From e3242461581873f1c1d34921d5437a3a6927c0e8 Mon Sep 17 00:00:00 2001 From: JT Smith Date: Mon, 19 Apr 2004 18:39:16 +0000 Subject: [PATCH] added some security improvements --- docs/changelog/6.x.x.txt | 9 +++++++++ docs/previousVersion.sql | 4 ++++ lib/WebGUI/Auth.pm | 29 +++++++++++++---------------- lib/WebGUI/Auth/WebGUI.pm | 23 +++++++++++------------ lib/WebGUI/Operation/Profile.pm | 2 +- lib/WebGUI/Session.pm | 3 +++ 6 files changed, 41 insertions(+), 29 deletions(-) diff --git a/docs/changelog/6.x.x.txt b/docs/changelog/6.x.x.txt index fee6cfad1..0b32c565c 100644 --- a/docs/changelog/6.x.x.txt +++ b/docs/changelog/6.x.x.txt @@ -7,6 +7,15 @@ - Added missing SQL Report help. - Changed the pagination template variables on SQL Report, Article, File Manager and USS to the standard pagination variables. + - A very special thanks to Len Kranendonk for the following security + improvements. + - Disabled anonymous registration by default for better security. + - Set session timeout to 1 hour by default for better security. + - Sessions now auto end themselves if they are used after their + expires timeout and before the scheduler has cleaned them up. + - Macros are now negated on user profile fields and authentication + fields. + 6.0.1 diff --git a/docs/previousVersion.sql b/docs/previousVersion.sql index 24df7b655..7b1747670 100644 --- a/docs/previousVersion.sql +++ b/docs/previousVersion.sql 
@@ -17969,4 +17969,8 @@ INSERT INTO wobject VALUES (5,1001,'USS',2,'Your Next Step',0,' To learn more ab
 INSERT INTO wobject VALUES (6,1002,'SyndicatedContent',1,'The Latest News',0,'This is the latest news from Plain Black and WebGUI pulled directly from the site every hour.',1076708567,3,1076709040,3,1,946710000,2082783600,NULL,NULL,NULL,NULL,NULL,0,NULL,NULL,NULL,1000,3,3,7,NULL);
 INSERT INTO wobject VALUES (7,1003,'DataForm',1,'Tell A Friend',0,'Tell a friend about WebGUI.',1076709292,3,1076709522,3,1,946710000,2082783600,NULL,NULL,NULL,NULL,NULL,0,NULL,NULL,NULL,1,3,3,7,NULL);
 INSERT INTO wobject VALUES (8,1004,'SiteMap',0,'Site Map',0,'',1001744792,3,1016077239,3,1,1001744792,1336444487,NULL,NULL,NULL,NULL,NULL,0,NULL,NULL,NULL,2,3,3,7,NULL);
+update settings set value=0 where name='anonymousRegistration';
+update settings set value=3600 where name='sessionTimeout';
+
+
diff --git a/lib/WebGUI/Auth.pm b/lib/WebGUI/Auth.pm
index c1406293b..ae0223992 100644
--- a/lib/WebGUI/Auth.pm
+++ b/lib/WebGUI/Auth.pm
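Review bot: Both `update settings` statements overwrite whatever value an administrator had already chosen for `anonymousRegistration` and `sessionTimeout`, not merely the shipped default, so an operator who deliberately enabled registration or picked a longer timeout is silently reverted on upgrade. If the intent is to harden the default without discarding a deliberate choice, restrict each update to the old shipped value, e.g. `update settings set value=3600 where name='sessionTimeout' and value=<previous default>;`, assuming the previous default is known to this script. A one-line comment above the two statements naming the reason (`-- hardening defaults, see docs/changelog/6.x.x.txt`) would also help whoever reads this file later.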
@@ -406,33 +406,30 @@ sub displayAccount {
 =cut
 sub displayLogin {
- my $self = shift;
+ my $self = shift;
 my $method = $_[0] || "login";
 my $vars = $_[1];
 my $template = $_[2] || 'Auth/'.$self->authMethod.'/Login';
- unless ($session{env}{REQUEST_URI} =~ "displayLogin" || $session{env}{REQUEST_URI} =~ "displayAccount" ||
- $session{env}{REQUEST_URI} =~ "logout" || $session{env}{REQUEST_URI} =~ "deactivateAccount"){
- WebGUI::Session::setScratch("redirectAfterLogin",$session{env}{REQUEST_URI});
+ $session{env}{REQUEST_URI} =~ "logout" || $session{env}{REQUEST_URI} =~ "deactivateAccount"){
+ WebGUI::Session::setScratch("redirectAfterLogin",$session{env}{REQUEST_URI});
 }
- $vars->{title} = WebGUI::International::get(66);
- $vars->{'login.form.header'} = WebGUI::Form::formHeader({});
+ $vars->{'login.form.header'} = WebGUI::Form::formHeader();
 if ($session{setting}{encryptLogin}) {
- $vars->{'login.form.header'} =~ s/http:/https:/;
- }
- $vars->{'login.form.hidden'} = WebGUI::Form::hidden({"name"=>"op","value"=>"auth"});
+ $vars->{'login.form.header'} =~ s/http:/https:/;
+ }
+ $vars->{'login.form.hidden'} = WebGUI::Form::hidden({"name"=>"op","value"=>"auth"});
 $vars->{'login.form.hidden'} .= WebGUI::Form::hidden({"name"=>"method","value"=>$method});
 $vars->{'login.form.username'} = WebGUI::Form::text({"name"=>"username"});
- $vars->{'login.form.username.label'} = WebGUI::International::get(50);
- $vars->{'login.form.password'} = WebGUI::Form::password({"name"=>"identifier"});
- $vars->{'login.form.password.label'} = WebGUI::International::get(51);
+ $vars->{'login.form.username.label'} = WebGUI::International::get(50);
+ $vars->{'login.form.password'} = WebGUI::Form::password({"name"=>"identifier"});
+ $vars->{'login.form.password.label'} = WebGUI::International::get(51);
 $vars->{'login.form.submit'} = WebGUI::Form::submit({"value"=>WebGUI::International::get(52)});
 $vars->{'login.form.footer'} = "";
- $vars->{'anonymousRegistration.isAllowed'} =
($session{setting}{anonymousRegistration});
- $vars->{'createAccount.url'} = WebGUI::URL::page('op=createAccount');
- $vars->{'createAccount.label'} = WebGUI::International::get(67);
+ $vars->{'createAccount.url'} = WebGUI::URL::page('op=createAccount');
+ $vars->{'createAccount.label'} = WebGUI::International::get(67);
 return WebGUI::Template::process(WebGUI::Template::get(1,$template), $vars);
 }
@@ -745,7 +742,7 @@ sub username {
 sub validUsername {
 my $self = shift;
- my $username = $_[0];
+ my $username = WebGUI::Macro::negate($_[0]);
 my $error = "";
 if($self->_isDuplicateUsername($username)){
diff --git a/lib/WebGUI/Auth/WebGUI.pm b/lib/WebGUI/Auth/WebGUI.pm
index 96c74b2ae..5c999a13a 100644
--- a/lib/WebGUI/Auth/WebGUI.pm
+++ b/lib/WebGUI/Auth/WebGUI.pm
@@ -15,6 +15,7 @@ use strict;
 use WebGUI::Auth;
 use WebGUI::DateTime;
 use WebGUI::HTMLForm;
+use WebGUI::Macro;
 use WebGUI::Mail;
 use WebGUI::Session;
 use WebGUI::SQL;
@@ -33,8 +34,8 @@ our @ISA = qw(WebGUI::Auth);
 sub _isValidPassword {
 my $self = shift;
- my $password = shift;
- my $confirm = shift;
+ my $password = WebGUI::Macro::negate(shift);
+ my $confirm = WebGUI::Macro::negate(shift);
 my $error = "";
 if ($password ne $confirm) {
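Review bot: Removing `$vars->{'anonymousRegistration.isAllowed'}` takes away the variable a login template can use to hide the create-account link, while the same commit turns anonymous registration off by default, so a default install will still advertise `createAccount.url` unless every template is changed as well; keeping `$vars->{'anonymousRegistration.isAllowed'} = $session{setting}{anonymousRegistration};` next to the `createAccount.url` assignment avoids that. The removed `$vars->{title}` line likewise drops a variable existing templates may reference, and if both removals are deliberate the changelog should say so. As rendered here, the `unless (` line of the redirect guard appears only on the removed side; if that is not an artifact of the collapsed diff, the surviving `$session{env}{REQUEST_URI} =~ "logout" || ... ){` line no longer parses. The guard also matches the URI with unanchored string patterns (`=~ "logout"`), which fire on any path that merely contains the word; comparing the `op` value exactly, or using `m{\blogout\b}`, would be tighter.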
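Review bot: `WebGUI::Macro::negate($_[0])` changes only the copy of the username that the checks inside validUsername see; the caller still holds the raw `$_[0]`, so unless it negates as well, a name containing macro syntax can pass `_isDuplicateUsername` as one string and be stored as another. The same split applies to `_isValidPassword` in Auth/WebGUI.pm, where `$password` and `$confirm` are negated for the comparison but the code that hashes or stores the password is not in this diff and would have to apply the identical transformation, as would the login path, or a password containing such characters would never verify; rejecting such input with an explicit error, or negating once at the point of storage, keeps the checked and stored values identical. Auth.pm gains no `use WebGUI::Macro;` line in this diff (Auth/WebGUI.pm does), so the call here relies on the module already being loaded by something else, which is worth confirming. validUsername continues past the hunk.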
@@ -244,16 +245,14 @@ sub displayAccount {
 =cut
 sub displayLogin {
- my $self = shift;
- my $vars;
- return $self->displayAccount($_[0]) if ($self->userId != 1);
- $vars->{'login.message'} = $_[0] if ($_[0]);
- $vars->{'recoverPassword.isAllowed'} = $self->getSetting("passwordRecovery");
- $vars->{'recoverPassword.url'} = WebGUI::URL::page('op=recoverPassword');
- $vars->{'recoverPassword.label'} = WebGUI::International::get(59);
-
-
- return $self->SUPER::displayLogin("login",$vars);
+ my $self = shift;
+ my $vars;
+ return $self->displayAccount($_[0]) if ($self->userId != 1);
+ $vars->{'login.message'} = $_[0] if ($_[0]);
+ $vars->{'recoverPassword.isAllowed'} = $self->getSetting("passwordRecovery");
+ $vars->{'recoverPassword.url'} = WebGUI::URL::page('op=recoverPassword');
+ $vars->{'recoverPassword.label'} = WebGUI::International::get(59);
+ return $self->SUPER::displayLogin("login",$vars);
 }
 #-------------------------------------------------------------------
diff --git a/lib/WebGUI/Operation/Profile.pm b/lib/WebGUI/Operation/Profile.pm
index b4644a365..a5c9ac85a 100644
--- a/lib/WebGUI/Operation/Profile.pm
+++ b/lib/WebGUI/Operation/Profile.pm
@@ -115,7 +115,7 @@ sub validateProfileData {
 $a = WebGUI::SQL->read("select * from userProfileField,userProfileCategory where userProfileField.profileCategoryId=userProfileCategory.profileCategoryId and userProfileCategory.editable=1 and userProfileField.editable=1 order by userProfileCategory.sequenceNumber,userProfileField.sequenceNumber");
 while (%field = $a->hash) {
- $data{$field{fieldName}} = WebGUI::FormProcessor::process($field{fieldName},$field{dataType});
+ $data{$field{fieldName}} = WebGUI::Macro::negate(WebGUI::FormProcessor::process($field{fieldName},$field{dataType}));
 if ($field{required} && $data{$field{fieldName}} eq "") {
 $error .= '
  • '.(eval $field{fieldLabel}).' '.WebGUI::International::get(451);
 }elsif($field{fieldName} eq "email" && isDuplicateEmail($data{$field{fieldName}})){
diff --git a/lib/WebGUI/Session.pm b/lib/WebGUI/Session.pm
index e7c50a7c4..2d46217b8 100644
--- a/lib/WebGUI/Session.pm
+++ b/lib/WebGUI/Session.pm
@@ -109,6 +109,9 @@ sub _setupSessionVars {
 tie %vars, 'Tie::CPHash';
 if ($_[0] ne "") {
 %vars = WebGUI::SQL->quickHash("select * from userSession where sessionId='$_[0]'");
+ if ($vars{expires} < _time()) {
+ WebGUI::Session::end($_[0]);
+ }
 if ($vars{sessionId} ne "") {
 $session{scratch} = WebGUI::SQL->buildHashRef("select name,value from userSessionScratch where sessionId=".quote($_[0]));
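Review bot: Negating the processed value here protects only data that enters through validateProfileData; profile values already stored before this upgrade, and any other write path to these fields, are untouched, so neutralising macro syntax where profile fields are rendered (or doing both) would cover those cases as well, assuming the goal is, as the changelog suggests, to stop stored profile text from being expanded as macros. Adjacent to the change rather than part of it, `eval $field{fieldLabel}` on the next line string-evaluates a database-stored label; a comment stating that labels are trusted expressions settable only by administrators would make that design choice explicit for the next reader. validateProfileData starts and ends outside this hunk.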
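Review bot: After `WebGUI::Session::end($_[0])` the lexical `%vars` still holds the expired row, so the following `if ($vars{sessionId} ne "")` loads the scratch data and the rest of this request proceeds with the expired session; adding `%vars = ();` after the `end` call makes an expired session behave like a missing one for the current request as well. The new check also fires when the lookup returned no row at all, because an undefined `$vars{expires}` compares numerically as 0 and calls `end` for an unknown id on every such hit; `if ($vars{sessionId} ne "" && $vars{expires} < _time()) {` limits it to sessions that exist. The `select` two lines above still interpolates `$_[0]` directly into the SQL string while the scratch query below passes it through `quote($_[0])`; if the session id is taken from the client's cookie, as seems likely, the first query deserves the same treatment. _setupSessionVars starts before and continues after this hunk.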