Fix database hijacking
Check if a requested database can be selected. Error out if not. This prevents automatic fallbacks to the default database. Remove the authorized information from the session if a new database gets selected. Factor out logout function to reuse existing code.
This commit is contained in:
parent
32393d17af
commit
cfd03efc01
@ -11,31 +11,26 @@ Router\before(function($action) {
|
||||
|
||||
Session\open(BASE_URL_DIRECTORY, SESSION_SAVE_PATH);
|
||||
|
||||
// Select another database
|
||||
// Select the requested database. If it fails, logout to destroy session and
|
||||
// 'remember me' cookie
|
||||
if (! empty($_SESSION['database'])) {
|
||||
Model\Database\select($_SESSION['database']);
|
||||
}
|
||||
|
||||
// Authentication
|
||||
if (Model\User\is_logged()) {
|
||||
|
||||
if (! Model\User\is_user_session()) {
|
||||
Session\close();
|
||||
if (! Model\Database\select($_SESSION['database'])) {
|
||||
Model\User\logout();
|
||||
Response\redirect('?action=login');
|
||||
}
|
||||
|
||||
if (Model\RememberMe\has_cookie()) {
|
||||
Model\RememberMe\refresh();
|
||||
}
|
||||
}
|
||||
else {
|
||||
|
||||
if (! in_array($action, array('login', 'bookmark-feed', 'select-db'))) {
|
||||
// These actions are considered to be safe even for unauthenticated users
|
||||
$safe_actions = array('login', 'bookmark-feed', 'select-db', 'logout', 'notfound');
|
||||
|
||||
if ( ! Model\User\is_loggedin() && ! in_array($action, $safe_actions)) {
|
||||
if (! Model\RememberMe\authenticate()) {
|
||||
Model\User\logout();
|
||||
Response\redirect('?action=login');
|
||||
}
|
||||
}
|
||||
else if (Model\RememberMe\has_cookie()) {
|
||||
Model\RememberMe\refresh();
|
||||
}
|
||||
|
||||
// Load translations
|
||||
|
@ -17,7 +17,9 @@ else {
|
||||
}
|
||||
|
||||
if (! empty($options['database'])) {
|
||||
Model\Database\select($options['database']);
|
||||
if (! Model\Database\select($options['database'])) {
|
||||
die("Database ".$options['database']." not found\r\n");
|
||||
}
|
||||
}
|
||||
|
||||
$limit = ! empty($options['limit']) && ctype_digit($options['limit']) ? (int) $options['limit'] : Model\Feed\LIMIT_ALL;
|
||||
|
@ -30,7 +30,13 @@ function response(array $response)
|
||||
function auth()
|
||||
{
|
||||
if (! empty($_GET['database'])) {
|
||||
Model\Database\select($_GET['database']);
|
||||
if (! Model\Database\select($_GET['database'])) {
|
||||
// return unauthorized if the requested database could not be found
|
||||
return array(
|
||||
'api_version' => 3,
|
||||
'auth' => 0,
|
||||
);
|
||||
}
|
||||
}
|
||||
|
||||
$credentials = Database::get('db')->table('config')
|
||||
|
@ -36,10 +36,26 @@ function select($filename = '')
|
||||
{
|
||||
static $current_filename = DB_FILENAME;
|
||||
|
||||
if (ENABLE_MULTIPLE_DB && $filename !== '' && in_array($filename, get_all())) {
|
||||
// function gets called with a filename at least once the database
|
||||
// connection is established
|
||||
if ($filename !== '') {
|
||||
if (ENABLE_MULTIPLE_DB && in_array($filename, get_all())) {
|
||||
$current_filename = $filename;
|
||||
|
||||
// unset the authenticated flag if the database is changed
|
||||
if (empty($_SESSION['database']) || $_SESSION['database'] !== $filename) {
|
||||
if (isset($_SESSION)) {
|
||||
unset($_SESSION['user']);
|
||||
}
|
||||
|
||||
$_SESSION['database'] = $filename;
|
||||
$_SESSION['config'] = \Model\Config\get_all();
|
||||
}
|
||||
}
|
||||
else {
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
||||
return $current_filename;
|
||||
}
|
||||
|
@ -67,7 +67,6 @@ function authenticate()
|
||||
|
||||
// Create the session
|
||||
$_SESSION['user'] = User\get($record['username']);
|
||||
$_SESSION['config'] = Config\get_all();
|
||||
|
||||
return true;
|
||||
}
|
||||
@ -124,12 +123,13 @@ function remove($session_id)
|
||||
*/
|
||||
function destroy()
|
||||
{
|
||||
// delete the cookie without any conditions!
|
||||
delete_cookie();
|
||||
|
||||
$credentials = read_cookie();
|
||||
|
||||
if ($credentials !== false) {
|
||||
|
||||
delete_cookie();
|
||||
|
||||
Database::get('db')
|
||||
->table(TABLE)
|
||||
->eq('token', $credentials['token'])
|
||||
@ -233,7 +233,9 @@ function decode_cookie($value)
|
||||
{
|
||||
@list($database, $token, $sequence) = explode('|', $value);
|
||||
|
||||
DatabaseModel\select(base64_decode($database));
|
||||
if (! DatabaseModel\select(base64_decode($database))) {
|
||||
return false;
|
||||
}
|
||||
|
||||
return array(
|
||||
'token' => $token,
|
||||
|
@ -10,18 +10,15 @@ use Model\RememberMe;
|
||||
use Model\Database as DatabaseModel;
|
||||
|
||||
// Check if the user is logged
|
||||
function is_logged()
|
||||
function is_loggedin()
|
||||
{
|
||||
return ! empty($_SESSION['user']);
|
||||
}
|
||||
|
||||
// Check if the logged user is the right one
|
||||
function is_user_session()
|
||||
function logout()
|
||||
{
|
||||
return Database::get('db')
|
||||
->table('config')
|
||||
->eq('username', $_SESSION['user']['username'])
|
||||
->count() === 1;
|
||||
\Model\RememberMe\destroy();
|
||||
\PicoFarad\Session\close();
|
||||
}
|
||||
|
||||
// Get a user by username
|
||||
|
Loading…
Reference in New Issue
Block a user