Update of /cvsroot/phpwiki/phpwiki/lib
In directory usw-pr-cvs1:/tmp/cvs-serv22983/lib
Modified Files:
WikiUser.php
Log Message:
Kludgy patch to close a potential security hole.
(I think a carefully constructed cookie could be used to
log in (as admin, even) without a password.)
I'll work on a longer term fix...
Index: WikiUser.php
===================================================================
RCS file: /cvsroot/phpwiki/phpwiki/lib/WikiUser.php,v
retrieving revision 1.4
retrieving revision 1.5
diff -C2 -r1.4 -r1.5
*** WikiUser.php 2001/12/02 02:34:48 1.4
--- WikiUser.php 2001/12/06 20:44:13 1.5
***************
*** 23,26 ****
--- 23,37 ----
// don't check for HTTP auth if there's nothing to worry about
+ //
+ // FIXME: the addition of this short-cut introduced a security hole.
+ // Since $this->_restore can potentially restore $this from a
+ // user provided cookie, a carefully constructed cookie can
+ // be used to effectively log in (even as admin) without
+ // a password.
+ //
+ // For now, I'm disabling the code which saves/restores $this
+ // in a cookie. (Login state is still preserved in session vars.)
+ // I'll work on a longer term solution.
+
if ( $this->state == 'authorized'
&& $auth_mode != 'LOGIN'
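Review bot: The short-cut at `if ( $this->state == 'authorized'` stays active, so it is safe only as long as `$this->state` is never populated from client-supplied data, and the new FIXME does not state that invariant. I would put it directly above the condition, e.g. `// Safe only while $this->state comes from server-side session data, never from a cookie.` The sentences beginning "For now, I'm disabling…" describe this commit and belong in the log message rather than the source. The condition continues past the end of the hunk, so the rest of the check is not visible here.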
***************
*** 206,212 ****
if ( $this->_copy($req->getSessionVar('auth_state')) )
- return;
- elseif ( $this->_copy($req->getCookieVar('WIKI_AUTH')) )
return;
else {
// Default state.
--- 217,224 ----
if ( $this->_copy($req->getSessionVar('auth_state')) )
return;
+ // FIXME: Disable restore from cookie (see note in WikiUser().)
+ //elseif ( $this->_copy($req->getCookieVar('WIKI_AUTH')) )
+ // return;
else {
// Default state.
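Review bot: The cookie branch is disabled by commenting it out at `//elseif ( $this->_copy($req->getCookieVar('WIKI_AUTH')) )`, which leaves the unsafe restore path one uncomment away from coming back. I would delete both commented lines and replace the FIXME with a comment stating the rule, e.g. `// Never restore auth state from the WIKI_AUTH cookie: it is client-controlled.` `_copy` is not visible in this hunk, so it is unclear whether it validates what it copies. If it performs no validation, the session path relies entirely on the session store being server-side. The enclosing function (presumably `_restore`) starts and ends outside the hunk.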
***************
*** 221,225 ****
$req->setSessionVar('auth_state', $this);
! $req->setCookieVar('WIKI_AUTH', $this);
}
}
--- 233,238 ----
$req->setSessionVar('auth_state', $this);
! // FIXME: Disable restore from cookie (see note in WikiUser().)
! //$req->setCookieVar('WIKI_AUTH', $this);
}
}
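Review bot: Dropping the write at `//$req->setCookieVar('WIKI_AUTH', $this);` stops new cookies, but WIKI_AUTH cookies already held by browsers are never expired, so they would be accepted again if the restore path is ever re-enabled. Consider expiring the cookie when a request still carries it, and delete the commented-out call rather than keeping it. For the longer-term fix mentioned in the log, a persistent login should carry only an opaque random token or a server-MACed value that is checked server-side, never the user object itself. The enclosing function starts outside the hunk.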