Closes #156 : "Confirm parameter is not secured"

This commit is contained in:
Xavier Guimard 2010-09-24 12:02:57 +00:00
parent daa6709fd0
commit dab3aaa07f
9 changed files with 97 additions and 60 deletions


@ -10,3 +10,4 @@ Revision history for Perl extension Apache::Session::NoSQL.
0.03 Fri Sep 24 11:58:12 +0200 2010
- More doc
- Dependencies
(revision 1599)


@ -224,10 +224,11 @@ BEGIN {
my $redis = Redis->new(%$args);
my @keys = $redis->keys('*');
my %res;
foreach my $k ( @keys ) {
foreach my $k (@keys) {
my $v = $redis->get($k);
my $v = eval { thaw(MIME::Base64::decode_base64($redis->get($k))) };
next if($@);
my $v =
eval { thaw( MIME::Base64::decode_base64( $redis->get($k) ) ) };
next if ($@);
if ( ref($data) eq 'CODE' ) {
$res{$k} = &$data( $v, $k );
}
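Review bot: The `next if ($@)` after the rebuilt `eval { thaw( MIME::Base64::decode_base64( $redis->get($k) ) ) }` discards every failure silently, so a key that `keys('*')` returns but that this module never wrote simply vanishes from `%res`; a debug log of `$k` there would make foreign or corrupted keys visible instead of invisible. Because `keys('*')` is unfiltered and `Storable::thaw` reconstructs whatever was serialized, the loop implicitly trusts the whole Redis database to hold only this module's sessions, which is worth stating above the loop: `# assumes the Redis DB is dedicated to sessions: keys('*') is unfiltered and thaw() trusts the stored payload`. On the last line, `&$data( $v, $k )` uses the legacy `&` call form; `$data->( $v, $k )` is the conventional spelling. The enclosing block (`BEGIN` per the hunk header) starts before this hunk.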


@ -12,7 +12,8 @@ sub new {
my $self = fields::new($class);
my %opts = splice @_;
$self->$_( delete $opts{$_} ) foreach (qw(extensions));
return $self->SUPER::new(%opts);
$self->SUPER::new(%opts);
#$self->{get_args} = sub { $self->param(@_) };
}
sub extensions {
@ -47,50 +48,50 @@ sub signed_return_url {
return $self->SUPER::signed_return_url(%opts);
}
*args = \&get_args;
#*args = \&get_args;
sub get_args {
my $self = shift;
if ( my $what = shift ) {
Carp::croak("Too many parameters") if @_;
# Lemonldap::NG only (direct CGI)
$self->{get_args} = sub { $what->param( $_[0] ) };
# INCLUDE IN PROPOSED PATCH FOR Net::OpenID::Server
#my $getter;
#if ( !ref $what ) {
# Carp::croak("No get_args defined") unless $self->{get_args};
# return $self->{get_args}->($what) || "";
#}
#elsif ( ref $what eq "HASH" ) {
# $getter = sub { $_[0] ? $what->{ $_[0] } : ( keys %$what ); };
#}
#elsif ( ref $what eq "Apache" ) {
# my %get = $what->args;
# $getter = sub { $_[0] ? $get{ $_[0] } : ( keys %get ); };
#}
#elsif ( ref $what eq "CODE" ) {
# $getter = $what;
#}
#else {
# my $r = eval { $what->can('param') };
# if ( $@ or not $r ) {
# Carp::croak("Unknown parameter type ($what)");
# }
# else {
# $getter = sub {
# $_[0] ? scalar $what->param( $_[0] ) : ( $what->param() );
# };
# }
#}
#if ($getter) {
# $self->{get_args} = $getter;
#}
}
$self->{get_args};
}
#sub get_args {
# my $self = shift;
#
# if ( my $what = shift ) {
# Carp::croak("Too many parameters") if @_;
#
# # Lemonldap::NG only (direct CGI)
# $self->{get_args} = sub { $what->param( $_[0] ) };
#
# # INCLUDE IN PROPOSED PATCH FOR Net::OpenID::Server
# #my $getter;
# #if ( !ref $what ) {
# # Carp::croak("No get_args defined") unless $self->{get_args};
# # return $self->{get_args}->($what) || "";
# #}
# #elsif ( ref $what eq "HASH" ) {
# # $getter = sub { $_[0] ? $what->{ $_[0] } : ( keys %$what ); };
# #}
# #elsif ( ref $what eq "Apache" ) {
# # my %get = $what->args;
# # $getter = sub { $_[0] ? $get{ $_[0] } : ( keys %get ); };
# #}
# #elsif ( ref $what eq "CODE" ) {
# # $getter = $what;
# #}
# #else {
# # my $r = eval { $what->can('param') };
# # if ( $@ or not $r ) {
# # Carp::croak("Unknown parameter type ($what)");
# # }
# # else {
# # $getter = sub {
# # $_[0] ? scalar $what->param( $_[0] ) : ( $what->param() );
# # };
# # }
# #}
# #if ($getter) {
# # $self->{get_args} = $getter;
# #}
# }
# $self->{get_args};
#}
1;
__END__
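Review bot: The retired `get_args` implementation and the `*args = \&get_args;` alias are kept on the new side as roughly forty lines of `#`-commented code rather than deleted; version control already preserves them, and a single comment explaining the new arrangement is easier to maintain, e.g. `# get_args/post_args are now supplied by the caller (the portal's openIDServer sub); the inherited accessor is used.` In the first hunk `$self->SUPER::new(%opts);` lost its `return`; as the last statement it still yields the constructor's value, but `return $self->SUPER::new(%opts);` makes that explicit and survives a later insertion below it. `new` begins before the first hunk.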


@ -128,6 +128,7 @@ elsif ( $portal->{error} == PE_CONFIRM ) {
FORM_METHOD => $portal->{confirmFormMethod},
CHOICE_PARAM => $portal->{authChoiceParam},
CHOICE_VALUE => $portal->{_authChoice},
CONFIRMKEY => $portal->stamp(),
);
}


@ -12,12 +12,12 @@
<TMPL_VAR NAME="HIDDEN_INPUTS">
<input type="hidden" name="url" value="<TMPL_VAR NAME="AUTH_URL">" />
<input type="hidden" id="authKey" name="<TMPL_VAR NAME="CHOICE_PARAM">" value="<TMPL_VAR NAME="CHOICE_VALUE">" />
<input type="hidden" id="confirm" name="confirm" value="1" />
<input type="hidden" id="confirm" name="confirm" value="<TMPL_VAR NAME="CONFIRMKEY">" />
<div id="content-all-info">
<TMPL_VAR NAME="MSG">
</div>
<div class="panel-buttons">
<button type="submit" class="negative" tabindex="4" onclick="$('#confirm').attr('value','-1');">
<button type="submit" class="negative" tabindex="4" onclick="$('#confirm').attr('value','-<TMPL_VAR NAME="CONFIRMKEY">');">
<lang en="Refuse" fr="Refuser" />
</button>
<button type="submit" class="positive" tabindex="3">
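Review bot: `<TMPL_VAR NAME="CONFIRMKEY">` is interpolated into the hidden input's `value` attribute and again into the JavaScript string literal inside `onclick`, in both cases without an `ESCAPE` attribute. Today the value is the portal's own `stamp()` output rather than user input, so this is not exploitable as written, but the template records no assumption about its character set; `<TMPL_VAR NAME="CONFIRMKEY" ESCAPE=HTML>` in the attribute and `<TMPL_VAR NAME="CONFIRMKEY" ESCAPE=JS>` in the `onclick` string cost nothing and keep the markup well-formed if the cipher's output encoding ever changes. The same two insertions appear in the other skin's confirm template in this commit (both of its hunks).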


@ -10,7 +10,7 @@
<TMPL_VAR NAME="HIDDEN_INPUTS">
<input type="hidden" name="url" value="<TMPL_VAR NAME="AUTH_URL">" />
<input type="hidden" id="authKey" name="<TMPL_VAR NAME="CHOICE_PARAM">" value="<TMPL_VAR NAME="CHOICE_VALUE">" />
<input type="hidden" id="confirm" name="confirm" value="1" />
<input type="hidden" id="confirm" name="confirm" value="<TMPL_VAR NAME="CONFIRMKEY">" />
<TMPL_VAR NAME="MSG">
<p id="timer"><lang en="Automaticaly accept in 5 seconds" fr="Acceptation automatique dans 5 secondes"/></p>
<table><tbody><tr><td>
@ -19,7 +19,7 @@
<img src="/skins/common/accept.png" alt="" />
<lang en="Accept" fr="Accepter" />
</button>
<button type="submit" class="negative" onclick="$('#confirm').attr('value','-1');">
<button type="submit" class="negative" onclick="$('#confirm').attr('value','-<TMPL_VAR NAME="CONFIRMKEY">');">
<img src="/skins/common/cancel.png" alt="" />
<lang en="Refuse" fr="Refuser" />
</button>


@ -15,6 +15,7 @@ our $VERSION = '0.01';
# @return Lemonldap::NG::Portal error code
sub issuerDBInit {
my $self = shift;
eval { require Lemonldap::NG::Common::OpenID::Server };
$self->abort( 'Unable to load Net::OpenID::Server', $@ ) if ($@);
$self->{openIdSecret} ||= $self->{cipher}->encrypt(0);
@ -170,12 +171,13 @@ sub openIDServer {
$self->{_openidPortal} = $self->{portal} . "/openidserver/";
$self->{_openidPortal} =~ s#(?<!:)//#/#g;
my $sub = sub { return $self->param(@_) };
$self->{_openidserver} = Lemonldap::NG::Common::OpenID::Server->new(
# TODO
server_secret => sub { return $self->{openIdSecret} },
post_args => $self->{_prm},
get_args => $self->{_prm},
post_args => $sub,
get_args => $sub,
endpoint_url => $self->{_openidPortal},
setup_url => $self->{_openidPortal},
get_user => sub {
@ -207,12 +209,16 @@ sub openIDServer {
$self->lmLog( 'OpenID request already trusted', 'debug' );
return 1;
}
elsif ( $self->param("confirm") ) {
elsif ( $self->param("confirm") == 1 ) {
$self->updateSession( { "_openidTrust$trust_root" => 1 } );
return 1;
}
elsif ( $self->param("confirm") == -1 ) {
return 0;
}
else {
$self->lmLog( 'OpenID request not trusted', 'debug' );
$self->lmLog( 'OpenID request not trusted' . $sub->("confirm"),
'debug' );
$self->{_openIdTrustRequired} = 1;
return 0;
}
@ -251,20 +257,30 @@ sub _openIDResponse {
$self->storeOpenIDprm();
return PE_CONFIRM;
}
if ( $self->{_badOpenIdentity} ) {
elsif ( $self->{_badOpenIdentity} ) {
$self->userNotice(
"The user $self->{sessionInfo}->{_user} tries to use the id \"$data->{identity}\" on $data->{trust_root}"
);
return PE_OPENID_BADID;
}
}
# User has refused sharing its datas
else {
$self->userNotice( $self->{sessionInfo}->{ $self->{whatToTrace} }
. ' refused to share its OpenIdentity' );
return PE_OK;
}
}
elsif ($type) {
$self->lmLog( 'OpenID generated page', 'debug' );
print STDERR "$type\n";
print $self->header($type);
print $data;
}
else {
$self->abort( 'OpenID error ', $self->openIDServer->err() );
}
$self->quit();
PE_OK;
}
1;
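Review bot: `elsif ( $self->param("confirm") == 1 )` and the new `== -1` branch compare the parameter numerically, which is only correct because `controlUrlOrigin` in the portal (same commit) has already rewritten a valid stamp to `1`/`-1` and an expired one to `0`; if the raw key ever reached this code, `==` would warn and compare whatever leading digits it happens to have. A comment above the first branch, `# 'confirm' has been normalized to 1 / -1 / 0 by controlUrlOrigin()`, records that precondition, or `eq '1'` / `eq '-1'` would fail closed on an unnormalized value. In the `else` branch, `'OpenID request not trusted' . $sub->("confirm")` runs the message straight into the value; `'OpenID request not trusted (confirm=' . $sub->("confirm") . ')'` reads better in the log. The `print STDERR "$type\n";` in the `_openIDResponse` hunk looks like leftover debugging, as does the `print STDERR "DEBUG "...` line in the portal's `controlUrlOrigin` hunk; both should go or become `lmLog` debug calls. `openIDServer` and `_openIDResponse` both start before their hunks.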


@ -1102,6 +1102,11 @@ sub printImage {
close(IMAGE);
}
sub stamp {
my $self = shift;
return $self->{cipher}->encrypt( time() );
}
###############################################################
# MAIN subroutine: call all steps until one returns something #
# different than PE_OK #
@ -1159,9 +1164,23 @@ sub process {
##@apmethod int controlUrlOrigin()
# If the user was redirected here, loads 'url' parameter.
# Check also confirm parameter.
#@return Lemonldap::NG::Portal constant
sub controlUrlOrigin {
my $self = shift;
if ( my $c = $self->param('confirm') ) {
$c =~ s/^(-?)(.*)$/${1}1/;
my $time = time() - $self->{cipher}->decrypt($2);
if ( $time < 600 ) {
$self->lmLog( "Confirm parameter accepted $c", 'debug' );
$self->param( 'confirm', $c );
print STDERR "DEBUG ".$self->param('confirm')."\n";
}
else {
$self->lmLog( 'Confirmation to old, refused', 'notice' );
$self->param( 'confirm', 0 );
}
}
$self->{_url} ||= '';
if ( my $url = $self->param('url') ) {
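Review bot: `stamp()` encrypts nothing but `time()`, so the check `if ( $time < 600 )` in `controlUrlOrigin` proves only that the key was minted by this portal within the last ten minutes; it is not bound to the session that displayed the confirm page, which is weaker than a per-session token. Including a session-specific value alongside the timestamp in what `stamp()` encrypts, and verifying it here, would close that gap (session data is reachable through `$self->{sessionInfo}` elsewhere in this commit). `$self->{cipher}->decrypt($2)` also relies on `$2` surviving from the `s/^(-?)(.*)$/${1}1/` on the previous line; it works today but breaks as soon as a statement is inserted between them, so capture first: `my ( $sign, $key ) = $c =~ /^(-?)(.*)$/;` then `$c = "${sign}1";` and `decrypt($key)`. If `decrypt` returns undef on a malformed key the subtraction yields roughly `time()` and the request is refused, which is the safe direction, though it is not visible here whether `decrypt` can die instead. `controlUrlOrigin` continues past the hunk.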


@ -50,7 +50,6 @@ sub _grant {
# @return True
sub _compileRules {
my $self = shift;
print STDERR "$cfgNum\n";
foreach my $vhost ( keys %{ $self->{locationRules} } ) {
my $i = 0;
foreach ( keys %{ $self->{locationRules}->{$vhost} } ) {
@ -88,7 +87,6 @@ sub _conditionSub {
$cond =~ s/\$date/&POSIX::strftime("%Y%m%d%H%M%S",localtime())/e;
$cond =~ s/\$(\w+)/\$self->{sessionInfo}->{$1}/g;
my $sub = "sub {my \$self = shift; return ( $cond )}";
print STDERR "$sub\n";
$sub = (
SAFEWRAP
? $self->safe->wrap_code_ref( $self->safe->reval($sub) )