added some security improvements
This commit is contained in:
parent
ffd532dcf1
commit
e324246158
6 changed files with 41 additions and 29 deletions
|
|
@ -7,6 +7,15 @@
|
|||
- Added missing SQL Report help.
|
||||
- Changed the pagination template variables on SQL Report, Article, File
|
||||
Manager and USS to the standard pagination variables.
|
||||
- A very special thanks to Len Kranendonk for the following security
|
||||
improvements.
|
||||
- Disabled anonymous registration by default for better security.
|
||||
- Set session timeout to 1 hour by default for better security.
|
||||
- Sessions now auto end themselves if they are used after their
|
||||
expires timeout and before the scheduler has cleaned them up.
|
||||
- Macros are now negated on user profile fields and authentication
|
||||
fields.
|
||||
|
||||
|
||||
|
||||
6.0.1
|
||||
|
|
|
|||
|
|
@ -17969,4 +17969,8 @@ INSERT INTO wobject VALUES (5,1001,'USS',2,'Your Next Step',0,' To learn more ab
|
|||
INSERT INTO wobject VALUES (6,1002,'SyndicatedContent',1,'The Latest News',0,'This is the latest news from Plain Black and WebGUI pulled directly from the site every hour.',1076708567,3,1076709040,3,1,946710000,2082783600,NULL,NULL,NULL,NULL,NULL,0,NULL,NULL,NULL,1000,3,3,7,NULL);
|
||||
INSERT INTO wobject VALUES (7,1003,'DataForm',1,'Tell A Friend',0,'Tell a friend about WebGUI.',1076709292,3,1076709522,3,1,946710000,2082783600,NULL,NULL,NULL,NULL,NULL,0,NULL,NULL,NULL,1,3,3,7,NULL);
|
||||
INSERT INTO wobject VALUES (8,1004,'SiteMap',0,'Site Map',0,'',1001744792,3,1016077239,3,1,1001744792,1336444487,NULL,NULL,NULL,NULL,NULL,0,NULL,NULL,NULL,2,3,3,7,NULL);
|
||||
update settings set value=0 where name='anonymousRegistration';
|
||||
update settings set value=3600 where name='sessionTimeout';
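Review bot: The two `update settings ...` statements appended at the end of the hunk only take effect if the `anonymousRegistration` and `sessionTimeout` rows are inserted earlier in this create script (not visible here); if those rows come later in the file or are missing, the updates silently affect zero rows and the new defaults never apply on a fresh install. Changing the values in the original insert statements would be more robust than appending updates after the wobject data. Since only the create script is touched, existing installations keep their previous values — consistent with the changelog's "by default" wording, but worth stating there so admins know to change the settings themselves.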
|
||||
|
||||
|
||||
|
||||
|
|
|
|||
|
|
@ -406,33 +406,30 @@ sub displayAccount {
|
|||
=cut
|
||||
|
||||
sub displayLogin {
|
||||
my $self = shift;
|
||||
my $self = shift;
|
||||
my $method = $_[0] || "login";
|
||||
my $vars = $_[1];
|
||||
my $template = $_[2] || 'Auth/'.$self->authMethod.'/Login';
|
||||
|
||||
unless ($session{env}{REQUEST_URI} =~ "displayLogin" || $session{env}{REQUEST_URI} =~ "displayAccount" ||
|
||||
$session{env}{REQUEST_URI} =~ "logout" || $session{env}{REQUEST_URI} =~ "deactivateAccount"){
|
||||
WebGUI::Session::setScratch("redirectAfterLogin",$session{env}{REQUEST_URI});
|
||||
$session{env}{REQUEST_URI} =~ "logout" || $session{env}{REQUEST_URI} =~ "deactivateAccount"){
|
||||
WebGUI::Session::setScratch("redirectAfterLogin",$session{env}{REQUEST_URI});
|
||||
}
|
||||
|
||||
$vars->{title} = WebGUI::International::get(66);
|
||||
$vars->{'login.form.header'} = WebGUI::Form::formHeader({});
|
||||
$vars->{'login.form.header'} = WebGUI::Form::formHeader();
|
||||
if ($session{setting}{encryptLogin}) {
|
||||
$vars->{'login.form.header'} =~ s/http:/https:/;
|
||||
}
|
||||
$vars->{'login.form.hidden'} = WebGUI::Form::hidden({"name"=>"op","value"=>"auth"});
|
||||
$vars->{'login.form.header'} =~ s/http:/https:/;
|
||||
}
|
||||
$vars->{'login.form.hidden'} = WebGUI::Form::hidden({"name"=>"op","value"=>"auth"});
|
||||
$vars->{'login.form.hidden'} .= WebGUI::Form::hidden({"name"=>"method","value"=>$method});
|
||||
$vars->{'login.form.username'} = WebGUI::Form::text({"name"=>"username"});
|
||||
$vars->{'login.form.username.label'} = WebGUI::International::get(50);
|
||||
$vars->{'login.form.password'} = WebGUI::Form::password({"name"=>"identifier"});
|
||||
$vars->{'login.form.password.label'} = WebGUI::International::get(51);
|
||||
$vars->{'login.form.username.label'} = WebGUI::International::get(50);
|
||||
$vars->{'login.form.password'} = WebGUI::Form::password({"name"=>"identifier"});
|
||||
$vars->{'login.form.password.label'} = WebGUI::International::get(51);
|
||||
$vars->{'login.form.submit'} = WebGUI::Form::submit({"value"=>WebGUI::International::get(52)});
|
||||
$vars->{'login.form.footer'} = "</form>";
|
||||
|
||||
$vars->{'anonymousRegistration.isAllowed'} = ($session{setting}{anonymousRegistration});
|
||||
$vars->{'createAccount.url'} = WebGUI::URL::page('op=createAccount');
|
||||
$vars->{'createAccount.label'} = WebGUI::International::get(67);
|
||||
$vars->{'createAccount.url'} = WebGUI::URL::page('op=createAccount');
|
||||
$vars->{'createAccount.label'} = WebGUI::International::get(67);
|
||||
return WebGUI::Template::process(WebGUI::Template::get(1,$template), $vars);
|
||||
}
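Review bot: The guard at the top of displayLogin (`$session{env}{REQUEST_URI} =~ "displayLogin" || ... =~ "logout" || ... =~ "deactivateAccount"`) uses bare strings as unanchored regex patterns, so any request URI that merely contains one of those words — in a page path or an unrelated query value — is treated as a login-flow page and never gets its redirectAfterLogin scratch set, while every other URI is stored verbatim. The ops are elsewhere passed as a query parameter (`WebGUI::URL::page('op=createAccount')` further down), so matching the parameter is more precise, e.g. `unless ($session{env}{REQUEST_URI} =~ m{ \bop=(?:displayLogin|displayAccount|logout|deactivateAccount)\b }x) {` — adjust if REQUEST_URI can carry the op in another form. A comment on the scratch write would also help the consumer: `# stores the raw request URI; the redirect code should still validate it before use`.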
|
||||
|
||||
|
|
@ -745,7 +742,7 @@ sub username {
|
|||
|
||||
sub validUsername {
|
||||
my $self = shift;
|
||||
my $username = $_[0];
|
||||
my $username = WebGUI::Macro::negate($_[0]);
|
||||
my $error = "";
|
||||
|
||||
if($self->_isDuplicateUsername($username)){
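Review bot: `validUsername` negates macros only in its local copy (`my $username = WebGUI::Macro::negate($_[0]);`) and nothing in the hunk hands that copy back to the caller — the sub continues past the hunk accumulating `$error`. If the caller persists the raw `$_[0]` once validation passes, the checked value and the stored value diverge: the duplicate check on the next line runs against the negated name while the saved one keeps the macro syntax. Either negate in the caller before calling, or document the contract here: `# validates a macro-negated copy; callers must store WebGUI::Macro::negate($username), not the raw input`. The same applies to `_isValidPassword` in the other hunk (`my $password = WebGUI::Macro::negate(shift);` and the `$confirm` line), where the negated values are compared with each other but the caller's raw password is presumably what gets stored — confirm the authentication path applies the same negation, otherwise a password containing macro syntax could be set but never matched.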
|
||||
|
|
|
|||
|
|
@ -15,6 +15,7 @@ use strict;
|
|||
use WebGUI::Auth;
|
||||
use WebGUI::DateTime;
|
||||
use WebGUI::HTMLForm;
|
||||
use WebGUI::Macro;
|
||||
use WebGUI::Mail;
|
||||
use WebGUI::Session;
|
||||
use WebGUI::SQL;
|
||||
|
|
@ -33,8 +34,8 @@ our @ISA = qw(WebGUI::Auth);
|
|||
|
||||
sub _isValidPassword {
|
||||
my $self = shift;
|
||||
my $password = shift;
|
||||
my $confirm = shift;
|
||||
my $password = WebGUI::Macro::negate(shift);
|
||||
my $confirm = WebGUI::Macro::negate(shift);
|
||||
my $error = "";
|
||||
|
||||
if ($password ne $confirm) {
|
||||
|
|
@ -244,16 +245,14 @@ sub displayAccount {
|
|||
=cut
|
||||
|
||||
sub displayLogin {
|
||||
my $self = shift;
|
||||
my $vars;
|
||||
return $self->displayAccount($_[0]) if ($self->userId != 1);
|
||||
$vars->{'login.message'} = $_[0] if ($_[0]);
|
||||
$vars->{'recoverPassword.isAllowed'} = $self->getSetting("passwordRecovery");
|
||||
$vars->{'recoverPassword.url'} = WebGUI::URL::page('op=recoverPassword');
|
||||
$vars->{'recoverPassword.label'} = WebGUI::International::get(59);
|
||||
|
||||
|
||||
return $self->SUPER::displayLogin("login",$vars);
|
||||
my $self = shift;
|
||||
my $vars;
|
||||
return $self->displayAccount($_[0]) if ($self->userId != 1);
|
||||
$vars->{'login.message'} = $_[0] if ($_[0]);
|
||||
$vars->{'recoverPassword.isAllowed'} = $self->getSetting("passwordRecovery");
|
||||
$vars->{'recoverPassword.url'} = WebGUI::URL::page('op=recoverPassword');
|
||||
$vars->{'recoverPassword.label'} = WebGUI::International::get(59);
|
||||
return $self->SUPER::displayLogin("login",$vars);
|
||||
}
|
||||
|
||||
#-------------------------------------------------------------------
|
||||
|
|
|
|||
|
|
@ -115,7 +115,7 @@ sub validateProfileData {
|
|||
$a = WebGUI::SQL->read("select * from userProfileField,userProfileCategory where userProfileField.profileCategoryId=userProfileCategory.profileCategoryId
|
||||
and userProfileCategory.editable=1 and userProfileField.editable=1 order by userProfileCategory.sequenceNumber,userProfileField.sequenceNumber");
|
||||
while (%field = $a->hash) {
|
||||
$data{$field{fieldName}} = WebGUI::FormProcessor::process($field{fieldName},$field{dataType});
|
||||
$data{$field{fieldName}} = WebGUI::Macro::negate(WebGUI::FormProcessor::process($field{fieldName},$field{dataType}));
|
||||
if ($field{required} && $data{$field{fieldName}} eq "") {
|
||||
$error .= '<li>'.(eval $field{fieldLabel}).' '.WebGUI::International::get(451);
|
||||
}elsif($field{fieldName} eq "email" && isDuplicateEmail($data{$field{fieldName}})){
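Review bot: The `required` branch two lines below the changed assignment still does `eval $field{fieldLabel}`, a string eval of a column that the select at the top of the hunk reads from `userProfileField`; the new negation protects the submitted value but not this path. If `fieldLabel` values are restricted to fixed expressions (such as internationalized-string lookups), store the lookup key instead and call the lookup directly; if they are free-form, mark it until it can be replaced: `# XXX: string eval of a database-sourced label`. validateProfileData starts and ends outside the hunk.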
|
||||
|
|
|
|||
|
|
@ -109,6 +109,9 @@ sub _setupSessionVars {
|
|||
tie %vars, 'Tie::CPHash';
|
||||
if ($_[0] ne "") {
|
||||
%vars = WebGUI::SQL->quickHash("select * from userSession where sessionId='$_[0]'");
|
||||
if ($vars{expires} < _time()) {
|
||||
WebGUI::Session::end($_[0]);
|
||||
}
|
||||
if ($vars{sessionId} ne "") {
|
||||
$session{scratch} = WebGUI::SQL->buildHashRef("select name,value from userSessionScratch
|
||||
where sessionId=".quote($_[0]));
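Review bot: After the new expiry check calls `WebGUI::Session::end($_[0])`, `%vars` still holds the expired row that the preceding quickHash loaded, so `$vars{sessionId} ne ""` on the next line remains true, the scratch data is loaded and the expired session keeps being used for the rest of this request (unless end() also resets %vars, which the hunk does not show). Reset the hash after ending, and skip the check when no row was found so end() is not called for an unknown id: `if ($vars{sessionId} ne "" && $vars{expires} < _time()) {` followed by `%vars = ();` after the end() call. Separately, the select feeding this check interpolates the id unquoted (`sessionId='$_[0]'`) while the scratch query below uses `quote($_[0])`; the id presumably arrives with the request, so it should be quoted the same way. _setupSessionVars starts and ends outside the hunk.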
|
||||
|
|
|
|||