fix: Security bug in session env

2006-07-11 20:32:46 +00:00 · 2006-07-11 20:32:46 +00:00 · a440cb5f41
commit a440cb5f41
parent 63b22dc502
10 changed files with 30 additions and 16 deletions
--- a/docs/changelog/7.x.x.txt
+++ b/docs/changelog/7.x.x.txt
@ -17,6 +17,7 @@
 - fix: Add missing page on Problem With Request
 - fix: Avatar/photo upload not working
 - fix: Shortcut with content lock fails (Thanks to Michelle Lamar)
+ - fix: Security bug in session env


 7.0.0
--- a/lib/WebGUI/Asset/Post.pm
+++ b/lib/WebGUI/Asset/Post.pm
@ -532,7 +532,7 @@ sub hasRated {
        return 1 if $self->isPoster;
 	my $flag = 0;
 	if ($self->session->user->userId eq "1") {
-        	($flag) = $self->session->db->quickArray("select count(*) from Post_rating where assetId=? and ipAddress=?",[$self->getId, $self->session->env->get("REMOTE_ADDR")]);
+        	($flag) = $self->session->db->quickArray("select count(*) from Post_rating where assetId=? and ipAddress=?",[$self->getId, $self->session->env->getIp]);
 	} else {
        	($flag) = $self->session->db->quickArray("select count(*) from Post_rating where assetId=? and userId=?",[$self->getId, $self->session->user->userId]);
 	}
@ -776,7 +776,7 @@ sub rate {
 	return undef unless ($rating == -1 || $rating == 1);
 	unless ($self->hasRated) {
        	$self->session->db->write("insert into Post_rating (assetId,userId,ipAddress,dateOfRating,rating) values ("
-                	.$self->session->db->quote($self->getId).", ".$self->session->db->quote($self->session->user->userId).", ".$self->session->db->quote($self->session->env->get("REMOTE_ADDR")).",
+                	.$self->session->db->quote($self->getId).", ".$self->session->db->quote($self->session->user->userId).", ".$self->session->db->quote($self->session->env->getIp).",
 			".$self->session->datetime->time().", ".$self->session->db->quote($rating).")");
        	my ($sum) = $self->session->db->quickArray("select sum(rating) from Post_rating where assetId=".$self->session->db->quote($self->getId));
        	$self->update({rating=>$sum});
--- a/lib/WebGUI/Asset/Post/Thread.pm
+++ b/lib/WebGUI/Asset/Post/Thread.pm
@ -553,7 +553,7 @@ sub rate {
 	return undef unless ($rating == -1 || $rating == 1);
 	unless ($self->hasRated) {
 		$self->session->db->write("insert into Post_rating (assetId,userId,ipAddress,dateOfRating,rating) values ("
-			.$self->session->db->quote($self->getId).", ".$self->session->db->quote($self->session->user->userId).", ".$self->session->db->quote($self->session->env->get("REMOTE_ADDR")).",
+			.$self->session->db->quote($self->getId).", ".$self->session->db->quote($self->session->user->userId).", ".$self->session->db->quote($self->session->env->getIp).",
 		".$self->session->datetime->time().", ".$self->session->db->quote($rating).")");
 		my ($sum) = $self->session->db->quickArray("select sum(Post.rating) from Post left join asset on Post.assetId=asset.assetId where Post.threadId=".$self->session->db->quote($self->getId)." and Post.rating>0");
 		$self->update({rating=>$sum});
--- a/lib/WebGUI/Asset/Wobject/DataForm.pm
+++ b/lib/WebGUI/Asset/Wobject/DataForm.pm
@ -1091,7 +1091,7 @@ sub www_process {
                assetId=>$self->getId,
                userId=>$self->session->user->userId,
                username=>$self->session->user->username,
-                ipAddress=>$self->session->env->get("REMOTE_ADDR"),
+                ipAddress=>$self->session->env->getIp,
                submissionDate=>$self->session->datetime->time()
 		},0);
 	my ($var, %row, @errors, $updating, $hadErrors);
--- a/lib/WebGUI/Asset/Wobject/Poll.pm
+++ b/lib/WebGUI/Asset/Wobject/Poll.pm
@ -28,7 +28,7 @@ sub _hasVoted {
 	my $self = shift;
 	my ($hasVoted) = $self->session->db->quickArray("select count(*) from Poll_answer 
 		where assetId=".$self->session->db->quote($self->getId)." and ((userId=".$self->session->db->quote($self->session->user->userId)."
-		and userId<>'1') or (userId=".$self->session->db->quote($self->session->user->userId)." and ipAddress='".$self->session->env->get("REMOTE_ADDR")."'))");
+		and userId<>'1') or (userId=".$self->session->db->quote($self->session->user->userId)." and ipAddress='".$self->session->env->getIp."'))");
 	return $hasVoted;
 }

@ -412,7 +412,7 @@ sub www_vote {
 	my $self = shift;
 	my $u;
        if ($self->session->form->process("answer") ne "" && $self->session->user->isInGroup($self->get("voteGroup")) && !($self->_hasVoted())) {
-        	$self->setVote($self->session->form->process("answer"),$self->session->user->userId,$self->session->env->get("REMOTE_ADDR"));
+        	$self->setVote($self->session->form->process("answer"),$self->session->user->userId,$self->session->env->getIp);
 		if ($self->session->setting->get("useKarma")) {
 			$self->session->user->karma($self->get("karmaPerVote"),"Poll (".$self->getId.")","Voted on this poll.");
 		}
--- a/lib/WebGUI/Asset/Wobject/Survey.pm
+++ b/lib/WebGUI/Asset/Wobject/Survey.pm
@ -322,7 +322,7 @@ sub getEditForm {
 #-------------------------------------------------------------------
 sub getIp {
 	my $self = shift;
-	my $ip = ($self->get("anonymous")) ? substr(md5_hex($self->session->env->get("REMOTE_ADDR")),0,8) : $self->session->env->get("REMOTE_ADDR");
+	my $ip = ($self->get("anonymous")) ? substr(md5_hex($self->session->env->getIp),0,8) : $self->session->env->getIp;
 	return $ip;
 }

--- a/lib/WebGUI/Auth.pm
+++ b/lib/WebGUI/Auth.pm
@ -94,7 +94,7 @@ sub _isValidUsername {
 sub _logLogin {
 	my $self = shift;
 	$self->session->db->write("insert into userLoginLog values (".$self->session->db->quote($_[0]).",".$self->session->db->quote($_[1]).",".$self->session->datetime->time().","
-	.$self->session->db->quote($self->session->env->get("REMOTE_ADDR")).",".$self->session->db->quote($self->session->env->get("HTTP_USER_AGENT")).")");
+	.$self->session->db->quote($self->session->env->getIp).",".$self->session->db->quote($self->session->env->get("HTTP_USER_AGENT")).")");
 }


--- a/lib/WebGUI/Session/Env.pm
+++ b/lib/WebGUI/Session/Env.pm
@ -66,13 +66,26 @@ The name of the variable.
 sub get {
 	my $self = shift;
 	my $var = shift;
-        if ($var eq "REMOTE_ADDR" && $self->{_env}{HTTP_X_FORWARDED_FOR} ne "") {
-                return $self->{_env}{HTTP_X_FORWARDED_FOR};
-        }
 	return $self->{_env}{$var};
 }


+#-------------------------------------------------------------------
+
+=head2 getIp ( )
+
+Returns the user's real IP address. Normally this is REMOTE_ADDR, but if they go through a proxy server it might be in HTTP_X_FORWARDED_FOR. This method attempts to figure out what the most likely IP is for the user. Note that it's possible to spoof this and therefore shouldn't be used as your only security mechanism for validating a user.
+=cut
+
+sub getIp {
+	my $self = shift;
+        if ($self->get("HTTP_X_FORWARDED_FOR") =~ m/(\d+\.\d+\.\d+\.\d+)/) {
+                return $1;
+        } 
+	return $self->get("REMOTE_ADDR");
+}
+
+
 #-------------------------------------------------------------------

 =head2 new ( )
--- a/lib/WebGUI/Session/ErrorHandler.pm
+++ b/lib/WebGUI/Session/ErrorHandler.pm
@ -90,7 +90,7 @@ sub canShowDebug {
 	my $ips = $self->session->setting->get("debugIp");
 	$ips =~ s/\s+//g;
 	my @ips = split(",", $ips);
-	my $ok = WebGUI::Utility::isInSubnet($self->session->env->get("REMOTE_ADDR"), [ @ips] );
+	my $ok = WebGUI::Utility::isInSubnet($self->session->env->getIp, [ @ips] );
 	return $ok;
 }

@ -105,7 +105,7 @@ Returns true if the user meets the conditions to see performance indicators and
 sub canShowPerformanceIndicators {
 	my $self = shift;
 	my $mask = $self->session->setting->get("debugIp");
-	my $ip = $self->session->env->get("REMOTE_ADDR");
+	my $ip = $self->session->env->getIp;
       	return (
 			(
 				$self->session->setting->get("showPerformanceIndicators")
@ -331,7 +331,7 @@ sub security {
 	my $self = shift;
 	my $message = shift;
 	$self->warn($self->session->user->username." (".$self->session->user->userId.") connecting from "
-	.$self->session->env->get("REMOTE_ADDR")." attempted to ".$message);
+	.$self->session->env->getIp." attempted to ".$message);
 }


--- a/lib/WebGUI/Session/Var.pm
+++ b/lib/WebGUI/Session/Var.pm
@ -181,7 +181,7 @@ sub new {
 			$self->start(1,$sessionId);
 		} elsif ($self->{_var}{sessionId} ne "") {
 			$self->{_var}{lastPageView} = $session->datetime->time();
-			$self->{_var}{lastIP} = $session->env->get("REMOTE_ADDR");
+			$self->{_var}{lastIP} = $session->env->getIp;
 			$self->{_var}{expires} = $session->datetime->time() + $session->setting->get("sessionTimeout");
 			$self->session->{_sessionId} = $self->{_var}{sessionId};
 			$session->db->setRow("userSession","sessionId",$self->{_var});
@ -232,7 +232,7 @@ sub start {
 	$self->{_var} = {
 		expires=>$self->session->datetime->time() + $self->session->setting->get("sessionTimeout"),
 		lastPageView=>$self->session->datetime->time(),
-		lastIP => $self->session->env->get("REMOTE_ADDR"),
+		lastIP => $self->session->env->getIp,
 		adminOn => 0,
 		userId => $userId
 	};