Fix database hijacking

Check if a requested database can be selected. Error out if not.
This prevents automatic fallbacks to the default database.

Remove the authorized information from the session if a new database
gets selected.

Factor out logout function to reuse existing code.
This commit is contained in:
Mathias Kresin 2015-01-17 19:35:59 +01:00
parent 32393d17af
commit cfd03efc01
6 changed files with 53 additions and 35 deletions

View File

@ -11,31 +11,26 @@ Router\before(function($action) {
Session\open(BASE_URL_DIRECTORY, SESSION_SAVE_PATH);
// Select another database
// Select the requested database. If it fails, logout to destroy session and
// 'remember me' cookie
if (! empty($_SESSION['database'])) {
Model\Database\select($_SESSION['database']);
}
// Authentication
if (Model\User\is_logged()) {
if (! Model\User\is_user_session()) {
Session\close();
if (! Model\Database\select($_SESSION['database'])) {
Model\User\logout();
Response\redirect('?action=login');
}
if (Model\RememberMe\has_cookie()) {
Model\RememberMe\refresh();
}
}
else {
if (! in_array($action, array('login', 'bookmark-feed', 'select-db'))) {
// These actions are considered to be safe even for unauthenticated users
$safe_actions = array('login', 'bookmark-feed', 'select-db', 'logout', 'notfound');
if ( ! Model\User\is_loggedin() && ! in_array($action, $safe_actions)) {
if (! Model\RememberMe\authenticate()) {
Model\User\logout();
Response\redirect('?action=login');
}
}
else if (Model\RememberMe\has_cookie()) {
Model\RememberMe\refresh();
}
// Load translations

View File

@ -17,7 +17,9 @@ else {
}
if (! empty($options['database'])) {
Model\Database\select($options['database']);
if (! Model\Database\select($options['database'])) {
die("Database ".$options['database']." not found\r\n");
}
}
$limit = ! empty($options['limit']) && ctype_digit($options['limit']) ? (int) $options['limit'] : Model\Feed\LIMIT_ALL;

View File

@ -30,7 +30,13 @@ function response(array $response)
function auth()
{
if (! empty($_GET['database'])) {
Model\Database\select($_GET['database']);
if (! Model\Database\select($_GET['database'])) {
// return unauthorized if the requested database could not be found
return array(
'api_version' => 3,
'auth' => 0,
);
}
}
$credentials = Database::get('db')->table('config')

View File

@ -36,10 +36,26 @@ function select($filename = '')
{
static $current_filename = DB_FILENAME;
if (ENABLE_MULTIPLE_DB && $filename !== '' && in_array($filename, get_all())) {
// function gets called with a filename at least once the database
// connection is established
if ($filename !== '') {
if (ENABLE_MULTIPLE_DB && in_array($filename, get_all())) {
$current_filename = $filename;
// unset the authenticated flag if the database is changed
if (empty($_SESSION['database']) || $_SESSION['database'] !== $filename) {
if (isset($_SESSION)) {
unset($_SESSION['user']);
}
$_SESSION['database'] = $filename;
$_SESSION['config'] = \Model\Config\get_all();
}
}
else {
return false;
}
}
return $current_filename;
}

View File

@ -67,7 +67,6 @@ function authenticate()
// Create the session
$_SESSION['user'] = User\get($record['username']);
$_SESSION['config'] = Config\get_all();
return true;
}
@ -124,12 +123,13 @@ function remove($session_id)
*/
function destroy()
{
// delete the cookie without any conditions!
delete_cookie();
$credentials = read_cookie();
if ($credentials !== false) {
delete_cookie();
Database::get('db')
->table(TABLE)
->eq('token', $credentials['token'])
@ -233,7 +233,9 @@ function decode_cookie($value)
{
@list($database, $token, $sequence) = explode('|', $value);
DatabaseModel\select(base64_decode($database));
if (! DatabaseModel\select(base64_decode($database))) {
return false;
}
return array(
'token' => $token,

View File

@ -10,18 +10,15 @@ use Model\RememberMe;
use Model\Database as DatabaseModel;
// Check if the user is logged
function is_logged()
function is_loggedin()
{
return ! empty($_SESSION['user']);
}
// Check if the logged user is the right one
function is_user_session()
function logout()
{
return Database::get('db')
->table('config')
->eq('username', $_SESSION['user']['username'])
->count() === 1;
\Model\RememberMe\destroy();
\PicoFarad\Session\close();
}
// Get a user by username