[Koha-patches] [PATCH 07/55] MT2892: Fix security issue in intranet login
Henri-Damien LAURENT
henridamien.laurent at biblibre.com
Wed Mar 10 22:25:49 CET 2010
From: Matthias Meusburger <matthias.meusburger at biblibre.com>
Users could log in to the intranet using their cardnumber as the login name and were
granted superlibrarian rights.
---
C4/Auth.pm | 37 +++++++++++++++++++++----------------
1 files changed, 21 insertions(+), 16 deletions(-)
diff --git a/C4/Auth.pm b/C4/Auth.pm
index fe79fe5..b6ed2cc 100755
--- a/C4/Auth.pm
+++ b/C4/Auth.pm
@@ -715,7 +715,9 @@ sub checkauth {
$userid = $retuserid;
$info{'invalidCasLogin'} = 1 unless ($return);
} else {
- ( $return, $cardnumber ) = checkpw( $dbh, $userid, $password, $query );
+ my $retuserid;
+ ( $return, $retuserid ) = checkpw( $dbh, $userid, $password, $query );
+ $userid = $retuserid if ($retuserid ne '');
}
if ($return) {
_session_log(sprintf "%20s from %16s logged in at %30s.\n", $userid,$ENV{'REMOTE_ADDR'},localtime);
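Review bot: The new guard `$userid = $retuserid if ($retuserid ne '');` runs even when checkpw fails, and a failed checkpw presumably returns no second value, so `$retuserid` is undef and the `ne ''` comparison emits an uninitialized-value warning on every bad login. Compare with `$userid = $retuserid if (defined $retuserid && $retuserid ne '');`, or move the assignment under the `if ($return)` on the next line so it only applies to successful authentications. A comment stating the intent would help the next reader, e.g. `# Replace the caller-supplied login with the canonical userid from the borrower row so later userid lookups cannot match a cardnumber.` checkauth begins and ends outside this hunk.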
@@ -741,20 +743,21 @@ sub checkauth {
";
my $sth = $dbh->prepare("$select where userid=?");
$sth->execute($userid);
- unless ($sth->rows) {
- $debug and print STDERR "AUTH_1: no rows for userid='$userid'\n";
- $sth = $dbh->prepare("$select where cardnumber=?");
- $sth->execute($cardnumber);
- unless ($sth->rows) {
- $debug and print STDERR "AUTH_2a: no rows for cardnumber='$cardnumber'\n";
- $sth->execute($userid);
- unless ($sth->rows) {
- $debug and print STDERR "AUTH_2b: no rows for userid='$userid' AS cardnumber\n";
- }
- }
- }
+ unless ($sth->rows) {
+ $debug and print STDERR "AUTH_1: no rows for userid='$userid'\n";
+ $sth = $dbh->prepare("$select where cardnumber=?");
+ $sth->execute($cardnumber);
+
+ unless ($sth->rows) {
+ $debug and print STDERR "AUTH_2a: no rows for cardnumber='$cardnumber'\n";
+ $sth->execute($userid);
+ unless ($sth->rows) {
+ $debug and print STDERR "AUTH_2b: no rows for userid='$userid' AS cardnumber\n";
+ }
+ }
+ }
if ($sth->rows) {
- ($borrowernumber, $firstname, $surname, $userflags,
+ ($borrowernumber, $firstname, $surname, $userflags,
$branchcode, $branchname, $branchprinter, $emailaddress) = $sth->fetchrow;
$debug and print STDERR "AUTH_3 results: " .
"$cardnumber,$borrowernumber,$userid,$firstname,$surname,$userflags,$branchcode,$emailaddress\n";
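Review bot: The fallback chain `$sth->execute($cardnumber)` followed by `$sth->execute($userid)` against `$select where cardnumber=?` is unchanged apart from re-indentation, yet the first hunk removed the only visible assignment to `$cardnumber` on this path, so unless it is set earlier in checkauth the first fallback now binds an undefined value and the second one (AUTH_2b) still resolves a login name as a cardnumber, which is the lookup this commit is meant to retire. Since checkpw now returns the canonical userid, I would drop both cardnumber fallbacks, or at minimum the `$sth->execute($userid)` one, and let a missing userid row fail the login. The debug prints that interpolate `$cardnumber` will also warn once it is undefined. checkauth starts and ends outside this hunk.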
@@ -1378,7 +1381,7 @@ sub checkpw {
C4::Context->set_userenv( "$borrowernumber", $userid, $cardnumber,
$firstname, $surname, $branchcode, $flags );
- return 1, $cardnumber;
+ return 1, $userid;
}
}
$sth =
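Review bot: `return 1, $userid;` is the right fix only if this `$userid` is the value fetched from the borrowers row rather than the login name the caller passed in; the adjacent `set_userenv` call, which also passes the fetched `$cardnumber`, suggests it is the row value, but the fetch itself is outside the hunk, so please confirm. Any other caller of checkpw that unpacked the second return value as a cardnumber now silently receives a userid, and only the checkauth call site is updated in this patch. A one-line comment above the return would document the contract: `# Second return value is the borrower's canonical userid (was cardnumber) so callers always look up by userid.` checkpw begins and ends outside this hunk.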
@@ -1550,7 +1553,7 @@ sub haspermission {
my ($userid, $flagsrequired) = @_;
my $sth = C4::Context->dbh->prepare("SELECT flags FROM borrowers WHERE userid=?");
$sth->execute($userid);
- my $flags = getuserflags( $sth->fetchrow(), $userid );
+ my $flags = getuserflags($sth->fetchrow(), $userid);
if ( $userid eq C4::Context->config('user') ) {
# Super User Account from /etc/koha.conf
$flags->{'superlibrarian'} = 1;
@@ -1559,7 +1562,9 @@ sub haspermission {
# Demo user that can do "anything" (demo=1 in /etc/koha.conf)
$flags->{'superlibrarian'} = 1;
}
+
return $flags if $flags->{superlibrarian};
+
foreach my $module ( keys %$flagsrequired ) {
if (C4::Context->preference('GranularPermissions')) {
my $subperm = $flagsrequired->{$module};
--
1.6.3.3