Created
July 16, 2014 15:29
-
-
Save asantoni/ef6fb236286f5b39b8f6 to your computer and use it in GitHub Desktop.
Airtime 2.5.1 session pinning patch (fixes CVE-2014-4915)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| diff --git a/airtime_mvc/application/Bootstrap.php b/airtime_mvc/application/Bootstrap.php | |
| index 74c1cd6..5bafe0f 100644 | |
| --- a/airtime_mvc/application/Bootstrap.php | |
| +++ b/airtime_mvc/application/Bootstrap.php | |
| @@ -14,8 +14,10 @@ require_once "DateHelper.php"; | |
| require_once "OsPath.php"; | |
| require_once "Database.php"; | |
| require_once "Timezone.php"; | |
| +require_once "Auth.php"; | |
| require_once __DIR__.'/forms/helpers/ValidationTypes.php'; | |
| require_once __DIR__.'/controllers/plugins/RabbitMqPlugin.php'; | |
| + | |
| require_once (APPLICATION_PATH."/logging/Logging.php"); | |
| Logging::setLogPath('/var/log/airtime/zendphp.log'); | |
| @@ -25,6 +27,8 @@ require_once __DIR__."/configs/navigation.php"; | |
| Zend_Validate::setDefaultNamespaces("Zend"); | |
| +Application_Model_Auth::pinSessionToClient(Zend_Auth::getInstance()); | |
| + | |
| $front = Zend_Controller_Front::getInstance(); | |
| $front->registerPlugin(new RabbitMqPlugin()); | |
| diff --git a/airtime_mvc/application/controllers/LoginController.php b/airtime_mvc/application/controllers/LoginController.php | |
| index 4c58a6b..84af7f9 100644 | |
| --- a/airtime_mvc/application/controllers/LoginController.php | |
| +++ b/airtime_mvc/application/controllers/LoginController.php | |
| @@ -14,9 +14,10 @@ class LoginController extends Zend_Controller_Action | |
| $request = $this->getRequest(); | |
| Application_Model_Locale::configureLocalization($request->getcookie('airtime_locale', 'en_CA')); | |
| - if (Zend_Auth::getInstance()->hasIdentity()) | |
| + $auth = Zend_Auth::getInstance(); | |
| + | |
| + if ($auth->hasIdentity()) | |
| { | |
| - | |
| $this->_redirect('Showbuilder'); | |
| } | |
| @@ -52,8 +53,7 @@ class LoginController extends Zend_Controller_Action | |
| //pass to the adapter the submitted username and password | |
| $authAdapter->setIdentity($username) | |
| ->setCredential($password); | |
| - | |
| - $auth = Zend_Auth::getInstance(); | |
| + | |
| $result = $auth->authenticate($authAdapter); | |
| if ($result->isValid()) { | |
| //all info about this user from the login table omit only the password | |
| @@ -66,14 +66,12 @@ class LoginController extends Zend_Controller_Action | |
| Application_Model_LoginAttempts::resetAttempts($_SERVER['REMOTE_ADDR']); | |
| Application_Model_Subjects::resetLoginAttempts($username); | |
| - $tempSess = new Zend_Session_Namespace("referrer"); | |
| - $tempSess->referrer = 'login'; | |
| - | |
| //set the user locale in case user changed it in when logging in | |
| Application_Model_Preference::SetUserLocale($locale); | |
| $this->_redirect('Showbuilder'); | |
| } else { | |
| + | |
| $message = _("Wrong username or password provided. Please try again."); | |
| Application_Model_Subjects::increaseLoginAttempts($username); | |
| Application_Model_LoginAttempts::increaseAttempts($_SERVER['REMOTE_ADDR']); | |
| @@ -96,7 +94,8 @@ class LoginController extends Zend_Controller_Action | |
| public function logoutAction() | |
| { | |
| - Zend_Auth::getInstance()->clearIdentity(); | |
| + $auth = Zend_Auth::getInstance(); | |
| + $auth->clearIdentity(); | |
| $this->_redirect('showbuilder/index'); | |
| } | |
| diff --git a/airtime_mvc/application/controllers/plugins/Acl_plugin.php b/airtime_mvc/application/controllers/plugins/Acl_plugin.php | |
| index 44555e5..2771b11 100644 | |
| --- a/airtime_mvc/application/controllers/plugins/Acl_plugin.php | |
| +++ b/airtime_mvc/application/controllers/plugins/Acl_plugin.php | |
| @@ -109,9 +109,9 @@ class Zend_Controller_Plugin_Acl extends Zend_Controller_Plugin_Abstract | |
| public function preDispatch(Zend_Controller_Request_Abstract $request) | |
| { | |
| $controller = strtolower($request->getControllerName()); | |
| + Application_Model_Auth::pinSessionToClient(Zend_Auth::getInstance()); | |
| if (in_array($controller, array("api", "auth", "locale"))) { | |
| - | |
| $this->setRoleName("G"); | |
| } elseif (!Zend_Auth::getInstance()->hasIdentity()) { | |
| diff --git a/airtime_mvc/application/models/Auth.php b/airtime_mvc/application/models/Auth.php | |
| index 104ee80..37b9cae 100644 | |
| --- a/airtime_mvc/application/models/Auth.php | |
| +++ b/airtime_mvc/application/models/Auth.php | |
| @@ -101,4 +101,18 @@ class Application_Model_Auth | |
| return $string; | |
| } | |
| + | |
| + /** It is essential to do this before interacting with Zend_Auth otherwise sessions could be shared between | |
| + * different copies of Airtime on the same webserver. This essentially pins this session to: | |
| + * - The server hostname - including subdomain so we segment multiple Airtime installs on different subdomains | |
| + * - The remote IP of the browser - to help prevent session hijacking | |
| + * - The client ID - same reason as server hostname | |
| + * @param Zend_Auth $auth Get this with Zend_Auth::getInstance(). | |
| + */ | |
| + public static function pinSessionToClient($auth) | |
| + { | |
| + $serverName = isset($_SERVER['SERVER_NAME']) ? $_SERVER['SERVER_NAME'] : ""; | |
| + $remoteAddr = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : ""; | |
| + $auth->setStorage(new Zend_Auth_Storage_Session('Airtime' . $serverName . $remoteAddr . Application_Model_Preference::GetClientId())); | |
| + } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment