Update of /cvsroot/popfile/engine/UI
In directory sc8-pr-cvs1:/tmp/cvs-serv31325/UI
Modified Files:
HTML.pm
Log Message:
Fix nasty security problem with jump_to_message where it was possible with the right combination of things to get the session key when you shouldn't be able to, and bypass the password screen
Index: HTML.pm
===================================================================
RCS file: /cvsroot/popfile/engine/UI/HTML.pm,v
retrieving revision 1.159
retrieving revision 1.160
diff -C2 -d -r1.159 -r1.160
*** HTML.pm 23 May 2003 14:49:19 -0000 1.159
--- HTML.pm 23 May 2003 15:59:26 -0000 1.160
***************
*** 280,283 ****
--- 280,309 ----
}
+ # Check the password
+
+ if ( $url eq '/password' ) {
+ if ( $self->{form_}{password} eq $self->config_( 'password' ) ) {
+ change_session_key( $self );
+ delete $self->{form_}{password};
+ $self->{form_}{session} = $self->{session_key__};
+ if ( defined( $self->{form_}{redirect} ) ) {
+ $url = $self->{form_}{redirect};
+ } else {
+ $url = '/';
+ }
+ } else {
+ password_page( $self, $client, 1, '/' );
+ return 1;
+ }
+ }
+
+ # If there's a password defined then check to see if the user already knows the
+ # session key, if they don't then drop to the password screen
+
+ if ( ( (!defined($self->{form_}{session})) || ($self->{form_}{session} eq '' ) || ( $self->{form_}{session} ne $self->{session_key__} ) ) && ( $self->config_( 'password' ) ne '' ) ) {
+ password_page( $self, $client, 0, $url );
+ return 1;
+ }
+
if ( $url eq '/jump_to_message' ) {
my $found = 0;
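Review bot: A request for `/password` that carries no `password` field still reaches the `eq` in the first added `if`, so an undefined value is compared against the configured password. That warns under `use warnings`, and where the configured password is empty it lets a bare request call `change_session_key`. Guarding it as `if ( defined( $self->{form_}{password} ) && $self->{form_}{password} eq $self->config_( 'password' ) ) {` avoids both. The `redirect` form field is also copied into `$url` unchecked after a successful login, and the same client-supplied `$url` is passed to `password_page` in the session check, so it is worth confirming that `password_page` escapes it and that only known UI paths are dispatched; neither can be verified from this hunk. The enclosing sub starts and ends outside the hunk.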
***************
*** 326,353 ****
if ( $url =~ /(manual\/.+\.html)/ ) {
$self->http_file_( $client, $1, 'text/html' );
- return 1;
- }
-
- # Check the password
- if ( $url eq '/password' ) {
- if ( $self->{form_}{password} eq $self->config_( 'password' ) ) {
- change_session_key( $self );
- delete $self->{form_}{password};
- $self->{form_}{session} = $self->{session_key__};
- if ( defined( $self->{form_}{redirect} ) ) {
- $url = $self->{form_}{redirect};
- } else {
- $url = '/';
- }
- } else {
- password_page( $self, $client, 1, '/' );
- return 1;
- }
- }
-
- # If there's a password defined then check to see if the user already knows the
- # session key, if they don't then drop to the password screen
- if ( ( (!defined($self->{form_}{session})) || ($self->{form_}{session} eq '' ) || ( $self->{form_}{session} ne $self->{session_key__} ) ) && ( $self->config_( 'password' ) ne '' ) ) {
- password_page( $self, $client, 0, $url );
return 1;
}
--- 352,355 ----