From 05e6e98cd5e67611ff2e8a3f2c14fd2f082e6da3 Mon Sep 17 00:00:00 2001 From: dairiki Date: Thu, 6 Dec 2001 20:44:13 +0000 Subject: [PATCH] Kludgy patch to close a potential security hole. (I think a carefully constructed cookie could be used to log in (as admin, even) without a password.) I'll work on a longer term fix... git-svn-id: svn://svn.code.sf.net/p/phpwiki/code/trunk@727 96ab9672-09ca-45d6-a79d-3d69d39ca109 --- lib/WikiUser.php | 21 +++++++++++++++++---- 1 file changed, 17 insertions(+), 4 deletions(-) diff --git a/lib/WikiUser.php b/lib/WikiUser.php index 5b26c9ca5..5d44d5bee 100644 --- a/lib/WikiUser.php +++ b/lib/WikiUser.php @@ -1,4 +1,4 @@ -_restore(); // don't check for HTTP auth if there's nothing to worry about + // + // FIXME: the addition of this short-cut introduced a security hole. + // Since $this->_restore can potentially restore $this from a + // user provided cookie, a carefully constructed cookie can + // be used to effectively log in (even as admin) without + // a password. + // + // For now, I'm disabling the code which saves/restores $this + // in a cookie. (Login state is still preserved in session vars.) + // I'll work on a longer term solution. + if ( $this->state == 'authorized' && $auth_mode != 'LOGIN' && $auth_mode != 'LOGOUT' ) @@ -206,8 +217,9 @@ class WikiUser if ( $this->_copy($req->getSessionVar('auth_state')) ) return; - elseif ( $this->_copy($req->getCookieVar('WIKI_AUTH')) ) - return; + // FIXME: Disable restore from cookie (see note in WikiUser().) + //elseif ( $this->_copy($req->getCookieVar('WIKI_AUTH')) ) + // return; else { // Default state. $this->userid = ''; @@ -220,7 +232,8 @@ class WikiUser $req = &$this->_request; $req->setSessionVar('auth_state', $this); - $req->setCookieVar('WIKI_AUTH', $this); + // FIXME: Disable restore from cookie (see note in WikiUser().) + //$req->setCookieVar('WIKI_AUTH', $this); } } -- 2.45.0
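Review bot: In the `_restore()` hunk the cookie branch is commented out rather than deleted, so `$this->_copy($req->getCookieVar('WIKI_AUTH'))` can be brought back by uncommenting two lines; I would remove the lines and leave only the FIXME explaining why. The root cause named in the constructor comment is that `state` comes from client-supplied data and is then trusted by the `$this->state == 'authorized'` short-cut, so the longer-term fix should either never take `state` from the cookie or accept the cookie only after verifying a keyed MAC made with a server-side secret. `_restore()` starts before this hunk and `_copy()` is not shown, so whether `_copy()` validates the fields it copies cannot be judged from here. The `_save()` hunk uses the same comment-out pattern.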
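Review bot: Removing the `setCookieVar('WIKI_AUTH', $this)` call in `_save()` stops new cookies from being issued, but nothing here expires WIKI_AUTH cookies that browsers already hold. They are ignored while the read in `_restore()` stays disabled, yet they would be accepted again the moment that branch is re-enabled. I would expire the cookie when the session state is saved, or have the longer-term fix use a different cookie name, and say so in the comment, e.g. `// WIKI_AUTH is no longer written or read; login state lives only in the session`. `_save()` begins before this hunk.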