Fix database hijacking

Check if a requested database can be selected. Error out if not. This prevents automatic fallbacks to the default database. Remove the authorized information from the session if a new database gets selected. Factor out logout function to reuse existing code.
2015-01-17 19:35:59 +01:00 · 2015-01-17 19:35:59 +01:00 · cfd03efc01
parent 32393d17af
commit cfd03efc01
6 changed files with 53 additions and 35 deletions
--- a/controllers/common.php
+++ b/controllers/common.php
@ -11,31 +11,26 @@ Router\before(function($action) {
    Session\open(BASE_URL_DIRECTORY, SESSION_SAVE_PATH);
-    // Select another database
+    // Select the requested database. If it fails, logout to destroy session and
    // 'remember me' cookie
    if (! empty($_SESSION['database'])) {
-        Model\Database\select($_SESSION['database']);
+        if (! Model\Database\select($_SESSION['database'])) {
-    }
+            Model\User\logout();
    // Authentication
    if (Model\User\is_logged()) {
        if (! Model\User\is_user_session()) {
            Session\close();
            Response\redirect('?action=login');
        }
    }
-        if (Model\RememberMe\has_cookie()) {
+    // These actions are considered to be safe even for unauthenticated users
-            Model\RememberMe\refresh();
+    $safe_actions = array('login', 'bookmark-feed', 'select-db', 'logout', 'notfound');
    if ( ! Model\User\is_loggedin() && ! in_array($action, $safe_actions)) {
        if (! Model\RememberMe\authenticate()) {
            Model\User\logout();
            Response\redirect('?action=login');
        }
    }
-    else {
+    else if (Model\RememberMe\has_cookie()) {
-
+        Model\RememberMe\refresh();
        if (! in_array($action, array('login', 'bookmark-feed', 'select-db'))) {
            if (! Model\RememberMe\authenticate()) {
               Response\redirect('?action=login');
            }
        }
    }
    // Load translations
--- a/cronjob.php
+++ b/cronjob.php
@ -17,7 +17,9 @@ else {
 }
 if (! empty($options['database'])) {
-    Model\Database\select($options['database']);
+    if (! Model\Database\select($options['database'])) {
        die("Database ".$options['database']." not found\r\n");
    }
 }
 $limit = ! empty($options['limit']) && ctype_digit($options['limit']) ? (int) $options['limit'] : Model\Feed\LIMIT_ALL;
--- a/fever/index.php
+++ b/fever/index.php
@ -30,7 +30,13 @@ function response(array $response)
 function auth()
 {
    if (! empty($_GET['database'])) {
-        Model\Database\select($_GET['database']);
+        if (! Model\Database\select($_GET['database'])) {
            // return unauthorized if the requested database could not be found
            return array(
                'api_version' => 3,
                'auth' => 0,
            );
        }
    }
    $credentials = Database::get('db')->table('config')
--- a/models/database.php
+++ b/models/database.php
@ -36,9 +36,25 @@ function select($filename = '')
 {
    static $current_filename = DB_FILENAME;
-    if (ENABLE_MULTIPLE_DB && $filename !== '' && in_array($filename, get_all())) {
+    // function gets called with a filename at least once the database
-        $current_filename = $filename;
+    // connection is established
-        $_SESSION['config'] = \Model\Config\get_all();
+    if ($filename !== '') {
        if (ENABLE_MULTIPLE_DB && in_array($filename, get_all())) {
            $current_filename = $filename;
            // unset the authenticated flag if the database is changed
            if (empty($_SESSION['database']) || $_SESSION['database'] !== $filename) {
                if (isset($_SESSION)) {
                    unset($_SESSION['user']);
                }
                $_SESSION['database'] = $filename;
                $_SESSION['config'] = \Model\Config\get_all();
            }
        }
        else {
            return false;
        }
    }
    return $current_filename;
--- a/models/remember_me.php
+++ b/models/remember_me.php
@ -67,7 +67,6 @@ function authenticate()
            // Create the session
            $_SESSION['user'] = User\get($record['username']);
            $_SESSION['config'] = Config\get_all();
            return true;
        }
@ -124,12 +123,13 @@ function remove($session_id)
 */
 function destroy()
 {
    // delete the cookie without any conditions!
    delete_cookie();
    $credentials = read_cookie();
    if ($credentials !== false) {
        delete_cookie();
        Database::get('db')
             ->table(TABLE)
             ->eq('token', $credentials['token'])
@ -233,7 +233,9 @@ function decode_cookie($value)
 {
    @list($database, $token, $sequence) = explode('|', $value);
-    DatabaseModel\select(base64_decode($database));
+    if (! DatabaseModel\select(base64_decode($database))) {
        return false;
    }
    return array(
        'token' => $token,
--- a/models/user.php
+++ b/models/user.php
@ -10,18 +10,15 @@ use Model\RememberMe;
 use Model\Database as DatabaseModel;
 // Check if the user is logged
-function is_logged()
+function is_loggedin()
 {
    return ! empty($_SESSION['user']);
 }
-// Check if the logged user is the right one
+function logout()
 function is_user_session()
 {
-    return Database::get('db')
+    \Model\RememberMe\destroy();
-        ->table('config')
+    \PicoFarad\Session\close();
        ->eq('username', $_SESSION['user']['username'])
        ->count() === 1;
 }
 // Get a user by username