Fix database hijacking

Check if a requested database can be selected. Error out if not. This prevents automatic fallbacks to the default database. Remove the authorized information from the session if a new database gets selected. Factor out logout function to reuse existing code.
2015-01-17 19:35:59 +01:00 · 2015-01-17 19:35:59 +01:00 · cfd03efc01
commit cfd03efc01
parent 32393d17af
6 changed files with 53 additions and 35 deletions
--- a/controllers/common.php
+++ b/controllers/common.php
@ -11,31 +11,26 @@ Router\before(function($action) {

    Session\open(BASE_URL_DIRECTORY, SESSION_SAVE_PATH);

-    // Select another database
+    // Select the requested database. If it fails, logout to destroy session and
+    // 'remember me' cookie
    if (! empty($_SESSION['database'])) {
-        Model\Database\select($_SESSION['database']);
-    }
-
-    // Authentication
-    if (Model\User\is_logged()) {
-
-        if (! Model\User\is_user_session()) {
-            Session\close();
+        if (! Model\Database\select($_SESSION['database'])) {
+            Model\User\logout();
            Response\redirect('?action=login');
        }
+    }

-        if (Model\RememberMe\has_cookie()) {
-            Model\RememberMe\refresh();
+    // These actions are considered to be safe even for unauthenticated users
+    $safe_actions = array('login', 'bookmark-feed', 'select-db', 'logout', 'notfound');
+
+    if ( ! Model\User\is_loggedin() && ! in_array($action, $safe_actions)) {
+        if (! Model\RememberMe\authenticate()) {
+            Model\User\logout();
+            Response\redirect('?action=login');
        }
    }
-    else {
-
-        if (! in_array($action, array('login', 'bookmark-feed', 'select-db'))) {
-
-            if (! Model\RememberMe\authenticate()) {
-               Response\redirect('?action=login');
-            }
-        }
+    else if (Model\RememberMe\has_cookie()) {
+        Model\RememberMe\refresh();
    }

    // Load translations
--- a/cronjob.php
+++ b/cronjob.php
@ -17,7 +17,9 @@ else {
 }

 if (! empty($options['database'])) {
-    Model\Database\select($options['database']);
+    if (! Model\Database\select($options['database'])) {
+        die("Database ".$options['database']." not found\r\n");
+    }
 }

 $limit = ! empty($options['limit']) && ctype_digit($options['limit']) ? (int) $options['limit'] : Model\Feed\LIMIT_ALL;
--- a/fever/index.php
+++ b/fever/index.php
@ -30,7 +30,13 @@ function response(array $response)
 function auth()
 {
    if (! empty($_GET['database'])) {
-        Model\Database\select($_GET['database']);
+        if (! Model\Database\select($_GET['database'])) {
+            // return unauthorized if the requested database could not be found
+            return array(
+                'api_version' => 3,
+                'auth' => 0,
+            );
+        }
    }

    $credentials = Database::get('db')->table('config')
--- a/models/database.php
+++ b/models/database.php
@ -36,9 +36,25 @@ function select($filename = '')
 {
    static $current_filename = DB_FILENAME;

-    if (ENABLE_MULTIPLE_DB && $filename !== '' && in_array($filename, get_all())) {
-        $current_filename = $filename;
-        $_SESSION['config'] = \Model\Config\get_all();
+    // function gets called with a filename at least once the database
+    // connection is established
+    if ($filename !== '') {
+        if (ENABLE_MULTIPLE_DB && in_array($filename, get_all())) {
+            $current_filename = $filename;
+
+            // unset the authenticated flag if the database is changed
+            if (empty($_SESSION['database']) || $_SESSION['database'] !== $filename) {
+                if (isset($_SESSION)) {
+                    unset($_SESSION['user']);
+                }
+
+                $_SESSION['database'] = $filename;
+                $_SESSION['config'] = \Model\Config\get_all();
+            }
+        }
+        else {
+            return false;
+        }
    }

    return $current_filename;
--- a/models/remember_me.php
+++ b/models/remember_me.php
@ -67,7 +67,6 @@ function authenticate()

            // Create the session
            $_SESSION['user'] = User\get($record['username']);
-            $_SESSION['config'] = Config\get_all();

            return true;
        }
@ -124,12 +123,13 @@ function remove($session_id)
 */
 function destroy()
 {
+    // delete the cookie without any conditions!
+    delete_cookie();
+
    $credentials = read_cookie();

    if ($credentials !== false) {

-        delete_cookie();
-
        Database::get('db')
             ->table(TABLE)
             ->eq('token', $credentials['token'])
@ -233,7 +233,9 @@ function decode_cookie($value)
 {
    @list($database, $token, $sequence) = explode('|', $value);

-    DatabaseModel\select(base64_decode($database));
+    if (! DatabaseModel\select(base64_decode($database))) {
+        return false;
+    }

    return array(
        'token' => $token,
--- a/models/user.php
+++ b/models/user.php
@ -10,18 +10,15 @@ use Model\RememberMe;
 use Model\Database as DatabaseModel;

 // Check if the user is logged
-function is_logged()
+function is_loggedin()
 {
    return ! empty($_SESSION['user']);
 }

-// Check if the logged user is the right one
-function is_user_session()
+function logout()
 {
-    return Database::get('db')
-        ->table('config')
-        ->eq('username', $_SESSION['user']['username'])
-        ->count() === 1;
+    \Model\RememberMe\destroy();
+    \PicoFarad\Session\close();
 }

 // Get a user by username