[interchange-cvs] interchange - heins modified 3 files
interchange-cvs at icdevgroup.org
interchange-cvs at icdevgroup.org
Fri Apr 16 12:31:05 EDT 2004
User: heins
Date: 2004-04-16 16:31:04 GMT
Modified: lib/Vend Config.pm Dispatch.pm UserDB.pm
Log:
* Remove security hole where by a non-admin user with write permission
to files for ITL could elevate their login status to admin.
logout=[userdb logout]
[calc]
$Config->{AdminUserDB}{default} = 1;
[/calc]
login=[userdb function=login username=mike password=pass]
This would cause setting of $Vend::admin.
* Create a new %Global::ReadOnlyCfg hash with the pristine
values from the initial configuration. At catalog configuration
time, the values from AdminUserDB and UserDB_repository are
copied over.
* The UserDB login function now references the read-only config
to determine admin status.
* TODO: Make all UserDB.pm functions reference this read-only config.
* Not from an exploit, from a code read.
* TODO: Determine if 5.0 and/or 5.2 should be patched.
Revision Changes Path
2.139 +16 -2 interchange/lib/Vend/Config.pm
rev 2.139, prev_rev 2.138
Index: Config.pm
===================================================================
RCS file: /var/cvs/interchange/lib/Vend/Config.pm,v
retrieving revision 2.138
retrieving revision 2.139
diff -u -r2.138 -r2.139
--- Config.pm 11 Apr 2004 16:34:50 -0000 2.138
+++ Config.pm 16 Apr 2004 16:31:04 -0000 2.139
@@ -1,6 +1,6 @@
# Vend::Config - Configure Interchange
#
-# $Id: Config.pm,v 2.138 2004/04/11 16:34:50 mheins Exp $
+# $Id: Config.pm,v 2.139 2004/04/16 16:31:04 mheins Exp $
#
# Copyright (C) 2002-2003 Interchange Development Group
# Copyright (C) 1996-2002 Red Hat, Inc.
@@ -48,7 +48,7 @@
use Vend::File;
use Vend::Data;
-$VERSION = substr(q$Revision: 2.138 $, 10);
+$VERSION = substr(q$Revision: 2.139 $, 10);
my %CDname;
my %CPname;
@@ -1017,6 +1017,7 @@
finalize_mapped_code();
+ set_readonly_config();
# Ugly legacy stuff so API won't break
$C->{Special} = $C->{SpecialPage} if defined $C->{SpecialPage};
return $C;
@@ -2580,6 +2581,19 @@
sub set_global_defaults {
## Nothing here currently
+}
+
+my @readonly_members = qw/
+ UserDB_repository
+ AdminUserDB
+/;
+
+sub set_readonly_config {
+ my $cat = $C->{CatalogName} or return;
+ my $ro = $Global::ReadOnlyCfg{$cat} ||= {};
+ for(@readonly_members) {
+ $ro->{$_} = copyref($C->{$_});
+ }
}
sub set_defaults {
1.39 +4 -2 interchange/lib/Vend/Dispatch.pm
rev 1.39, prev_rev 1.38
Index: Dispatch.pm
===================================================================
RCS file: /var/cvs/interchange/lib/Vend/Dispatch.pm,v
retrieving revision 1.38
retrieving revision 1.39
diff -u -r1.38 -r1.39
--- Dispatch.pm 13 Apr 2004 01:10:14 -0000 1.38
+++ Dispatch.pm 16 Apr 2004 16:31:04 -0000 1.39
@@ -1,6 +1,6 @@
# Vend::Dispatch - Handle Interchange page requests
#
-# $Id: Dispatch.pm,v 1.38 2004/04/13 01:10:14 jon Exp $
+# $Id: Dispatch.pm,v 1.39 2004/04/16 16:31:04 mheins Exp $
#
# Copyright (C) 2002-2003 Interchange Development Group
# Copyright (C) 2002 Mike Heins <mike at perusion.net>
@@ -26,7 +26,7 @@
package Vend::Dispatch;
use vars qw($VERSION);
-$VERSION = substr(q$Revision: 1.38 $, 10);
+$VERSION = substr(q$Revision: 1.39 $, 10);
use POSIX qw(strftime);
use Vend::Util;
@@ -966,6 +966,8 @@
}
$Vend::Cat = $Vend::Cfg->{CatalogName};
+ $Vend::ReadOnlyCfg = $Global::ReadOnlyCfg{$Vend::Cat};
+
my $catref = $Global::Catalog{$Vend::Cat};
if(! $Global::Foreground and defined $catref->{directive}) {
no strict 'refs';
2.29 +3 -3 interchange/lib/Vend/UserDB.pm
rev 2.29, prev_rev 2.28
Index: UserDB.pm
===================================================================
RCS file: /var/cvs/interchange/lib/Vend/UserDB.pm,v
retrieving revision 2.28
retrieving revision 2.29
diff -u -r2.28 -r2.29
--- UserDB.pm 16 Apr 2004 15:51:50 -0000 2.28
+++ UserDB.pm 16 Apr 2004 16:31:04 -0000 2.29
@@ -1,6 +1,6 @@
# Vend::UserDB - Interchange user database functions
#
-# $Id: UserDB.pm,v 2.28 2004/04/16 15:51:50 mheins Exp $
+# $Id: UserDB.pm,v 2.29 2004/04/16 16:31:04 mheins Exp $
#
# Copyright (C) 2002-2003 Interchange Development Group
# Copyright (C) 1996-2002 Red Hat, Inc.
@@ -17,7 +17,7 @@
package Vend::UserDB;
-$VERSION = substr(q$Revision: 2.28 $, 10);
+$VERSION = substr(q$Revision: 2.29 $, 10);
use vars qw!
$VERSION
@@ -1716,7 +1716,7 @@
return undef;
}
if ($status = $user->login(%options) ) {
- if( $Vend::Cfg->{AdminUserDB}{$user->{PROFILE}} ) {
+ if( $Vend::ReadOnlyCfg->{AdminUserDB}{$user->{PROFILE}} ) {
$Vend::admin = 1;
}
undef $Vend::Cookie;
More information about the interchange-cvs
mailing list