fix: Security bug in session env
This commit is contained in:
JT Smith
parent
63b22dc502
commit
a440cb5f41
10 changed files with 30 additions and 16 deletions
|
|
@ -66,13 +66,26 @@ The name of the variable.
|
|||
sub get {
|
||||
my $self = shift;
|
||||
my $var = shift;
|
||||
if ($var eq "REMOTE_ADDR" && $self->{_env}{HTTP_X_FORWARDED_FOR} ne "") {
|
||||
return $self->{_env}{HTTP_X_FORWARDED_FOR};
|
||||
}
|
||||
return $self->{_env}{$var};
|
||||
}
|
||||
|
||||
|
||||
#-------------------------------------------------------------------
|
||||
|
||||
=head2 getIp ( )
|
||||
|
||||
Returns the user's real IP address. Normally this is REMOTE_ADDR, but if they go through a proxy server it might be in HTTP_X_FORWARDED_FOR. This method attempts to figure out what the most likely IP is for the user. Note that it's possible to spoof this and therefore shouldn't be used as your only security mechanism for validating a user.
|
||||
=cut
|
||||
|
||||
sub getIp {
|
||||
my $self = shift;
|
||||
if ($self->get("HTTP_X_FORWARDED_FOR") =~ m/(\d+\.\d+\.\d+\.\d+)/) {
|
||||
return $1;
|
||||
}
|
||||
return $self->get("REMOTE_ADDR");
|
||||
}
|
||||
|
||||
|
||||
#-------------------------------------------------------------------
|
||||
|
||||
=head2 new ( )
|
||||
|
|
|
|||
|
|
@ -90,7 +90,7 @@ sub canShowDebug {
|
|||
my $ips = $self->session->setting->get("debugIp");
|
||||
$ips =~ s/\s+//g;
|
||||
my @ips = split(",", $ips);
|
||||
my $ok = WebGUI::Utility::isInSubnet($self->session->env->get("REMOTE_ADDR"), [ @ips] );
|
||||
my $ok = WebGUI::Utility::isInSubnet($self->session->env->getIp, [ @ips] );
|
||||
return $ok;
|
||||
}
|
||||
|
||||
|
|
@ -105,7 +105,7 @@ Returns true if the user meets the conditions to see performance indicators and
|
|||
sub canShowPerformanceIndicators {
|
||||
my $self = shift;
|
||||
my $mask = $self->session->setting->get("debugIp");
|
||||
my $ip = $self->session->env->get("REMOTE_ADDR");
|
||||
my $ip = $self->session->env->getIp;
|
||||
return (
|
||||
(
|
||||
$self->session->setting->get("showPerformanceIndicators")
|
||||
|
|
@ -331,7 +331,7 @@ sub security {
|
|||
my $self = shift;
|
||||
my $message = shift;
|
||||
$self->warn($self->session->user->username." (".$self->session->user->userId.") connecting from "
|
||||
.$self->session->env->get("REMOTE_ADDR")." attempted to ".$message);
|
||||
.$self->session->env->getIp." attempted to ".$message);
|
||||
}
|
||||
|
||||
|
||||
|
|
|
|||
|
|
@ -181,7 +181,7 @@ sub new {
|
|||
$self->start(1,$sessionId);
|
||||
} elsif ($self->{_var}{sessionId} ne "") {
|
||||
$self->{_var}{lastPageView} = $session->datetime->time();
|
||||
$self->{_var}{lastIP} = $session->env->get("REMOTE_ADDR");
|
||||
$self->{_var}{lastIP} = $session->env->getIp;
|
||||
$self->{_var}{expires} = $session->datetime->time() + $session->setting->get("sessionTimeout");
|
||||
$self->session->{_sessionId} = $self->{_var}{sessionId};
|
||||
$session->db->setRow("userSession","sessionId",$self->{_var});
|
||||
|
|
@ -232,7 +232,7 @@ sub start {
|
|||
$self->{_var} = {
|
||||
expires=>$self->session->datetime->time() + $self->session->setting->get("sessionTimeout"),
|
||||
lastPageView=>$self->session->datetime->time(),
|
||||
lastIP => $self->session->env->get("REMOTE_ADDR"),
|
||||
lastIP => $self->session->env->getIp,
|
||||
adminOn => 0,
|
||||
userId => $userId
|
||||
};
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue