Fossil SCM
Only require CSRF checks for /chat-send if the request was authenticated by cookie. Follow-up to [4caa8cb9ff819f7e].
Commit
10006db404afa55865890ad8884b6d30076cb7ce30746642fb58b3571b972daa
Parent
5f65ed513db93fb…
4 files changed
+1
-1
+6
+7
+5
+1
-1
| --- src/chat.c | ||
| +++ src/chat.c | ||
| @@ -443,11 +443,11 @@ | ||
| 443 | 443 | const char *zUserName; |
| 444 | 444 | login_check_credentials(); |
| 445 | 445 | if( 0==g.perm.Chat ) { |
| 446 | 446 | chat_emit_permissions_error(0); |
| 447 | 447 | return; |
| 448 | - }else if( 0==cgi_csrf_safe(1) ){ | |
| 448 | + }else if( g.eAuthMethod==AUTH_COOKIE && 0==cgi_csrf_safe(1) ){ | |
| 449 | 449 | chat_emit_csrf_error(); |
| 450 | 450 | return; |
| 451 | 451 | } |
| 452 | 452 | zUserName = (g.zLogin && g.zLogin[0]) ? g.zLogin : "nobody"; |
| 453 | 453 | nByte = atoi(PD("file:bytes","0")); |
| 454 | 454 |
| --- src/chat.c | |
| +++ src/chat.c | |
| @@ -443,11 +443,11 @@ | |
| 443 | const char *zUserName; |
| 444 | login_check_credentials(); |
| 445 | if( 0==g.perm.Chat ) { |
| 446 | chat_emit_permissions_error(0); |
| 447 | return; |
| 448 | }else if( 0==cgi_csrf_safe(1) ){ |
| 449 | chat_emit_csrf_error(); |
| 450 | return; |
| 451 | } |
| 452 | zUserName = (g.zLogin && g.zLogin[0]) ? g.zLogin : "nobody"; |
| 453 | nByte = atoi(PD("file:bytes","0")); |
| 454 |
| --- src/chat.c | |
| +++ src/chat.c | |
| @@ -443,11 +443,11 @@ | |
| 443 | const char *zUserName; |
| 444 | login_check_credentials(); |
| 445 | if( 0==g.perm.Chat ) { |
| 446 | chat_emit_permissions_error(0); |
| 447 | return; |
| 448 | }else if( g.eAuthMethod==AUTH_COOKIE && 0==cgi_csrf_safe(1) ){ |
| 449 | chat_emit_csrf_error(); |
| 450 | return; |
| 451 | } |
| 452 | zUserName = (g.zLogin && g.zLogin[0]) ? g.zLogin : "nobody"; |
| 453 | nByte = atoi(PD("file:bytes","0")); |
| 454 |
+6
| --- src/login.c | ||
| +++ src/login.c | ||
| @@ -1371,10 +1371,11 @@ | ||
| 1371 | 1371 | ** g.zLogin Database USER.LOGIN value. NULL for user "nobody" |
| 1372 | 1372 | ** g.perm Permissions granted to this user |
| 1373 | 1373 | ** g.anon Permissions that would be available to anonymous |
| 1374 | 1374 | ** g.isRobot True if the client is known to be a spider or robot |
| 1375 | 1375 | ** g.perm Populated based on user account's capabilities |
| 1376 | +** g.eAuthMethod The mechanism used for authentication | |
| 1376 | 1377 | ** |
| 1377 | 1378 | */ |
| 1378 | 1379 | void login_check_credentials(void){ |
| 1379 | 1380 | int uid = 0; /* User id */ |
| 1380 | 1381 | const char *zCookie; /* Text of the login cookie */ |
| @@ -1411,10 +1412,11 @@ | ||
| 1411 | 1412 | } |
| 1412 | 1413 | g.zLogin = db_text("?", "SELECT login FROM user WHERE uid=%d", uid); |
| 1413 | 1414 | zCap = "sxy"; |
| 1414 | 1415 | g.noPswd = 1; |
| 1415 | 1416 | g.isRobot = 0; |
| 1417 | + g.eAuthMethod = AUTH_LOCAL; | |
| 1416 | 1418 | zSeed = db_text("??", "SELECT uid||quote(login)||quote(pw)||quote(cookie)" |
| 1417 | 1419 | " FROM user WHERE uid=%d", uid); |
| 1418 | 1420 | login_create_csrf_secret(zSeed); |
| 1419 | 1421 | fossil_free(zSeed); |
| 1420 | 1422 | } |
| @@ -1490,10 +1492,11 @@ | ||
| 1490 | 1492 | " AND octet_length(cap)>0" |
| 1491 | 1493 | " AND octet_length(pw)>0"); |
| 1492 | 1494 | } |
| 1493 | 1495 | } |
| 1494 | 1496 | } |
| 1497 | + if( uid ) g.eAuthMethod = AUTH_COOKIE; | |
| 1495 | 1498 | login_create_csrf_secret(zHash); |
| 1496 | 1499 | } |
| 1497 | 1500 | |
| 1498 | 1501 | /* If no user found and the REMOTE_USER environment variable is set, |
| 1499 | 1502 | ** then accept the value of REMOTE_USER as the user. |
| @@ -1502,19 +1505,21 @@ | ||
| 1502 | 1505 | const char *zRemoteUser = P("REMOTE_USER"); |
| 1503 | 1506 | if( zRemoteUser && db_get_boolean("remote_user_ok",0) ){ |
| 1504 | 1507 | uid = db_int(0, "SELECT uid FROM user WHERE login=%Q" |
| 1505 | 1508 | " AND octet_length(cap)>0 AND octet_length(pw)>0", |
| 1506 | 1509 | zRemoteUser); |
| 1510 | + if( uid ) g.eAuthMethod = AUTH_ENV; | |
| 1507 | 1511 | } |
| 1508 | 1512 | } |
| 1509 | 1513 | |
| 1510 | 1514 | /* If the request didn't provide a login cookie or the login cookie didn't |
| 1511 | 1515 | ** match a known valid user, check the HTTP "Authorization" header and |
| 1512 | 1516 | ** see if those credentials are valid for a known user. |
| 1513 | 1517 | */ |
| 1514 | 1518 | if( uid==0 && db_get_boolean("http_authentication_ok",0) ){ |
| 1515 | 1519 | uid = login_basic_authentication(zIpAddr); |
| 1520 | + if( uid ) g.eAuthMethod = AUTH_HTTP; | |
| 1516 | 1521 | } |
| 1517 | 1522 | |
| 1518 | 1523 | /* Check for magic query parameters "resid" (for the username) and |
| 1519 | 1524 | ** "token" for the password. Both values (if they exist) will be |
| 1520 | 1525 | ** obfuscated. |
| @@ -1529,10 +1534,11 @@ | ||
| 1529 | 1534 | " WHERE login=%Q" |
| 1530 | 1535 | " AND (constant_time_cmp(pw,%Q)=0" |
| 1531 | 1536 | " OR constant_time_cmp(pw,%Q)=0)", |
| 1532 | 1537 | zUsr, zSha1Pw, zPW); |
| 1533 | 1538 | fossil_free(zSha1Pw); |
| 1539 | + if( uid ) g.eAuthMethod = AUTH_PW; | |
| 1534 | 1540 | } |
| 1535 | 1541 | } |
| 1536 | 1542 | |
| 1537 | 1543 | /* If no user found yet, try to log in as "nobody" */ |
| 1538 | 1544 | if( uid==0 ){ |
| 1539 | 1545 |
| --- src/login.c | |
| +++ src/login.c | |
| @@ -1371,10 +1371,11 @@ | |
| 1371 | ** g.zLogin Database USER.LOGIN value. NULL for user "nobody" |
| 1372 | ** g.perm Permissions granted to this user |
| 1373 | ** g.anon Permissions that would be available to anonymous |
| 1374 | ** g.isRobot True if the client is known to be a spider or robot |
| 1375 | ** g.perm Populated based on user account's capabilities |
| 1376 | ** |
| 1377 | */ |
| 1378 | void login_check_credentials(void){ |
| 1379 | int uid = 0; /* User id */ |
| 1380 | const char *zCookie; /* Text of the login cookie */ |
| @@ -1411,10 +1412,11 @@ | |
| 1411 | } |
| 1412 | g.zLogin = db_text("?", "SELECT login FROM user WHERE uid=%d", uid); |
| 1413 | zCap = "sxy"; |
| 1414 | g.noPswd = 1; |
| 1415 | g.isRobot = 0; |
| 1416 | zSeed = db_text("??", "SELECT uid||quote(login)||quote(pw)||quote(cookie)" |
| 1417 | " FROM user WHERE uid=%d", uid); |
| 1418 | login_create_csrf_secret(zSeed); |
| 1419 | fossil_free(zSeed); |
| 1420 | } |
| @@ -1490,10 +1492,11 @@ | |
| 1490 | " AND octet_length(cap)>0" |
| 1491 | " AND octet_length(pw)>0"); |
| 1492 | } |
| 1493 | } |
| 1494 | } |
| 1495 | login_create_csrf_secret(zHash); |
| 1496 | } |
| 1497 | |
| 1498 | /* If no user found and the REMOTE_USER environment variable is set, |
| 1499 | ** then accept the value of REMOTE_USER as the user. |
| @@ -1502,19 +1505,21 @@ | |
| 1502 | const char *zRemoteUser = P("REMOTE_USER"); |
| 1503 | if( zRemoteUser && db_get_boolean("remote_user_ok",0) ){ |
| 1504 | uid = db_int(0, "SELECT uid FROM user WHERE login=%Q" |
| 1505 | " AND octet_length(cap)>0 AND octet_length(pw)>0", |
| 1506 | zRemoteUser); |
| 1507 | } |
| 1508 | } |
| 1509 | |
| 1510 | /* If the request didn't provide a login cookie or the login cookie didn't |
| 1511 | ** match a known valid user, check the HTTP "Authorization" header and |
| 1512 | ** see if those credentials are valid for a known user. |
| 1513 | */ |
| 1514 | if( uid==0 && db_get_boolean("http_authentication_ok",0) ){ |
| 1515 | uid = login_basic_authentication(zIpAddr); |
| 1516 | } |
| 1517 | |
| 1518 | /* Check for magic query parameters "resid" (for the username) and |
| 1519 | ** "token" for the password. Both values (if they exist) will be |
| 1520 | ** obfuscated. |
| @@ -1529,10 +1534,11 @@ | |
| 1529 | " WHERE login=%Q" |
| 1530 | " AND (constant_time_cmp(pw,%Q)=0" |
| 1531 | " OR constant_time_cmp(pw,%Q)=0)", |
| 1532 | zUsr, zSha1Pw, zPW); |
| 1533 | fossil_free(zSha1Pw); |
| 1534 | } |
| 1535 | } |
| 1536 | |
| 1537 | /* If no user found yet, try to log in as "nobody" */ |
| 1538 | if( uid==0 ){ |
| 1539 |
| --- src/login.c | |
| +++ src/login.c | |
| @@ -1371,10 +1371,11 @@ | |
| 1371 | ** g.zLogin Database USER.LOGIN value. NULL for user "nobody" |
| 1372 | ** g.perm Permissions granted to this user |
| 1373 | ** g.anon Permissions that would be available to anonymous |
| 1374 | ** g.isRobot True if the client is known to be a spider or robot |
| 1375 | ** g.perm Populated based on user account's capabilities |
| 1376 | ** g.eAuthMethod The mechanism used for authentication |
| 1377 | ** |
| 1378 | */ |
| 1379 | void login_check_credentials(void){ |
| 1380 | int uid = 0; /* User id */ |
| 1381 | const char *zCookie; /* Text of the login cookie */ |
| @@ -1411,10 +1412,11 @@ | |
| 1412 | } |
| 1413 | g.zLogin = db_text("?", "SELECT login FROM user WHERE uid=%d", uid); |
| 1414 | zCap = "sxy"; |
| 1415 | g.noPswd = 1; |
| 1416 | g.isRobot = 0; |
| 1417 | g.eAuthMethod = AUTH_LOCAL; |
| 1418 | zSeed = db_text("??", "SELECT uid||quote(login)||quote(pw)||quote(cookie)" |
| 1419 | " FROM user WHERE uid=%d", uid); |
| 1420 | login_create_csrf_secret(zSeed); |
| 1421 | fossil_free(zSeed); |
| 1422 | } |
| @@ -1490,10 +1492,11 @@ | |
| 1492 | " AND octet_length(cap)>0" |
| 1493 | " AND octet_length(pw)>0"); |
| 1494 | } |
| 1495 | } |
| 1496 | } |
| 1497 | if( uid ) g.eAuthMethod = AUTH_COOKIE; |
| 1498 | login_create_csrf_secret(zHash); |
| 1499 | } |
| 1500 | |
| 1501 | /* If no user found and the REMOTE_USER environment variable is set, |
| 1502 | ** then accept the value of REMOTE_USER as the user. |
| @@ -1502,19 +1505,21 @@ | |
| 1505 | const char *zRemoteUser = P("REMOTE_USER"); |
| 1506 | if( zRemoteUser && db_get_boolean("remote_user_ok",0) ){ |
| 1507 | uid = db_int(0, "SELECT uid FROM user WHERE login=%Q" |
| 1508 | " AND octet_length(cap)>0 AND octet_length(pw)>0", |
| 1509 | zRemoteUser); |
| 1510 | if( uid ) g.eAuthMethod = AUTH_ENV; |
| 1511 | } |
| 1512 | } |
| 1513 | |
| 1514 | /* If the request didn't provide a login cookie or the login cookie didn't |
| 1515 | ** match a known valid user, check the HTTP "Authorization" header and |
| 1516 | ** see if those credentials are valid for a known user. |
| 1517 | */ |
| 1518 | if( uid==0 && db_get_boolean("http_authentication_ok",0) ){ |
| 1519 | uid = login_basic_authentication(zIpAddr); |
| 1520 | if( uid ) g.eAuthMethod = AUTH_HTTP; |
| 1521 | } |
| 1522 | |
| 1523 | /* Check for magic query parameters "resid" (for the username) and |
| 1524 | ** "token" for the password. Both values (if they exist) will be |
| 1525 | ** obfuscated. |
| @@ -1529,10 +1534,11 @@ | |
| 1534 | " WHERE login=%Q" |
| 1535 | " AND (constant_time_cmp(pw,%Q)=0" |
| 1536 | " OR constant_time_cmp(pw,%Q)=0)", |
| 1537 | zUsr, zSha1Pw, zPW); |
| 1538 | fossil_free(zSha1Pw); |
| 1539 | if( uid ) g.eAuthMethod = AUTH_PW; |
| 1540 | } |
| 1541 | } |
| 1542 | |
| 1543 | /* If no user found yet, try to log in as "nobody" */ |
| 1544 | if( uid==0 ){ |
| 1545 |
+7
| --- src/main.c | ||
| +++ src/main.c | ||
| @@ -236,10 +236,17 @@ | ||
| 236 | 236 | * applicable when using SEE on Windows or Linux. */ |
| 237 | 237 | #endif |
| 238 | 238 | int useLocalauth; /* No login required if from 127.0.0.1 */ |
| 239 | 239 | int noPswd; /* Logged in without password (on 127.0.0.1) */ |
| 240 | 240 | int userUid; /* Integer user id */ |
| 241 | + int eAuthMethod; /* How the user authenticated to us */ | |
| 242 | +# define AUTH_NONE 0 /* Not authenticated */ | |
| 243 | +# define AUTH_COOKIE 1 /* Authentication by cookie */ | |
| 244 | +# define AUTH_LOCAL 2 /* Uses loopback */ | |
| 245 | +# define AUTH_PW 3 /* Authentication by password */ | |
| 246 | +# define AUTH_ENV 4 /* Authenticated by REMOTE_USER environment var */ | |
| 247 | +# define AUTH_HTTP 5 /* HTTP Basic Authentication */ | |
| 241 | 248 | int isRobot; /* True if the client is definitely a robot. False |
| 242 | 249 | ** negatives are common for this flag */ |
| 243 | 250 | int comFmtFlags; /* Zero or more "COMMENT_PRINT_*" bit flags, should be |
| 244 | 251 | ** accessed through get_comment_format(). */ |
| 245 | 252 | const char *zSockName; /* Name of the unix-domain socket file */ |
| 246 | 253 |
| --- src/main.c | |
| +++ src/main.c | |
| @@ -236,10 +236,17 @@ | |
| 236 | * applicable when using SEE on Windows or Linux. */ |
| 237 | #endif |
| 238 | int useLocalauth; /* No login required if from 127.0.0.1 */ |
| 239 | int noPswd; /* Logged in without password (on 127.0.0.1) */ |
| 240 | int userUid; /* Integer user id */ |
| 241 | int isRobot; /* True if the client is definitely a robot. False |
| 242 | ** negatives are common for this flag */ |
| 243 | int comFmtFlags; /* Zero or more "COMMENT_PRINT_*" bit flags, should be |
| 244 | ** accessed through get_comment_format(). */ |
| 245 | const char *zSockName; /* Name of the unix-domain socket file */ |
| 246 |
| --- src/main.c | |
| +++ src/main.c | |
| @@ -236,10 +236,17 @@ | |
| 236 | * applicable when using SEE on Windows or Linux. */ |
| 237 | #endif |
| 238 | int useLocalauth; /* No login required if from 127.0.0.1 */ |
| 239 | int noPswd; /* Logged in without password (on 127.0.0.1) */ |
| 240 | int userUid; /* Integer user id */ |
| 241 | int eAuthMethod; /* How the user authenticated to us */ |
| 242 | # define AUTH_NONE 0 /* Not authenticated */ |
| 243 | # define AUTH_COOKIE 1 /* Authentication by cookie */ |
| 244 | # define AUTH_LOCAL 2 /* Uses loopback */ |
| 245 | # define AUTH_PW 3 /* Authentication by password */ |
| 246 | # define AUTH_ENV 4 /* Authenticated by REMOTE_USER environment var */ |
| 247 | # define AUTH_HTTP 5 /* HTTP Basic Authentication */ |
| 248 | int isRobot; /* True if the client is definitely a robot. False |
| 249 | ** negatives are common for this flag */ |
| 250 | int comFmtFlags; /* Zero or more "COMMENT_PRINT_*" bit flags, should be |
| 251 | ** accessed through get_comment_format(). */ |
| 252 | const char *zSockName; /* Name of the unix-domain socket file */ |
| 253 |
+5
| --- src/style.c | ||
| +++ src/style.c | ||
| @@ -1442,10 +1442,15 @@ | ||
| 1442 | 1442 | @ g.zHttpsURL = %h(g.zHttpsURL)<br> |
| 1443 | 1443 | @ g.zTop = %h(g.zTop)<br> |
| 1444 | 1444 | @ g.zPath = %h(g.zPath)<br> |
| 1445 | 1445 | @ g.userUid = %d(g.userUid)<br> |
| 1446 | 1446 | @ g.zLogin = %h(g.zLogin)<br> |
| 1447 | + if( g.eAuthMethod!=AUTH_NONE ){ | |
| 1448 | + const char *zMethod[] = { "COOKIE", "LOCAL", "PW", "ENV", "HTTP" }; | |
| 1449 | + @ g.eAuthMethod = %d(g.eAuthMethod) (%h(zMethod[g.eAuthMethod-1]))\ | |
| 1450 | + @ <br> | |
| 1451 | + } | |
| 1447 | 1452 | @ g.isRobot = %d(g.isRobot)<br> |
| 1448 | 1453 | @ g.jsHref = %d(g.jsHref)<br> |
| 1449 | 1454 | if( g.zLocalRoot ){ |
| 1450 | 1455 | @ g.zLocalRoot = %h(g.zLocalRoot)<br> |
| 1451 | 1456 | }else{ |
| 1452 | 1457 |
| --- src/style.c | |
| +++ src/style.c | |
| @@ -1442,10 +1442,15 @@ | |
| 1442 | @ g.zHttpsURL = %h(g.zHttpsURL)<br> |
| 1443 | @ g.zTop = %h(g.zTop)<br> |
| 1444 | @ g.zPath = %h(g.zPath)<br> |
| 1445 | @ g.userUid = %d(g.userUid)<br> |
| 1446 | @ g.zLogin = %h(g.zLogin)<br> |
| 1447 | @ g.isRobot = %d(g.isRobot)<br> |
| 1448 | @ g.jsHref = %d(g.jsHref)<br> |
| 1449 | if( g.zLocalRoot ){ |
| 1450 | @ g.zLocalRoot = %h(g.zLocalRoot)<br> |
| 1451 | }else{ |
| 1452 |
| --- src/style.c | |
| +++ src/style.c | |
| @@ -1442,10 +1442,15 @@ | |
| 1442 | @ g.zHttpsURL = %h(g.zHttpsURL)<br> |
| 1443 | @ g.zTop = %h(g.zTop)<br> |
| 1444 | @ g.zPath = %h(g.zPath)<br> |
| 1445 | @ g.userUid = %d(g.userUid)<br> |
| 1446 | @ g.zLogin = %h(g.zLogin)<br> |
| 1447 | if( g.eAuthMethod!=AUTH_NONE ){ |
| 1448 | const char *zMethod[] = { "COOKIE", "LOCAL", "PW", "ENV", "HTTP" }; |
| 1449 | @ g.eAuthMethod = %d(g.eAuthMethod) (%h(zMethod[g.eAuthMethod-1]))\ |
| 1450 | @ <br> |
| 1451 | } |
| 1452 | @ g.isRobot = %d(g.isRobot)<br> |
| 1453 | @ g.jsHref = %d(g.jsHref)<br> |
| 1454 | if( g.zLocalRoot ){ |
| 1455 | @ g.zLocalRoot = %h(g.zLocalRoot)<br> |
| 1456 | }else{ |
| 1457 |