From 3bca18fb4c35616074c7e9daabcef183521b8e6c Mon Sep 17 00:00:00 2001
From: "Leigh B. Stoller" <stoller@flux.utah.edu>
Date: Mon, 10 Nov 2003 15:22:12 +0000
Subject: [PATCH] More security hacking: Do not allow and random user from the
 internet to logout any random user on the testbed; only logged in admin users
 can do that now!

---
 www/TOCHECK     |  6 +++---
 www/logout.php3 | 51 ++++++++++++++++++++++++++++++++-----------------
 www/menu.php3   |  2 +-
 www/tbauth.php3 |  7 ++++++-
 4 files changed, 43 insertions(+), 23 deletions(-)

diff --git a/www/TOCHECK b/www/TOCHECK
index 097d3a206..e7cfb5c23 100644
--- a/www/TOCHECK
+++ b/www/TOCHECK
@@ -73,8 +73,8 @@ freezeuser.php3
 index.php3
 joinproject.php3
 loadimage.php3
-login.php3
-logout.php3
+login.php3		X
+logout.php3		X
 menu.php3
 menu.php3.java
 modifyexp.php3
@@ -146,7 +146,7 @@ start.php3
 survey.php3
 swapexp.php3
 tbauth.php3
-toggle.php
+toggle.php			X
 top2image.php3
 tutorial/docwrapper.php3	X
 tutorial/tutorial.php3		X
diff --git a/www/logout.php3 b/www/logout.php3
index e5095b698..9d451429b 100644
--- a/www/logout.php3
+++ b/www/logout.php3
@@ -1,7 +1,7 @@
 <?php
 #
 # EMULAB-COPYRIGHT
-# Copyright (c) 2000-2002 University of Utah and the Flux Group.
+# Copyright (c) 2000-2003 University of Utah and the Flux Group.
 # All rights reserved.
 #
 #
@@ -12,28 +12,43 @@ require("defs.php3");
 #
 # This page gets loaded as the result of a logout click.
 #
-# $uid comes in as a variable.
+# $uid optionally comes in as a variable so admins can logout other users.
 #
-if (isset($uid) && strcmp($uid, "")) {
-    DOLOGOUT($uid);
-    unset($uid);
-
-    #
-    # Zap the user back to the front page, in nonsecure mode.
-    # 
-    header("Location: $TBBASE/");
-    return;
+$target_uid = $_GET['target_uid'];
+
+# Pedantic page argument checking. Good practice!
+if (isset($target_uid) && $target_uid == "") {
+    PAGEARGERROR();
 }
 
-#
-# Standard Testbed Header
-#
-PAGEHEADER("Logout");
+# Get current login.
+# Only admin users can logout someone other then themself.
+$uid = GETLOGIN();
+LOGGEDINORDIE($uid);
+
+if (!isset($target_uid))
+    $target_uid = $uid;
+
+if ($target_uid != $uid && !ISADMIN($uid)) {
+    PAGEHEADER("Logout");
+    echo "<center>
+          <h3>You do not have permission to logout '$target_uid'
+          </h3></center>\n";
+    PAGEFOOTER();
+    return;
+}
 
-echo "<center><h3>Logout attempt failed!</h3></center>\n";
+if (DOLOGOUT($target_uid) != 0) {
+    PAGEHEADER("Logout");
+    echo "<center><h3>Logout '$target_uid' failed!</h3></center>\n";
+    PAGEFOOTER();
+    return;
+}
 
 #
-# Standard Testbed Footer
+# Success. Zap the user back to the front page, in nonsecure mode.
 # 
-PAGEFOOTER();
+header("Location: $TBBASE/");
 ?>
+
+
diff --git a/www/menu.php3 b/www/menu.php3
index 2d73d1000..d9d3c8eba 100644
--- a/www/menu.php3
+++ b/www/menu.php3
@@ -362,7 +362,7 @@ function WRITESIDEBAR() {
     if ($login_status & (CHECKLOGIN_LOGGEDIN|CHECKLOGIN_MAYBEVALID)) {
       echo "<tr>";
       echo "<td class=\"menufooter\" align=center valign=center>";
-      echo "<a href=\"$TBBASE/logout.php3?uid=$login_uid\">";
+      echo "<a href=\"$TBBASE/logout.php3?target_uid=$login_uid\">";
       echo "<img alt=\"logoff\" border=0 ";
       echo "src=\"$BASEPATH/logoff.gif\"></a>\n";
       echo "</td></tr>\n";
diff --git a/www/tbauth.php3 b/www/tbauth.php3
index cfb984452..38dc6d282 100644
--- a/www/tbauth.php3
+++ b/www/tbauth.php3
@@ -494,6 +494,11 @@ function VERIFYPASSWD($uid, $password) {
 function DOLOGOUT($uid) {
     global $TBDBNAME, $TBSECURECOOKIES, $CHECKLOGIN_STATUS;
 
+    # Pedantic check.
+    if (!TBvalid_uid($uid)) {
+	return 1;
+    }
+
     $CHECKLOGIN_STATUS = CHECKLOGIN_NOTLOGGEDIN;
 
     $query_result =
@@ -501,7 +506,7 @@ function DOLOGOUT($uid) {
 
     # Not logged in.
     if (($row = mysql_fetch_array($query_result)) == 0) {
-	return 0;
+	return 1;
     }
 
     $hashkey = $row[hashkey];
-- 
GitLab