diff options
| author | Simon McVittie <smcv@debian.org> | 2017-01-11 13:12:50 +0000 |
|---|---|---|
| committer | Simon McVittie <smcv@debian.org> | 2017-01-11 18:11:06 +0000 |
| commit | f357856448ead271f6d85ab4d0015220a65877df (patch) | |
| tree | c80b408d1016735dc3f097502048a8415f25bc40 /IkiWiki | |
| parent | c7a4d5777261f0cad1e57d5b16788caaf0f74850 (diff) | |
| download | ikiwiki-f357856448ead271f6d85ab4d0015220a65877df.tar ikiwiki-f357856448ead271f6d85ab4d0015220a65877df.tar.gz | |
passwordauth: prevent authentication bypass via multiple name parameters
Calling CGI::FormBuilder::field with a name argument in list context
returns zero or more user-specified values of the named field, even
if that field was not declared as supporting multiple values.
Passing the result of field as a function parameter counts as list
context. This is the same bad behaviour that is now discouraged
for CGI::param.
In this case we pass the multiple values to CGI::Session::param.
That accessor has six possible calling conventions, of which four are
documented. If an attacker passes (2*n + 1) values for the 'name'
field, for example name=a&name=b&name=c, we end up in one of the
undocumented calling conventions for param:
# equivalent to: (name => 'a', b => 'c')
$session->param('name', 'a', 'b', 'c')
and the 'b' session parameter is unexpectedly set to an
attacker-specified value.
In particular, if an attacker "bob" specifies
name=bob&name=name&name=alice, then authentication is carried out
for "bob" but the CGI::Session ends up containing {name => 'alice'},
an authentication bypass vulnerability.
This vulnerability is tracked as OVE-20170111-0001.
(cherry picked from commit e909eb93f4530a175d622360a8433e833ecf0254)
Diffstat (limited to 'IkiWiki')
| -rw-r--r-- | IkiWiki/Plugin/passwordauth.pm | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/IkiWiki/Plugin/passwordauth.pm b/IkiWiki/Plugin/passwordauth.pm index fb3fd9ee1..0dde0386e 100644 --- a/IkiWiki/Plugin/passwordauth.pm +++ b/IkiWiki/Plugin/passwordauth.pm @@ -325,12 +325,13 @@ sub formbuilder (@) { if ($form->title eq "signin" || $form->title eq "register") { if (($form->submitted && $form->validate) || $do_register) { + my $user_name = $form->field('name'); + if ($form->submitted eq 'Login') { - $session->param("name", $form->field("name")); + $session->param("name", $user_name); IkiWiki::cgi_postsignin($cgi, $session); } elsif ($form->submitted eq 'Create Account') { - my $user_name=$form->field('name'); if (IkiWiki::userinfo_setall($user_name, { 'email' => $form->field('email'), 'regdate' => time})) { @@ -344,7 +345,6 @@ sub formbuilder (@) { } } elsif ($form->submitted eq 'Reset Password') { - my $user_name=$form->field("name"); my $email=IkiWiki::userinfo_get($user_name, "email"); if (! length $email) { error(gettext("No email address, so cannot email password reset instructions.")); |