Commit 754d8013 authored by Leigh Stoller's avatar Leigh Stoller

More security hacking.

* Add TBvalid_uid() function to regex uid's. To be used throughout the
  system. Eventually add routines for checking other things like pids
  and eids, etc.

* Regex the uid value we get from the cookie, and switch to $_COOKIE
  superglobal.

* Strict regex checking in DOLOGIN() of uid.

* Change login.php to use superglobals, and general tightening of
  parameter checking.
parent b77a4786
......@@ -139,6 +139,9 @@ define("TBDB_IFACEROLE_FAKE", "fake");
define("TBDB_IFACEROLE_GW", "gw");
define("TBDB_IFACEROLE_OTHER", "other");
# Some regex functions to check various arguments
function TBvalid_uid($uid) { return preg_match("/^[a-zA-Z][-\w]+$/", $uid);}
#
# Convert a trust string to the above numeric values.
#
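Review bot: `TBvalid_uid()` accepts a uid that ends in a newline, because `$` in PCRE also matches just before a final "\n". Since this function is meant to be the system-wide gate for uids arriving in cookies and URLs, anchor the end with the `D` modifier (or `\z`): `return preg_match("/^[a-zA-Z][-\w]+$/D", $uid);`. The pattern also sets no upper length, so a bound matching the uid column size (not visible here) would be worth adding. A short comment stating the accepted alphabet (a leading letter, then letters, digits, underscore or hyphen, at least two characters in total) would help the callers that are expected to adopt it.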
......
......@@ -6,28 +6,24 @@
#
require("defs.php3");
#
# These two for verification.
#
if (!isset($key) || !strcmp($key, "")) {
$key = 0;
}
if (!isset($vuid) || !strcmp($vuid, "")) {
$vuid = 0;
}
# Allow adminmode to be passed along.
if (!isset($adminmode)) {
$adminmode = 0;
}
# Allow referrer to be passed along.
if (!isset($referrer) || !strcmp($referrer, "")) {
$referrer = 0;
}
# Referrer page requested that it be passed along so that it can be
# Page arguments. First two are for verification passthru.
$key = $_GET['key'];
$vuid = $_GET['vuid'];
# Allow adminmode to be passed along to new login. Handy for letting admins
# log in when NOLOGINS() is on.
$adminmode = $_GET['adminmode'];
# Form arguments.
$login = $_POST['login'];
$uid = $_POST['uid'];
$password = $_POST['password'];
# Allow referrer to be passed along to new login.
$referrer = $_POST['referrer'];
# See if referrer page requested that it be passed along so that it can be
# redisplayed after login. Save the referrer for form below.
if (isset($refer) && $refer &&
isset($HTTP_REFERER) && strcmp($HTTP_REFERER, "")) {
$referrer = $HTTP_REFERER;
if (isset($_GET['refer']) && $_GET['refer'] &&
isset($_SERVER['HTTP_REFERER']) && $_SERVER['HTTP_REFERER'] != "") {
$referrer = $_SERVER['HTTP_REFERER'];
}
#
......@@ -36,9 +32,10 @@ if (isset($refer) && $refer &&
if (($known_uid = GETUID()) != FALSE) {
if (CHECKLOGIN($known_uid) & CHECKLOGIN_LOGGEDIN) {
#
# If doing a verification, zap to that page.
# If doing a verification for the logged in user, zap to that page.
# If doing a verification for another user, then must login in again.
#
if ($key && (!$vuid || !strcmp($vuid, $known_uid))) {
if (isset($key) && (!isset($vuid) || $vuid == $known_uid)) {
header("Location: $TBBASE/verifyusr.php3?key=$key");
return;
}
......@@ -79,12 +76,14 @@ function SPITFORM($uid, $key, $referrer, $failed, $adminmode)
</font>
</center>\n";
$keyarg = "";
$pagearg = "";
if ($adminmode == 1)
$pagearg = "?adminmode=1";
if ($key)
$keyarg = "?key=$key";
$pagearg .= "&key=$key";
echo "<table align=center border=1>
<form action='${TBBASE}/login.php3${keyarg}' method=post>
<form action='${TBBASE}/login.php3${pagearg}' method=post>
<tr>
<td>Username:</td>
<td><input type=text
......@@ -103,9 +102,6 @@ function SPITFORM($uid, $key, $referrer, $failed, $adminmode)
if ($referrer) {
echo "<input type=hidden name=referrer value=$referrer>\n";
}
if ($adminmode) {
echo "<input type=hidden name=adminmode value=1>\n";
}
echo "</form>
</table>\n";
......@@ -115,29 +111,13 @@ function SPITFORM($uid, $key, $referrer, $failed, $adminmode)
</h2></center>\n";
}
#
# Do not bother if NOLOGINS!
#
if (0 && NOLOGINS()) {
PAGEHEADER("Login");
echo "<center>
<font size=+1 color=red>
Logins are temporarily disabled. Please try again later.
</font>
</center><br>\n";
PAGEFOOTER();
die("");
}
#
# If not clicked, then put up a form.
#
if (! isset($login)) {
if ($vuid)
$known_uid = $vuid;
SPITFORM($known_uid, $key, $referrer, 0, $adminmode);
# Allow page arg to override what we think is the UID to log in as.
SPITFORM((isset($vuid) ? $vuid : $known_uid),
$key, $referrer, 0, $adminmode);
PAGEFOOTER();
return;
}
......@@ -148,9 +128,9 @@ if (! isset($login)) {
$STATUS_LOGGEDIN = 1;
$STATUS_LOGINFAIL = 2;
$login_status = 0;
$adminmode = (isset($adminmode) && $adminmode == 1);
if (!isset($uid) ||
strcmp($uid, "") == 0) {
if (!isset($uid) || $uid == "" || !isset($password) || $password == "") {
$login_status = $STATUS_LOGINFAIL;
}
else {
......@@ -171,13 +151,13 @@ if ($login_status == $STATUS_LOGINFAIL) {
return;
}
if ($key) {
if (isset($key)) {
#
# If doing a verification, zap to that page.
#
header("Location: $TBBASE/verifyusr.php3?key=$key");
}
elseif ($referrer) {
elseif (isset($referrer)) {
#
# Zap back to page that started the login request.
#
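Review bot: `key`, `vuid` and `referrer` are now read straight from `$_GET`/`$_POST` but, unlike the uid, are never validated or escaped. They are interpolated into `header("Location: $TBBASE/verifyusr.php3?key=$key")`, the form action (`&key=$key`) and the unquoted hidden field `value=$referrer`, so request-controlled text reaches both the response headers and the HTML. Encode per context, for example `"key=" . urlencode($key)` in the URLs and `value='" . htmlspecialchars($referrer, ENT_QUOTES) . "'` in the hidden input, and check the referrer against `$TBBASE` before the post-login redirect (that branch's body is outside the hunk). Separately, in the SPITFORM hunk `$pagearg` begins with `&key=` whenever adminmode is not 1, producing `login.php3&key=...`; `$pagearg .= ($pagearg == "" ? "?" : "&") . "key=" . urlencode($key);` fixes the separator. SPITFORM's body is only partly visible in these hunks.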
......
......@@ -51,7 +51,7 @@ function GENHASH() {
if (! $fp) {
TBERROR("Error opening /dev/urandom", 1);
}
$random_bytes = fread($fp, 64);
$random_bytes = fread($fp, 128);
fclose($fp);
$hash = mhash (MHASH_MD5, bin2hex($retval) . " " . microtime());
......@@ -82,19 +82,25 @@ function GETLOGIN() {
# browser thinks, if anything.
#
function GETUID() {
global $TBNAMECOOKIE, $HTTP_COOKIE_VARS;
global $TBNAMECOOKIE;
global $nocookieuid;
$curname = $nocookieuid;
$curname = FALSE;
if ($curname == NULL) {
$curname = $HTTP_COOKIE_VARS[$TBNAMECOOKIE];
# XXX - nocookieuid is sent by netbuild applet in URL.
if (isset($_GET['nocookieuid'])) {
$curname = $_GET['nocookieuid'];
}
elseif (isset($_COOKIE[$TBNAMECOOKIE])) {
$curname = $_COOKIE[$TBNAMECOOKIE];
}
else
return FALSE;
if ($curname == NULL) {
# Verify valid string (no special chars like single/double quotes!).
if (!TBvalid_uid($curname)) {
return FALSE;
}
return $curname;
}
......@@ -264,7 +270,7 @@ function CHECKLOGIN($uid) {
function LOGGEDINORDIE($uid, $modifier = 0) {
global $TBBASE, $BASEPATH, $HTTP_COOKIE_VARS, $TBNAMECOOKIE;
# If our login isn't valid, then the uid is already set to "",
# If our login is not valid, then the uid is already set to "",
# so refresh it to the cookie value. Then we can pass the right
# uid to hcecklogin, so we can give the right error message.
if ($uid=="") { $uid=$HTTP_COOKIE_VARS[$TBNAMECOOKIE]; }
......@@ -357,12 +363,12 @@ function ISADMINISTRATOR() {
#
# Attempt a login.
#
function DOLOGIN($uid, $password, $adminmode) {
function DOLOGIN($uid, $password, $adminmode = 0) {
global $TBDBNAME, $TBAUTHCOOKIE, $TBAUTHDOMAIN, $TBAUTHTIMEOUT;
global $TBNAMECOOKIE, $TBSECURECOOKIES;
if (! isset($password) ||
strcmp($password, "") == 0) {
# Caller makes these checks too.
if (!TBvalid_uid($uid) || !isset($password) || $password == "") {
return -1;
}
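Review bot: `LOGGEDINORDIE()` still refreshes `$uid` from `$HTTP_COOKIE_VARS[$TBNAMECOOKIE]` without the new `TBvalid_uid()` check, since only the comment in that hunk changed. A cookie value that `GETUID()` would now reject is therefore still passed on from this path. Apply the same gate there, e.g. `if ($uid == "" && isset($_COOKIE[$TBNAMECOOKIE]) && TBvalid_uid($_COOKIE[$TBNAMECOOKIE])) { $uid = $_COOKIE[$TBNAMECOOKIE]; }`; the rest of the function is outside the hunk. In the GENHASH hunk the bytes read from /dev/urandom go into `$random_bytes`, yet the visible `mhash()` call hashes `bin2hex($retval)`. If `$retval` is not assigned earlier in the function, the hash input is effectively only `microtime()`, so `bin2hex($random_bytes)` looks like what was intended.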
......