Closes #156 : "Confirm parameter is not secured"
This commit is contained in:
parent
daa6709fd0
commit
dab3aaa07f
|
@ -10,3 +10,4 @@ Revision history for Perl extension Apache::Session::NoSQL.
|
|||
0.03 Fri Sep 24 11:58:12 +0200 2010
|
||||
- More doc
|
||||
- Dependencies
|
||||
(revision 1599)
|
||||
|
|
|
@ -224,10 +224,11 @@ BEGIN {
|
|||
my $redis = Redis->new(%$args);
|
||||
my @keys = $redis->keys('*');
|
||||
my %res;
|
||||
foreach my $k ( @keys ) {
|
||||
foreach my $k (@keys) {
|
||||
my $v = $redis->get($k);
|
||||
my $v = eval { thaw(MIME::Base64::decode_base64($redis->get($k))) };
|
||||
next if($@);
|
||||
my $v =
|
||||
eval { thaw( MIME::Base64::decode_base64( $redis->get($k) ) ) };
|
||||
next if ($@);
|
||||
if ( ref($data) eq 'CODE' ) {
|
||||
$res{$k} = &$data( $v, $k );
|
||||
}
|
||||
|
|
|
@ -12,7 +12,8 @@ sub new {
|
|||
my $self = fields::new($class);
|
||||
my %opts = splice @_;
|
||||
$self->$_( delete $opts{$_} ) foreach (qw(extensions));
|
||||
return $self->SUPER::new(%opts);
|
||||
$self->SUPER::new(%opts);
|
||||
#$self->{get_args} = sub { $self->param(@_) };
|
||||
}
|
||||
|
||||
sub extensions {
|
||||
|
@ -47,50 +48,50 @@ sub signed_return_url {
|
|||
return $self->SUPER::signed_return_url(%opts);
|
||||
}
|
||||
|
||||
*args = \&get_args;
|
||||
#*args = \&get_args;
|
||||
|
||||
sub get_args {
|
||||
my $self = shift;
|
||||
|
||||
if ( my $what = shift ) {
|
||||
Carp::croak("Too many parameters") if @_;
|
||||
|
||||
# Lemonldap::NG only (direct CGI)
|
||||
$self->{get_args} = sub { $what->param( $_[0] ) };
|
||||
|
||||
# INCLUDE IN PROPOSED PATCH FOR Net::OpenID::Server
|
||||
#my $getter;
|
||||
#if ( !ref $what ) {
|
||||
# Carp::croak("No get_args defined") unless $self->{get_args};
|
||||
# return $self->{get_args}->($what) || "";
|
||||
#}
|
||||
#elsif ( ref $what eq "HASH" ) {
|
||||
# $getter = sub { $_[0] ? $what->{ $_[0] } : ( keys %$what ); };
|
||||
#}
|
||||
#elsif ( ref $what eq "Apache" ) {
|
||||
# my %get = $what->args;
|
||||
# $getter = sub { $_[0] ? $get{ $_[0] } : ( keys %get ); };
|
||||
#}
|
||||
#elsif ( ref $what eq "CODE" ) {
|
||||
# $getter = $what;
|
||||
#}
|
||||
#else {
|
||||
# my $r = eval { $what->can('param') };
|
||||
# if ( $@ or not $r ) {
|
||||
# Carp::croak("Unknown parameter type ($what)");
|
||||
# }
|
||||
# else {
|
||||
# $getter = sub {
|
||||
# $_[0] ? scalar $what->param( $_[0] ) : ( $what->param() );
|
||||
# };
|
||||
# }
|
||||
#}
|
||||
#if ($getter) {
|
||||
# $self->{get_args} = $getter;
|
||||
#}
|
||||
}
|
||||
$self->{get_args};
|
||||
}
|
||||
#sub get_args {
|
||||
# my $self = shift;
|
||||
#
|
||||
# if ( my $what = shift ) {
|
||||
# Carp::croak("Too many parameters") if @_;
|
||||
#
|
||||
# # Lemonldap::NG only (direct CGI)
|
||||
# $self->{get_args} = sub { $what->param( $_[0] ) };
|
||||
#
|
||||
# # INCLUDE IN PROPOSED PATCH FOR Net::OpenID::Server
|
||||
# #my $getter;
|
||||
# #if ( !ref $what ) {
|
||||
# # Carp::croak("No get_args defined") unless $self->{get_args};
|
||||
# # return $self->{get_args}->($what) || "";
|
||||
# #}
|
||||
# #elsif ( ref $what eq "HASH" ) {
|
||||
# # $getter = sub { $_[0] ? $what->{ $_[0] } : ( keys %$what ); };
|
||||
# #}
|
||||
# #elsif ( ref $what eq "Apache" ) {
|
||||
# # my %get = $what->args;
|
||||
# # $getter = sub { $_[0] ? $get{ $_[0] } : ( keys %get ); };
|
||||
# #}
|
||||
# #elsif ( ref $what eq "CODE" ) {
|
||||
# # $getter = $what;
|
||||
# #}
|
||||
# #else {
|
||||
# # my $r = eval { $what->can('param') };
|
||||
# # if ( $@ or not $r ) {
|
||||
# # Carp::croak("Unknown parameter type ($what)");
|
||||
# # }
|
||||
# # else {
|
||||
# # $getter = sub {
|
||||
# # $_[0] ? scalar $what->param( $_[0] ) : ( $what->param() );
|
||||
# # };
|
||||
# # }
|
||||
# #}
|
||||
# #if ($getter) {
|
||||
# # $self->{get_args} = $getter;
|
||||
# #}
|
||||
# }
|
||||
# $self->{get_args};
|
||||
#}
|
||||
|
||||
1;
|
||||
__END__
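Review bot: The former `get_args` method and its `*args = \&get_args;` alias are left in the file as a roughly sixty-line commented-out block (`#sub get_args {` … `#}`), and `new()` gains a commented `#$self->{get_args} = sub { $self->param(@_) };` in the same spirit; dead code should be deleted rather than commented, the history keeps it. With the subclass no longer defining `get_args`, calls resolve to Net::OpenID::Server's own implementation — presumably why the caller now passes `get_args => $sub` — but dropping the alias also changes what `->args` resolves to, so confirm nothing still calls it. In `new()`, `$self->SUPER::new(%opts);` now relies on the implicit value of the last statement; keep it explicit, `return $self->SUPER::new(%opts);`, and note that `$self->$_( delete $opts{$_} ) foreach (qw(extensions));` populates `$self` before the parent constructor runs, which is only correct if that constructor reuses an already-blessed invocant — I cannot see it from here.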
|
||||
|
|
|
@ -128,6 +128,7 @@ elsif ( $portal->{error} == PE_CONFIRM ) {
|
|||
FORM_METHOD => $portal->{confirmFormMethod},
|
||||
CHOICE_PARAM => $portal->{authChoiceParam},
|
||||
CHOICE_VALUE => $portal->{_authChoice},
|
||||
CONFIRMKEY => $portal->stamp(),
|
||||
);
|
||||
}
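Review bot: `CONFIRMKEY => $portal->stamp()` places a value that the portal will accept as a confirmation for ten minutes into the form, and the form's method comes from `$portal->{confirmFormMethod}` a few lines up; if that setting can be GET, the stamp travels in the query string and lands in browser history, proxy logs and Referer headers while it is still valid. If GET is permitted there, force POST for the confirmation form or at least record the exposure next to this line, e.g. `# CONFIRMKEY is a time-limited confirmation token: the form must be POSTed`. I cannot see where confirmFormMethod is set, so this may already be POST-only.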
|
||||
|
||||
|
|
|
@ -12,12 +12,12 @@
|
|||
<TMPL_VAR NAME="HIDDEN_INPUTS">
|
||||
<input type="hidden" name="url" value="<TMPL_VAR NAME="AUTH_URL">" />
|
||||
<input type="hidden" id="authKey" name="<TMPL_VAR NAME="CHOICE_PARAM">" value="<TMPL_VAR NAME="CHOICE_VALUE">" />
|
||||
<input type="hidden" id="confirm" name="confirm" value="1" />
|
||||
<input type="hidden" id="confirm" name="confirm" value="<TMPL_VAR NAME="CONFIRMKEY">" />
|
||||
<div id="content-all-info">
|
||||
<TMPL_VAR NAME="MSG">
|
||||
</div>
|
||||
<div class="panel-buttons">
|
||||
<button type="submit" class="negative" tabindex="4" onclick="$('#confirm').attr('value','-1');">
|
||||
<button type="submit" class="negative" tabindex="4" onclick="$('#confirm').attr('value','-<TMPL_VAR NAME="CONFIRMKEY">');">
|
||||
<lang en="Refuse" fr="Refuser" />
|
||||
</button>
|
||||
<button type="submit" class="positive" tabindex="3">
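Review bot: The `CONFIRMKEY` value is interpolated verbatim into the quoted `value` attribute of the hidden `confirm` input and into a single-quoted JavaScript string literal in the Refuse button's `onclick`. It is ciphertext produced by the portal's cipher; if that output is base64 the characters are harmless, but the template should not depend on that, and HTML::Template can escape per context: `value="<TMPL_VAR NAME="CONFIRMKEY" ESCAPE=HTML>"` for the attribute and `onclick="$('#confirm').attr('value','-<TMPL_VAR NAME="CONFIRMKEY" ESCAPE=JS>');"` for the handler.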
|
||||
|
|
|
@ -10,7 +10,7 @@
|
|||
<TMPL_VAR NAME="HIDDEN_INPUTS">
|
||||
<input type="hidden" name="url" value="<TMPL_VAR NAME="AUTH_URL">" />
|
||||
<input type="hidden" id="authKey" name="<TMPL_VAR NAME="CHOICE_PARAM">" value="<TMPL_VAR NAME="CHOICE_VALUE">" />
|
||||
<input type="hidden" id="confirm" name="confirm" value="1" />
|
||||
<input type="hidden" id="confirm" name="confirm" value="<TMPL_VAR NAME="CONFIRMKEY">" />
|
||||
<TMPL_VAR NAME="MSG">
|
||||
<p id="timer"><lang en="Automaticaly accept in 5 seconds" fr="Acceptation automatique dans 5 secondes"/></p>
|
||||
<table><tbody><tr><td>
|
||||
|
@ -19,7 +19,7 @@
|
|||
<img src="/skins/common/accept.png" alt="" />
|
||||
<lang en="Accept" fr="Accepter" />
|
||||
</button>
|
||||
<button type="submit" class="negative" onclick="$('#confirm').attr('value','-1');">
|
||||
<button type="submit" class="negative" onclick="$('#confirm').attr('value','-<TMPL_VAR NAME="CONFIRMKEY">');">
|
||||
<img src="/skins/common/cancel.png" alt="" />
|
||||
<lang en="Refuse" fr="Refuser" />
|
||||
</button>
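Review bot: As in the other confirm template, the stamp is inserted unescaped both into the hidden input's `value` attribute and into the JS string built in the Refuse button's `onclick`; add `ESCAPE=HTML` on the `<TMPL_VAR NAME="CONFIRMKEY">` in the attribute and `ESCAPE=JS` on the one inside the handler. This page also auto-accepts after five seconds (`<p id="timer">`), and the script that performs that submit is not in the hunk; if it still writes the old literal `1` into `#confirm` instead of submitting the stamped default, the portal will refuse the value and redisplay the page, so check that script was updated too.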
|
||||
|
|
|
@ -15,6 +15,7 @@ our $VERSION = '0.01';
|
|||
# @return Lemonldap::NG::Portal error code
|
||||
sub issuerDBInit {
|
||||
my $self = shift;
|
||||
|
||||
eval { require Lemonldap::NG::Common::OpenID::Server };
|
||||
$self->abort( 'Unable to load Net::OpenID::Server', $@ ) if ($@);
|
||||
$self->{openIdSecret} ||= $self->{cipher}->encrypt(0);
|
||||
|
@ -170,12 +171,13 @@ sub openIDServer {
|
|||
$self->{_openidPortal} = $self->{portal} . "/openidserver/";
|
||||
$self->{_openidPortal} =~ s#(?<!:)//#/#g;
|
||||
|
||||
my $sub = sub { return $self->param(@_) };
|
||||
$self->{_openidserver} = Lemonldap::NG::Common::OpenID::Server->new(
|
||||
|
||||
# TODO
|
||||
server_secret => sub { return $self->{openIdSecret} },
|
||||
post_args => $self->{_prm},
|
||||
get_args => $self->{_prm},
|
||||
post_args => $sub,
|
||||
get_args => $sub,
|
||||
endpoint_url => $self->{_openidPortal},
|
||||
setup_url => $self->{_openidPortal},
|
||||
get_user => sub {
|
||||
|
@ -207,12 +209,16 @@ sub openIDServer {
|
|||
$self->lmLog( 'OpenID request already trusted', 'debug' );
|
||||
return 1;
|
||||
}
|
||||
elsif ( $self->param("confirm") ) {
|
||||
elsif ( $self->param("confirm") == 1 ) {
|
||||
$self->updateSession( { "_openidTrust$trust_root" => 1 } );
|
||||
return 1;
|
||||
}
|
||||
elsif ( $self->param("confirm") == -1 ) {
|
||||
return 0;
|
||||
}
|
||||
else {
|
||||
$self->lmLog( 'OpenID request not trusted', 'debug' );
|
||||
$self->lmLog( 'OpenID request not trusted' . $sub->("confirm"),
|
||||
'debug' );
|
||||
$self->{_openIdTrustRequired} = 1;
|
||||
return 0;
|
||||
}
|
||||
|
@ -251,20 +257,30 @@ sub _openIDResponse {
|
|||
$self->storeOpenIDprm();
|
||||
return PE_CONFIRM;
|
||||
}
|
||||
if ( $self->{_badOpenIdentity} ) {
|
||||
elsif ( $self->{_badOpenIdentity} ) {
|
||||
$self->userNotice(
|
||||
"The user $self->{sessionInfo}->{_user} tries to use the id \"$data->{identity}\" on $data->{trust_root}"
|
||||
);
|
||||
return PE_OPENID_BADID;
|
||||
}
|
||||
}
|
||||
|
||||
# User has refused sharing its datas
|
||||
else {
|
||||
$self->userNotice( $self->{sessionInfo}->{ $self->{whatToTrace} }
|
||||
. ' refused to share its OpenIdentity' );
|
||||
return PE_OK;
|
||||
}
|
||||
}
|
||||
elsif ($type) {
|
||||
$self->lmLog( 'OpenID generated page', 'debug' );
|
||||
print STDERR "$type\n";
|
||||
print $self->header($type);
|
||||
print $data;
|
||||
}
|
||||
else {
|
||||
$self->abort( 'OpenID error ', $self->openIDServer->err() );
|
||||
}
|
||||
$self->quit();
|
||||
PE_OK;
|
||||
}
|
||||
|
||||
1;
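Review bot: `elsif ( $self->param("confirm") == 1 )` and the new `== -1` branch in openIDServer compare the request parameter numerically, which accepts any value that numifies to 1 or -1 (`"1abc"`, `" 1"`, `"1e0"`) and raises "isn't numeric" warnings under `use warnings`; the check that makes `confirm` trustworthy lives in the portal's controlUrlOrigin, not here, so this code silently depends on that step having rewritten the value to `1`, `-1` or `0` before the OpenID callback runs. Use string equality, `elsif ( $self->param("confirm") eq '1' ) {` and `elsif ( $self->param("confirm") eq '-1' ) {`, and record the dependency in a comment such as `# 'confirm' has been validated and normalised to 1/-1/0 by controlUrlOrigin`. The debug line `'OpenID request not trusted' . $sub->("confirm")` also concatenates the raw parameter with no separator; a `': '` between them keeps the log readable.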
|
||||
|
|
|
@ -1102,6 +1102,11 @@ sub printImage {
|
|||
close(IMAGE);
|
||||
}
|
||||
|
||||
sub stamp {
|
||||
my $self = shift;
|
||||
return $self->{cipher}->encrypt( time() );
|
||||
}
|
||||
|
||||
###############################################################
|
||||
# MAIN subroutine: call all steps until one returns something #
|
||||
# different than PE_OK #
|
||||
|
@ -1159,9 +1164,23 @@ sub process {
|
|||
|
||||
##@apmethod int controlUrlOrigin()
|
||||
# If the user was redirected here, loads 'url' parameter.
|
||||
# Check also confirm parameter.
|
||||
#@return Lemonldap::NG::Portal constant
|
||||
sub controlUrlOrigin {
|
||||
my $self = shift;
|
||||
if ( my $c = $self->param('confirm') ) {
|
||||
$c =~ s/^(-?)(.*)$/${1}1/;
|
||||
my $time = time() - $self->{cipher}->decrypt($2);
|
||||
if ( $time < 600 ) {
|
||||
$self->lmLog( "Confirm parameter accepted $c", 'debug' );
|
||||
$self->param( 'confirm', $c );
|
||||
print STDERR "DEBUG ".$self->param('confirm')."\n";
|
||||
}
|
||||
else {
|
||||
$self->lmLog( 'Confirmation to old, refused', 'notice' );
|
||||
$self->param( 'confirm', 0 );
|
||||
}
|
||||
}
|
||||
$self->{_url} ||= '';
|
||||
if ( my $url = $self->param('url') ) {
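Review bot: The value checked in controlUrlOrigin is only `encrypt( time() )` (see `stamp()` in the hunk above), so it proves that this portal minted it within the last ten minutes, not that it was minted for the current user's session: a stamp obtained by any account, simply by opening a confirm page, is an acceptable `confirm` for every other session during that window and can be replayed, which leaves the cross-site confirmation problem of #156 only partly closed. Binding the stamp to the session — for example `encrypt( time() . ':' . <session id> )` in `stamp()` and comparing the id on verification — would close it, and a per-request nonce kept in the session would also stop replay. Independently, `$self->{cipher}->decrypt($2)` runs on attacker-controlled input with no `eval`, so a malformed value that makes decrypt die aborts the request instead of being refused (I cannot see the Crypto module, so confirm whether it can die); the capture is read from `$2` after the substitution has already consumed it, the `print STDERR "DEBUG ".$self->param('confirm')."\n";` line should not ship, and the notice reads `'Confirmation to old, refused'` (too old). The rewrite below keeps the same 1/-1/0 normalisation and the 600-second window but guards the decrypt and only accepts a numeric timestamp; the rest of controlUrlOrigin continues outside the hunk.
```perl
    if ( my $c = $self->param('confirm') ) {

        # Value is "<stamp>" (accept) or "-<stamp>" (refuse); the stamp is
        # cipher->encrypt(time()) from stamp(). Normalise to 1 / -1 / 0.
        my ( $sign, $stamp ) = ( $c =~ /^(-?)(.*)$/ );
        my $issued = eval { $self->{cipher}->decrypt($stamp) };
        if ( defined $issued and $issued =~ /^\d+$/ and time() - $issued < 600 ) {
            $self->lmLog( "Confirm parameter accepted ${sign}1", 'debug' );
            $self->param( 'confirm', "${sign}1" );
        }
        else {
            $self->lmLog( 'Confirmation too old or invalid, refused', 'notice' );
            $self->param( 'confirm', 0 );
        }
    }
    # … unchanged: url parameter handling …
```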
|
||||
|
||||
|
|
|
@ -50,7 +50,6 @@ sub _grant {
|
|||
# @return True
|
||||
sub _compileRules {
|
||||
my $self = shift;
|
||||
print STDERR "$cfgNum\n";
|
||||
foreach my $vhost ( keys %{ $self->{locationRules} } ) {
|
||||
my $i = 0;
|
||||
foreach ( keys %{ $self->{locationRules}->{$vhost} } ) {
|
||||
|
@ -88,7 +87,6 @@ sub _conditionSub {
|
|||
$cond =~ s/\$date/&POSIX::strftime("%Y%m%d%H%M%S",localtime())/e;
|
||||
$cond =~ s/\$(\w+)/\$self->{sessionInfo}->{$1}/g;
|
||||
my $sub = "sub {my \$self = shift; return ( $cond )}";
|
||||
print STDERR "$sub\n";
|
||||
$sub = (
|
||||
SAFEWRAP
|
||||
? $self->safe->wrap_code_ref( $self->safe->reval($sub) )
|
||||
|
|