[interchange-cvs] interchange - heins modified 3 files

interchange-cvs at icdevgroup.org interchange-cvs at icdevgroup.org
Fri Apr 16 12:31:05 EDT 2004


User:      heins
Date:      2004-04-16 16:31:04 GMT
Modified:  lib/Vend Config.pm Dispatch.pm UserDB.pm
Log:
* Remove security hole whereby a non-admin user with write permission
  to files for ITL could elevate their login status to admin.

	logout=[userdb logout]
	[calc]
		$Config->{AdminUserDB}{default} = 1;
	[/calc]

	login=[userdb function=login username=mike password=pass]

  This would cause setting of $Vend::admin.

* Create a new %Global::ReadOnlyCfg hash with the pristine
  values from the initial configuration. At catalog configuration
  time, the values from AdminUserDB and UserDB_repository are
  copied over.

* The UserDB login function now references the read-only config
  to determine admin status.

* TODO: Make all UserDB.pm functions reference this read-only config.

* Not from an exploit, from a code read.

* TODO: Determine if 5.0 and/or 5.2 should be patched.

Revision  Changes    Path
2.139     +16 -2     interchange/lib/Vend/Config.pm


rev 2.139, prev_rev 2.138
Index: Config.pm
===================================================================
RCS file: /var/cvs/interchange/lib/Vend/Config.pm,v
retrieving revision 2.138
retrieving revision 2.139
diff -u -r2.138 -r2.139
--- Config.pm	11 Apr 2004 16:34:50 -0000	2.138
+++ Config.pm	16 Apr 2004 16:31:04 -0000	2.139
@@ -1,6 +1,6 @@
 # Vend::Config - Configure Interchange
 #
-# $Id: Config.pm,v 2.138 2004/04/11 16:34:50 mheins Exp $
+# $Id: Config.pm,v 2.139 2004/04/16 16:31:04 mheins Exp $
 #
 # Copyright (C) 2002-2003 Interchange Development Group
 # Copyright (C) 1996-2002 Red Hat, Inc.
@@ -48,7 +48,7 @@
 use Vend::File;
 use Vend::Data;
 
-$VERSION = substr(q$Revision: 2.138 $, 10);
+$VERSION = substr(q$Revision: 2.139 $, 10);
 
 my %CDname;
 my %CPname;
@@ -1017,6 +1017,7 @@
 
 	finalize_mapped_code();
 
+	set_readonly_config();
 	# Ugly legacy stuff so API won't break
 	$C->{Special} = $C->{SpecialPage} if defined $C->{SpecialPage};
 	return $C;
@@ -2580,6 +2581,19 @@
 
 sub set_global_defaults {
 	## Nothing here currently
+}
+
+my @readonly_members = qw/
+	UserDB_repository
+	AdminUserDB
+/;
+
+sub set_readonly_config {
+	my $cat = $C->{CatalogName} or return;
+	my $ro = $Global::ReadOnlyCfg{$cat} ||= {};
+	for(@readonly_members) {
+		$ro->{$_} = copyref($C->{$_});
+	}
 }
 
 sub set_defaults {
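Review bot: set_readonly_config carries no comment stating why it exists, and the protection it provides rests on an invariant the code itself cannot enforce: %Global::ReadOnlyCfg (and the $Vend::ReadOnlyCfg alias assigned in the Dispatch.pm hunk) must never be shared into the Safe compartment that runs [calc]/[perl] code, otherwise the snapshot is as writable as $Config was. A header comment would pin this down, e.g. `# Snapshot directives that catalog-level page code must not be able to change; UserDB reads these instead of $Vend::Cfg. Never expose %Global::ReadOnlyCfg or $Vend::ReadOnlyCfg to the Safe compartment.` Whether copyref() deep-copies is not visible here; if it is shallow, $C->{AdminUserDB} and the snapshot share the inner hash and `$Config->{AdminUserDB}{default} = 1` from the log would still reach the copy, so that is worth confirming. As a point of style, `for my $name (@readonly_members)` reads better than the bare `$_` loop.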



1.39      +4 -2      interchange/lib/Vend/Dispatch.pm


rev 1.39, prev_rev 1.38
Index: Dispatch.pm
===================================================================
RCS file: /var/cvs/interchange/lib/Vend/Dispatch.pm,v
retrieving revision 1.38
retrieving revision 1.39
diff -u -r1.38 -r1.39
--- Dispatch.pm	13 Apr 2004 01:10:14 -0000	1.38
+++ Dispatch.pm	16 Apr 2004 16:31:04 -0000	1.39
@@ -1,6 +1,6 @@
 # Vend::Dispatch - Handle Interchange page requests
 #
-# $Id: Dispatch.pm,v 1.38 2004/04/13 01:10:14 jon Exp $
+# $Id: Dispatch.pm,v 1.39 2004/04/16 16:31:04 mheins Exp $
 #
 # Copyright (C) 2002-2003 Interchange Development Group
 # Copyright (C) 2002 Mike Heins <mike at perusion.net>
@@ -26,7 +26,7 @@
 package Vend::Dispatch;
 
 use vars qw($VERSION);
-$VERSION = substr(q$Revision: 1.38 $, 10);
+$VERSION = substr(q$Revision: 1.39 $, 10);
 
 use POSIX qw(strftime);
 use Vend::Util;
@@ -966,6 +966,8 @@
 	}
 
 	$Vend::Cat = $Vend::Cfg->{CatalogName};
+	$Vend::ReadOnlyCfg = $Global::ReadOnlyCfg{$Vend::Cat};
+
 	my $catref = $Global::Catalog{$Vend::Cat};
 	if(! $Global::Foreground and defined $catref->{directive}) {
 		no strict 'refs';
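Review bot: The new assignment stores the reference held in %Global::ReadOnlyCfg, not a copy, so the per-request alias and the global snapshot are one hash, and the line says nothing about why it is there; a one-line comment would help the next reader, e.g. `# Per-catalog snapshot of directives page code must not alter (see Vend::Config::set_readonly_config)`. If the catalog's config run never reached set_readonly_config this is undef, which UserDB then treats as "no admin profiles" without any diagnostic. The enclosing sub starts before the hunk.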



2.29      +3 -3      interchange/lib/Vend/UserDB.pm


rev 2.29, prev_rev 2.28
Index: UserDB.pm
===================================================================
RCS file: /var/cvs/interchange/lib/Vend/UserDB.pm,v
retrieving revision 2.28
retrieving revision 2.29
diff -u -r2.28 -r2.29
--- UserDB.pm	16 Apr 2004 15:51:50 -0000	2.28
+++ UserDB.pm	16 Apr 2004 16:31:04 -0000	2.29
@@ -1,6 +1,6 @@
 # Vend::UserDB - Interchange user database functions
 #
-# $Id: UserDB.pm,v 2.28 2004/04/16 15:51:50 mheins Exp $
+# $Id: UserDB.pm,v 2.29 2004/04/16 16:31:04 mheins Exp $
 #
 # Copyright (C) 2002-2003 Interchange Development Group
 # Copyright (C) 1996-2002 Red Hat, Inc.
@@ -17,7 +17,7 @@
 
 package Vend::UserDB;
 
-$VERSION = substr(q$Revision: 2.28 $, 10);
+$VERSION = substr(q$Revision: 2.29 $, 10);
 
 use vars qw!
 	$VERSION
@@ -1716,7 +1716,7 @@
 			return undef;
 		}
 		if ($status = $user->login(%options) ) {
-			if( $Vend::Cfg->{AdminUserDB}{$user->{PROFILE}} ) {
+			if( $Vend::ReadOnlyCfg->{AdminUserDB}{$user->{PROFILE}} ) {
 				$Vend::admin = 1;
 			}
 			undef $Vend::Cookie;
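Review bot: The new lookup fails closed but silently when the snapshot is missing: dereferencing an undefined `$Vend::ReadOnlyCfg` autovivifies an empty hash and yields undef, so every admin login is refused and the failure looks like an ordinary non-admin login. Consider emitting a log line when `$Vend::ReadOnlyCfg` is undefined at this point so a catalog whose config never reached set_readonly_config is noticed, and add a why-comment on the changed line, e.g. `# Use the read-only snapshot, not $Vend::Cfg, which catalog ITL can modify`. The enclosing sub starts before the hunk and its other readers of $Vend::Cfg are not visible here.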







