Fossil SCM
Stronger CSRF token based on a SHA1 hash of the login cookie.
Commit
ff3746c4c214a50e74328463604d9ae1c5aa82576d308a64c18c32f7fa130442
Parent
88a402fe2a56419…
4 files changed
-8
+22
-3
+1
-1
+13
-8
| --- src/builtin.c | ||
| +++ src/builtin.c | ||
| @@ -666,18 +666,10 @@ | ||
| 666 | 666 | CX("name: %!j,", (g.zLogin&&*g.zLogin) ? g.zLogin : "guest"); |
| 667 | 667 | CX("isAdmin: %s", (g.perm.Admin || g.perm.Setup) ? "true" : "false"); |
| 668 | 668 | CX("};\n"/*fossil.user*/); |
| 669 | 669 | CX("if(fossil.config.skin.isDark) " |
| 670 | 670 | "document.body.classList.add('fossil-dark-style');\n"); |
| 671 | -#if 0 | |
| 672 | - /* Is it safe to emit the CSRF token here? Some pages add it | |
| 673 | - ** as a hidden form field. */ | |
| 674 | - if(g.zCsrfToken[0]!=0){ | |
| 675 | - CX("window.fossil.csrfToken = %!j;\n", | |
| 676 | - g.zCsrfToken); | |
| 677 | - } | |
| 678 | -#endif | |
| 679 | 671 | /* |
| 680 | 672 | ** fossil.page holds info about the current page. This is also |
| 681 | 673 | ** where the current page "should" store any of its own |
| 682 | 674 | ** page-specific state, and it is reserved for that purpose. |
| 683 | 675 | */ |
| 684 | 676 |
| --- src/builtin.c | |
| +++ src/builtin.c | |
| @@ -666,18 +666,10 @@ | |
| 666 | CX("name: %!j,", (g.zLogin&&*g.zLogin) ? g.zLogin : "guest"); |
| 667 | CX("isAdmin: %s", (g.perm.Admin || g.perm.Setup) ? "true" : "false"); |
| 668 | CX("};\n"/*fossil.user*/); |
| 669 | CX("if(fossil.config.skin.isDark) " |
| 670 | "document.body.classList.add('fossil-dark-style');\n"); |
| 671 | #if 0 |
| 672 | /* Is it safe to emit the CSRF token here? Some pages add it |
| 673 | ** as a hidden form field. */ |
| 674 | if(g.zCsrfToken[0]!=0){ |
| 675 | CX("window.fossil.csrfToken = %!j;\n", |
| 676 | g.zCsrfToken); |
| 677 | } |
| 678 | #endif |
| 679 | /* |
| 680 | ** fossil.page holds info about the current page. This is also |
| 681 | ** where the current page "should" store any of its own |
| 682 | ** page-specific state, and it is reserved for that purpose. |
| 683 | */ |
| 684 |
| --- src/builtin.c | |
| +++ src/builtin.c | |
| @@ -666,18 +666,10 @@ | |
| 666 | CX("name: %!j,", (g.zLogin&&*g.zLogin) ? g.zLogin : "guest"); |
| 667 | CX("isAdmin: %s", (g.perm.Admin || g.perm.Setup) ? "true" : "false"); |
| 668 | CX("};\n"/*fossil.user*/); |
| 669 | CX("if(fossil.config.skin.isDark) " |
| 670 | "document.body.classList.add('fossil-dark-style');\n"); |
| 671 | /* |
| 672 | ** fossil.page holds info about the current page. This is also |
| 673 | ** where the current page "should" store any of its own |
| 674 | ** page-specific state, and it is reserved for that purpose. |
| 675 | */ |
| 676 |
+22
-3
| --- src/login.c | ||
| +++ src/login.c | ||
| @@ -49,10 +49,25 @@ | ||
| 49 | 49 | # define sleep Sleep /* windows does not have sleep, but Sleep */ |
| 50 | 50 | # endif |
| 51 | 51 | #endif |
| 52 | 52 | #include <time.h> |
| 53 | 53 | |
| 54 | +/* | |
| 55 | +** Compute an appropriate Anti-CSRF token into g.zCsrfToken[]. | |
| 56 | +*/ | |
| 57 | +static void login_create_csrf_secret(const char *zSeed){ | |
| 58 | + unsigned char zResult[20]; | |
| 59 | + int i; | |
| 60 | + | |
| 61 | + sha1sum_binary(zSeed, zResult); | |
| 62 | + for(i=0; i<sizeof(g.zCsrfToken)-1; i++){ | |
| 63 | + g.zCsrfToken[i] = "abcdefghijklmnopqrstuvwxyz" | |
| 64 | + "ABCDEFGHIJKLMNOPQRSTUVWXYZ" | |
| 65 | + "0123456789-/"[zResult[i]%64]; | |
| 66 | + } | |
| 67 | + g.zCsrfToken[i] = 0; | |
| 68 | +} | |
| 54 | 69 | |
| 55 | 70 | /* |
| 56 | 71 | ** Return the login-group name. Or return 0 if this repository is |
| 57 | 72 | ** not a member of a login-group. |
| 58 | 73 | */ |
| @@ -1289,10 +1304,11 @@ | ||
| 1289 | 1304 | || (g.fSshClient & CGI_SSH_CLIENT)!=0 ) |
| 1290 | 1305 | && g.useLocalauth |
| 1291 | 1306 | && db_get_int("localauth",0)==0 |
| 1292 | 1307 | && P("HTTPS")==0 |
| 1293 | 1308 | ){ |
| 1309 | + char *zSeed; | |
| 1294 | 1310 | if( g.localOpen ) zLogin = db_lget("default-user",0); |
| 1295 | 1311 | if( zLogin!=0 ){ |
| 1296 | 1312 | uid = db_int(0, "SELECT uid FROM user WHERE login=%Q", zLogin); |
| 1297 | 1313 | }else{ |
| 1298 | 1314 | uid = db_int(0, "SELECT uid FROM user WHERE cap LIKE '%%s%%'"); |
| @@ -1299,11 +1315,14 @@ | ||
| 1299 | 1315 | } |
| 1300 | 1316 | g.zLogin = db_text("?", "SELECT login FROM user WHERE uid=%d", uid); |
| 1301 | 1317 | zCap = "sxy"; |
| 1302 | 1318 | g.noPswd = 1; |
| 1303 | 1319 | g.isHuman = 1; |
| 1304 | - sqlite3_snprintf(sizeof(g.zCsrfToken), g.zCsrfToken, "localhost"); | |
| 1320 | + zSeed = db_text("??", "SELECT uid||quote(login)||quote(pw)||quote(cookie)" | |
| 1321 | + " FROM user WHERE uid=%d", uid); | |
| 1322 | + login_create_csrf_secret(zSeed); | |
| 1323 | + fossil_free(zSeed); | |
| 1305 | 1324 | } |
| 1306 | 1325 | |
| 1307 | 1326 | /* Check the login cookie to see if it matches a known valid user. |
| 1308 | 1327 | */ |
| 1309 | 1328 | if( uid==0 && (zCookie = P(login_cookie_name()))!=0 ){ |
| @@ -1354,11 +1373,11 @@ | ||
| 1354 | 1373 | if( uid==0 && login_transfer_credentials(zUser,zArg,zHash) ){ |
| 1355 | 1374 | uid = login_find_user(zUser, zHash); |
| 1356 | 1375 | if( uid ) record_login_attempt(zUser, zIpAddr, 1); |
| 1357 | 1376 | } |
| 1358 | 1377 | } |
| 1359 | - sqlite3_snprintf(sizeof(g.zCsrfToken), g.zCsrfToken, "%.10s", zHash); | |
| 1378 | + login_create_csrf_secret(zHash); | |
| 1360 | 1379 | } |
| 1361 | 1380 | |
| 1362 | 1381 | /* If no user found and the REMOTE_USER environment variable is set, |
| 1363 | 1382 | ** then accept the value of REMOTE_USER as the user. |
| 1364 | 1383 | */ |
| @@ -1404,11 +1423,11 @@ | ||
| 1404 | 1423 | if( uid==0 ){ |
| 1405 | 1424 | /* If there is no user "nobody", then make one up - with no privileges */ |
| 1406 | 1425 | uid = -1; |
| 1407 | 1426 | zCap = ""; |
| 1408 | 1427 | } |
| 1409 | - sqlite3_snprintf(sizeof(g.zCsrfToken), g.zCsrfToken, "none"); | |
| 1428 | + login_create_csrf_secret("none"); | |
| 1410 | 1429 | } |
| 1411 | 1430 | |
| 1412 | 1431 | login_set_uid(uid, zCap); |
| 1413 | 1432 | } |
| 1414 | 1433 | |
| 1415 | 1434 |
| --- src/login.c | |
| +++ src/login.c | |
| @@ -49,10 +49,25 @@ | |
| 49 | # define sleep Sleep /* windows does not have sleep, but Sleep */ |
| 50 | # endif |
| 51 | #endif |
| 52 | #include <time.h> |
| 53 | |
| 54 | |
| 55 | /* |
| 56 | ** Return the login-group name. Or return 0 if this repository is |
| 57 | ** not a member of a login-group. |
| 58 | */ |
| @@ -1289,10 +1304,11 @@ | |
| 1289 | || (g.fSshClient & CGI_SSH_CLIENT)!=0 ) |
| 1290 | && g.useLocalauth |
| 1291 | && db_get_int("localauth",0)==0 |
| 1292 | && P("HTTPS")==0 |
| 1293 | ){ |
| 1294 | if( g.localOpen ) zLogin = db_lget("default-user",0); |
| 1295 | if( zLogin!=0 ){ |
| 1296 | uid = db_int(0, "SELECT uid FROM user WHERE login=%Q", zLogin); |
| 1297 | }else{ |
| 1298 | uid = db_int(0, "SELECT uid FROM user WHERE cap LIKE '%%s%%'"); |
| @@ -1299,11 +1315,14 @@ | |
| 1299 | } |
| 1300 | g.zLogin = db_text("?", "SELECT login FROM user WHERE uid=%d", uid); |
| 1301 | zCap = "sxy"; |
| 1302 | g.noPswd = 1; |
| 1303 | g.isHuman = 1; |
| 1304 | sqlite3_snprintf(sizeof(g.zCsrfToken), g.zCsrfToken, "localhost"); |
| 1305 | } |
| 1306 | |
| 1307 | /* Check the login cookie to see if it matches a known valid user. |
| 1308 | */ |
| 1309 | if( uid==0 && (zCookie = P(login_cookie_name()))!=0 ){ |
| @@ -1354,11 +1373,11 @@ | |
| 1354 | if( uid==0 && login_transfer_credentials(zUser,zArg,zHash) ){ |
| 1355 | uid = login_find_user(zUser, zHash); |
| 1356 | if( uid ) record_login_attempt(zUser, zIpAddr, 1); |
| 1357 | } |
| 1358 | } |
| 1359 | sqlite3_snprintf(sizeof(g.zCsrfToken), g.zCsrfToken, "%.10s", zHash); |
| 1360 | } |
| 1361 | |
| 1362 | /* If no user found and the REMOTE_USER environment variable is set, |
| 1363 | ** then accept the value of REMOTE_USER as the user. |
| 1364 | */ |
| @@ -1404,11 +1423,11 @@ | |
| 1404 | if( uid==0 ){ |
| 1405 | /* If there is no user "nobody", then make one up - with no privileges */ |
| 1406 | uid = -1; |
| 1407 | zCap = ""; |
| 1408 | } |
| 1409 | sqlite3_snprintf(sizeof(g.zCsrfToken), g.zCsrfToken, "none"); |
| 1410 | } |
| 1411 | |
| 1412 | login_set_uid(uid, zCap); |
| 1413 | } |
| 1414 | |
| 1415 |
| --- src/login.c | |
| +++ src/login.c | |
| @@ -49,10 +49,25 @@ | |
| 49 | # define sleep Sleep /* windows does not have sleep, but Sleep */ |
| 50 | # endif |
| 51 | #endif |
| 52 | #include <time.h> |
| 53 | |
| 54 | /* |
| 55 | ** Compute an appropriate Anti-CSRF token into g.zCsrfToken[]. |
| 56 | */ |
| 57 | static void login_create_csrf_secret(const char *zSeed){ |
| 58 | unsigned char zResult[20]; |
| 59 | int i; |
| 60 | |
| 61 | sha1sum_binary(zSeed, zResult); |
| 62 | for(i=0; i<sizeof(g.zCsrfToken)-1; i++){ |
| 63 | g.zCsrfToken[i] = "abcdefghijklmnopqrstuvwxyz" |
| 64 | "ABCDEFGHIJKLMNOPQRSTUVWXYZ" |
| 65 | "0123456789-/"[zResult[i]%64]; |
| 66 | } |
| 67 | g.zCsrfToken[i] = 0; |
| 68 | } |
| 69 | |
| 70 | /* |
| 71 | ** Return the login-group name. Or return 0 if this repository is |
| 72 | ** not a member of a login-group. |
| 73 | */ |
| @@ -1289,10 +1304,11 @@ | |
| 1304 | || (g.fSshClient & CGI_SSH_CLIENT)!=0 ) |
| 1305 | && g.useLocalauth |
| 1306 | && db_get_int("localauth",0)==0 |
| 1307 | && P("HTTPS")==0 |
| 1308 | ){ |
| 1309 | char *zSeed; |
| 1310 | if( g.localOpen ) zLogin = db_lget("default-user",0); |
| 1311 | if( zLogin!=0 ){ |
| 1312 | uid = db_int(0, "SELECT uid FROM user WHERE login=%Q", zLogin); |
| 1313 | }else{ |
| 1314 | uid = db_int(0, "SELECT uid FROM user WHERE cap LIKE '%%s%%'"); |
| @@ -1299,11 +1315,14 @@ | |
| 1315 | } |
| 1316 | g.zLogin = db_text("?", "SELECT login FROM user WHERE uid=%d", uid); |
| 1317 | zCap = "sxy"; |
| 1318 | g.noPswd = 1; |
| 1319 | g.isHuman = 1; |
| 1320 | zSeed = db_text("??", "SELECT uid||quote(login)||quote(pw)||quote(cookie)" |
| 1321 | " FROM user WHERE uid=%d", uid); |
| 1322 | login_create_csrf_secret(zSeed); |
| 1323 | fossil_free(zSeed); |
| 1324 | } |
| 1325 | |
| 1326 | /* Check the login cookie to see if it matches a known valid user. |
| 1327 | */ |
| 1328 | if( uid==0 && (zCookie = P(login_cookie_name()))!=0 ){ |
| @@ -1354,11 +1373,11 @@ | |
| 1373 | if( uid==0 && login_transfer_credentials(zUser,zArg,zHash) ){ |
| 1374 | uid = login_find_user(zUser, zHash); |
| 1375 | if( uid ) record_login_attempt(zUser, zIpAddr, 1); |
| 1376 | } |
| 1377 | } |
| 1378 | login_create_csrf_secret(zHash); |
| 1379 | } |
| 1380 | |
| 1381 | /* If no user found and the REMOTE_USER environment variable is set, |
| 1382 | ** then accept the value of REMOTE_USER as the user. |
| 1383 | */ |
| @@ -1404,11 +1423,11 @@ | |
| 1423 | if( uid==0 ){ |
| 1424 | /* If there is no user "nobody", then make one up - with no privileges */ |
| 1425 | uid = -1; |
| 1426 | zCap = ""; |
| 1427 | } |
| 1428 | login_create_csrf_secret("none"); |
| 1429 | } |
| 1430 | |
| 1431 | login_set_uid(uid, zCap); |
| 1432 | } |
| 1433 | |
| 1434 |
+1
-1
| --- src/main.c | ||
| +++ src/main.c | ||
| @@ -256,11 +256,11 @@ | ||
| 256 | 256 | /* all Tcl related context necessary for integration */ |
| 257 | 257 | struct TclContext tcl; |
| 258 | 258 | #endif |
| 259 | 259 | |
| 260 | 260 | /* For defense against Cross-site Request Forgery attacks */ |
| 261 | - char zCsrfToken[12]; /* Value of the anti-CSRF token */ | |
| 261 | + char zCsrfToken[16]; /* Value of the anti-CSRF token */ | |
| 262 | 262 | int okCsrf; /* -1: unsafe |
| 263 | 263 | ** 0: unknown |
| 264 | 264 | ** 1: same origin |
| 265 | 265 | ** 2: same origin + is POST |
| 266 | 266 | ** 3: same origin, POST, valid csrf token */ |
| 267 | 267 |
| --- src/main.c | |
| +++ src/main.c | |
| @@ -256,11 +256,11 @@ | |
| 256 | /* all Tcl related context necessary for integration */ |
| 257 | struct TclContext tcl; |
| 258 | #endif |
| 259 | |
| 260 | /* For defense against Cross-site Request Forgery attacks */ |
| 261 | char zCsrfToken[12]; /* Value of the anti-CSRF token */ |
| 262 | int okCsrf; /* -1: unsafe |
| 263 | ** 0: unknown |
| 264 | ** 1: same origin |
| 265 | ** 2: same origin + is POST |
| 266 | ** 3: same origin, POST, valid csrf token */ |
| 267 |
| --- src/main.c | |
| +++ src/main.c | |
| @@ -256,11 +256,11 @@ | |
| 256 | /* all Tcl related context necessary for integration */ |
| 257 | struct TclContext tcl; |
| 258 | #endif |
| 259 | |
| 260 | /* For defense against Cross-site Request Forgery attacks */ |
| 261 | char zCsrfToken[16]; /* Value of the anti-CSRF token */ |
| 262 | int okCsrf; /* -1: unsafe |
| 263 | ** 0: unknown |
| 264 | ** 1: same origin |
| 265 | ** 2: same origin + is POST |
| 266 | ** 3: same origin, POST, valid csrf token */ |
| 267 |
+13
| --- src/sha1.c | ||
| +++ src/sha1.c | ||
| @@ -392,10 +392,23 @@ | ||
| 392 | 392 | blob_resize(pCksum, 40); |
| 393 | 393 | SHA1Final(zResult, &ctx); |
| 394 | 394 | DigestToBase16(zResult, blob_buffer(pCksum)); |
| 395 | 395 | return 0; |
| 396 | 396 | } |
| 397 | + | |
| 398 | +/* | |
| 399 | +** Compute a binary SHA1 checksum of a zero-terminated string. The | |
| 400 | +** result is stored in zOut, which is a buffer that must be at least | |
| 401 | +** 20 bytes in size. | |
| 402 | +*/ | |
| 403 | +void sha1sum_binary(const char *zIn, unsigned char *zOut){ | |
| 404 | + SHA1Context ctx; | |
| 405 | + | |
| 406 | + SHA1Init(&ctx); | |
| 407 | + SHA1Update(&ctx, (unsigned const char*)zIn, strlen(zIn)); | |
| 408 | + SHA1Final(zOut, &ctx); | |
| 409 | +} | |
| 397 | 410 | |
| 398 | 411 | /* |
| 399 | 412 | ** Compute the SHA1 checksum of a zero-terminated string. The |
| 400 | 413 | ** result is held in memory obtained from mprintf(). |
| 401 | 414 | */ |
| 402 | 415 |
| --- src/sha1.c | |
| +++ src/sha1.c | |
| @@ -392,10 +392,23 @@ | |
| 392 | blob_resize(pCksum, 40); |
| 393 | SHA1Final(zResult, &ctx); |
| 394 | DigestToBase16(zResult, blob_buffer(pCksum)); |
| 395 | return 0; |
| 396 | } |
| 397 | |
| 398 | /* |
| 399 | ** Compute the SHA1 checksum of a zero-terminated string. The |
| 400 | ** result is held in memory obtained from mprintf(). |
| 401 | */ |
| 402 |
| --- src/sha1.c | |
| +++ src/sha1.c | |
| @@ -392,10 +392,23 @@ | |
| 392 | blob_resize(pCksum, 40); |
| 393 | SHA1Final(zResult, &ctx); |
| 394 | DigestToBase16(zResult, blob_buffer(pCksum)); |
| 395 | return 0; |
| 396 | } |
| 397 | |
| 398 | /* |
| 399 | ** Compute a binary SHA1 checksum of a zero-terminated string. The |
| 400 | ** result is stored in zOut, which is a buffer that must be at least |
| 401 | ** 20 bytes in size. |
| 402 | */ |
| 403 | void sha1sum_binary(const char *zIn, unsigned char *zOut){ |
| 404 | SHA1Context ctx; |
| 405 | |
| 406 | SHA1Init(&ctx); |
| 407 | SHA1Update(&ctx, (unsigned const char*)zIn, strlen(zIn)); |
| 408 | SHA1Final(zOut, &ctx); |
| 409 | } |
| 410 | |
| 411 | /* |
| 412 | ** Compute the SHA1 checksum of a zero-terminated string. The |
| 413 | ** result is held in memory obtained from mprintf(). |
| 414 | */ |
| 415 |