restore from cookie (see note in WikiUser().) + //elseif ( $this->_copy($req->getCookieVar('WIKI_AUTH')) ) + // return; else { // Default state. *************** *** 221,225 **** $req->setSessionVar('auth_state', $this); ! $req->setCookieVar('WIKI_AUTH', $this); } } --- 233,238 ---- $req->setSessionVar('auth_state', $this); ! // FIXME: Disable restore from cookie (see note in WikiUser().) ! //$req->setCookieVar('WIKI_AUTH', $this); } } |
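Review bot: The cookie restore in the 217-224 hunk is commented out rather than deleted, which leaves the unsafe branch one uncomment away from coming back. I would drop the two commented lines and keep a short pointer instead, for example `// Login state is restored from the session only, never from client-supplied data.`; CVS history preserves the old code. As the FIXME in the first hunk describes, the underlying problem is that `_copy()` is handed an object rebuilt from data the client controls. Any later persistent-login cookie should therefore carry only an opaque random token resolved server-side, or a value authenticated with a server-held key before `_copy()` sees it. The enclosing method starts and ends outside the hunk, so whether `_copy()` itself validates `state` or the user fields cannot be confirmed from here.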
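Review bot: In the 233-238 hunk, commenting out `$req->setCookieVar('WIKI_AUTH', $this);` stops new cookies from being issued, but nothing expires the `WIKI_AUTH` cookies browsers already hold. They are ignored today only because the read side is disabled, and would be accepted again as soon as that branch is restored. Until the longer-term fix lands I would clear the cookie on save (empty value, expiry in the past, through whatever the request object offers; that API is not visible here), and give any replacement cookie a new name so old values cannot be replayed. Separately, writing the whole `$this` object to the client presumably exposed its internal fields, so the replacement should store the minimum needed. A comment on the save path such as `// Auth state is persisted server-side only; do not write it to a cookie.` would record the intent.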