Fix database hijacking

Check if a requested database can be selected. Error out if not.
This prevents automatic fallbacks to the default database.

Remove the authorized information from the session if a new database
gets selected.

Factor out logout function to reuse existing code.

controllers/common.php

@@ -11,31 +11,26 @@ Router\before(function($action) {
 
     Session\open(BASE_URL_DIRECTORY, SESSION_SAVE_PATH);
 
-    // Select another database
+    // Select the requested database. If it fails, logout to destroy session and
+    // 'remember me' cookie
     if (! empty($_SESSION['database'])) {
-        Model\Database\select($_SESSION['database']);
+        if (! Model\Database\select($_SESSION['database'])) {
-    }
+            Model\User\logout();
-
-    // Authentication
-    if (Model\User\is_logged()) {
-
-        if (! Model\User\is_user_session()) {
-            Session\close();
             Response\redirect('?action=login');
         }
-
-        if (Model\RememberMe\has_cookie()) {
-            Model\RememberMe\refresh();
     }
-    }
-    else {
 
-        if (! in_array($action, array('login', 'bookmark-feed', 'select-db'))) {
+    // These actions are considered to be safe even for unauthenticated users
+    $safe_actions = array('login', 'bookmark-feed', 'select-db', 'logout', 'notfound');
 
+    if ( ! Model\User\is_loggedin() && ! in_array($action, $safe_actions)) {
         if (! Model\RememberMe\authenticate()) {
+            Model\User\logout();
             Response\redirect('?action=login');
         }
     }
+    else if (Model\RememberMe\has_cookie()) {
+        Model\RememberMe\refresh();
     }
 
     // Load translations

cronjob.php

@@ -17,7 +17,9 @@ else {
 }
 
 if (! empty($options['database'])) {
-    Model\Database\select($options['database']);
+    if (! Model\Database\select($options['database'])) {
+        die("Database ".$options['database']." not found\r\n");
+    }
 }
 
 $limit = ! empty($options['limit']) && ctype_digit($options['limit']) ? (int) $options['limit'] : Model\Feed\LIMIT_ALL;

fever/index.php

@@ -30,7 +30,13 @@ function response(array $response)
 function auth()
 {
     if (! empty($_GET['database'])) {
-        Model\Database\select($_GET['database']);
+        if (! Model\Database\select($_GET['database'])) {
+            // return unauthorized if the requested database could not be found
+            return array(
+                'api_version' => 3,
+                'auth' => 0,
+            );
+        }
     }
 
     $credentials = Database::get('db')->table('config')

models/database.php

@@ -36,10 +36,26 @@ function select($filename = '')
 {
     static $current_filename = DB_FILENAME;
 
-    if (ENABLE_MULTIPLE_DB && $filename !== '' && in_array($filename, get_all())) {
+    // function gets called with a filename at least once the database
+    // connection is established
+    if ($filename !== '') {
+        if (ENABLE_MULTIPLE_DB && in_array($filename, get_all())) {
             $current_filename = $filename;
+
+            // unset the authenticated flag if the database is changed
+            if (empty($_SESSION['database']) || $_SESSION['database'] !== $filename) {
+                if (isset($_SESSION)) {
+                    unset($_SESSION['user']);
+                }
+
+                $_SESSION['database'] = $filename;
                 $_SESSION['config'] = \Model\Config\get_all();
             }
+        }
+        else {
+            return false;
+        }
+    }
 
     return $current_filename;
 }

models/remember_me.php

@@ -67,7 +67,6 @@ function authenticate()
 
             // Create the session
             $_SESSION['user'] = User\get($record['username']);
-            $_SESSION['config'] = Config\get_all();
 
             return true;
         }
@@ -124,12 +123,13 @@ function remove($session_id)
  */
 function destroy()
 {
+    // delete the cookie without any conditions!
+    delete_cookie();
+
     $credentials = read_cookie();
 
     if ($credentials !== false) {
 
-        delete_cookie();
-
         Database::get('db')
              ->table(TABLE)
              ->eq('token', $credentials['token'])
@@ -233,7 +233,9 @@ function decode_cookie($value)
 {
     @list($database, $token, $sequence) = explode('|', $value);
 
-    DatabaseModel\select(base64_decode($database));
+    if (! DatabaseModel\select(base64_decode($database))) {
+        return false;
+    }
 
     return array(
         'token' => $token,

models/user.php

@@ -10,18 +10,15 @@ use Model\RememberMe;
 use Model\Database as DatabaseModel;
 
 // Check if the user is logged
-function is_logged()
+function is_loggedin()
 {
     return ! empty($_SESSION['user']);
 }
 
-// Check if the logged user is the right one
+function logout()
-function is_user_session()
 {
-    return Database::get('db')
+    \Model\RememberMe\destroy();
-        ->table('config')
+    \PicoFarad\Session\close();
-        ->eq('username', $_SESSION['user']['username'])
-        ->count() === 1;
 }
 
 // Get a user by username