Commit Graph

46 Commits (056349a7f0cf3dd470cdd9633b7fe955fb03268f)

Author SHA1 Message Date
Simon McVittie d157a97452 CGI, attachment, passwordauth: harden against repeated parameters
These instances of code similar to OVE-20170111-0001 are not believed
to be exploitable, because defined(), length(), setpassword(),
userinfo_set() and the binary "." operator all have prototypes that
force the relevant argument to be evaluated in scalar context. However,
using a safer idiom makes mistakes less likely.

(cherry picked from commit 69230a2220f673c66b5ab875bfc759b32a241c0d)
2017-01-11 18:11:07 +00:00
Simon McVittie b642cbef80 passwordauth: avoid userinfo forgery via repeated email parameter
OVE-20170111-0001

(cherry picked from commit bffb71d6a7d28f6dd5f0be241f214e79eea7bb91)
2017-01-11 18:11:07 +00:00
Simon McVittie f357856448 passwordauth: prevent authentication bypass via multiple name parameters
Calling CGI::FormBuilder::field with a name argument in list context
returns zero or more user-specified values of the named field, even
if that field was not declared as supporting multiple values.
Passing the result of field as a function parameter counts as list
context. This is the same bad behaviour that is now discouraged
for CGI::param.

In this case we pass the multiple values to CGI::Session::param.
That accessor has six possible calling conventions, of which four are
documented. If an attacker passes (2*n + 1) values for the 'name'
field, for example name=a&name=b&name=c, we end up in one of the
undocumented calling conventions for param:

    # equivalent to: (name => 'a', b => 'c')
    $session->param('name', 'a', 'b', 'c')

and the 'b' session parameter is unexpectedly set to an
attacker-specified value.

In particular, if an attacker "bob" specifies
name=bob&name=name&name=alice, then authentication is carried out
for "bob" but the CGI::Session ends up containing {name => 'alice'},
an authentication bypass vulnerability.

This vulnerability is tracked as OVE-20170111-0001.

(cherry picked from commit e909eb93f4530a175d622360a8433e833ecf0254)
2017-01-11 18:11:06 +00:00
Simon McVittie 9e7f0a6c59 Use rel=nofollow microformat for dynamic (CGI-related) URLs
Some of these might be relatively expensive to dereference or result
in messages being logged, and there's no reason why a search engine
should need to index them. (In particular, we'd probably prefer search
engines to index the rendered page, not its source code.)
2017-01-09 13:07:24 +00:00
Simon McVittie c1120bbbe8 Force CGI::FormBuilder->field to scalar context where necessary
CGI::FormBuilder->field has behaviour similar to the CGI.pm misfeature
we avoided in f4ec7b0. Force it into scalar context where it is used
in an argument list.

This prevents two (relatively minor) commit metadata forgery
vulnerabilities:

* In the comments plugin, an attacker who was able to post a comment
  could give it a user-specified author and author-URL even if the wiki
  configuration did not allow for that, by crafting multiple values
  to other fields.
* In the editpage plugin, an attacker who was able to edit a page
  could potentially forge commit authorship by crafting multiple values
  for the rcsinfo field.

The remaining plugins changed in this commit appear to have been
protected by use of explicit scalar prototypes for the called functions,
but have been changed anyway to make them more obviously correct.
In particular, checkpassword() in passwordauth has a known prototype,
so an attacker cannot trick it into treating multiple values of the
name field as being the username, password and field to check for.

OVE-20161226-0001
2016-12-28 21:32:12 +00:00
Joey Hess 85a529db3d passwordauth: Don't allow registering accounts that look like openids.
Also prohibit @ in account names, in case the file regexp was relaxed to
allow it.
2015-05-14 10:57:56 -04:00
Joey Hess 497513e737 avoid showing password prefs for emailauth user 2015-05-13 23:24:07 -04:00
Joey Hess c885ec66e0 allow users to subscribe to comments w/o registering
Technically, when the user does this, a passwordless account is created
for them. The notify mails include a login url, and once logged in that
way, the user can enter a password to get a regular account (although
one with an annoying username).

This all requires the passwordauth plugin is enabled. A future enhancement
could be to split the passwordless user concept out into a separate plugin.
2012-04-02 13:45:39 -04:00
Joey Hess c16b1e638e support do=tokenauth login for passwordless accounts 2012-04-02 12:29:13 -04:00
Joey Hess f9e96b0c32 passwordauth: Fix url in password recovery email to be absolute.
This got broken when cgiurl began often returning a relative url.
Added a cgiurl_abs for the things that need a guaranteed absolute cgiurl.
2012-04-02 12:24:14 -04:00
Joey Hess 1d1ef20034 add support for a passwordless login token
The plan is to use this for accounts that are created implicitly, as when
a non-logged-in user subscribes to notifyemail. Such an account has no
password, and login can be accomplished by way of a url that is sent to
them in email.

When the user sets a password, the passwordless login token is disabled.
2012-04-02 12:17:07 -04:00
Joey Hess c0e5a0f1aa fix another undef/"" confusion 2012-03-28 16:47:37 -04:00
Joey Hess 4292802ee5 stop using REMOTE_ADDR
Everywhere that REMOTE_ADDR was used, a session object is available, so
instead use its remote_addr method.

In IkiWiki::Receive, stop setting a dummy REMOTE_ADDR.

Note that it's possible for a session cookie to be obtained using one IP
address, and then used from another IP. In this case, the first IP will now
be used. I think that should be ok.
2010-06-23 16:35:51 -04:00
Joey Hess 93cf1db7b9 fix uninitialized value warning
$cgi->params('do') may not be defined. The CSRF code may delete all
cgi params. This uninitialized value was introduced when do=register
support was added recently.
2010-04-20 17:21:50 -04:00
Joey Hess a63929f6cc Group related plugins into sections in the setup file, and drop unused rcs plugins from the setup file. 2010-02-11 22:24:15 -05:00
Joey Hess 8380a9d000 factor out a userpage function
Not yet exported, as only 4 quite core plugins use it.
2010-02-04 18:24:15 -05:00
Joey Hess a2e78ebcf2 Add link to userpage (or creation link) to top of preferences page. 2010-02-04 15:30:41 -05:00
Joey Hess 68f7be91e5 typo 2010-02-04 15:10:55 -05:00
Joey Hess b547170a96 Improve display of openid in preferences page.
Now that openiduser is in IkiWiki core, it's ok to have passwordauth check
for it, and avoid displaying useless password fields when showing
preferences for an openid.

Also improved the styling of the display of the openid in the preferences
page.
2010-02-04 15:07:10 -05:00
Joey Hess 345b40c652 Allow jumping directly into account registration process by going to ikiwiki.cgi?do=register 2010-02-04 14:51:56 -05:00
Joey Hess 48a5f9f2d8 Disable the Preferences link if no plugin with an auth hook is enabled. 2009-06-09 15:39:00 -04:00
Joey Hess 678d467a40 finalise version 3.00 of the plugin api 2008-12-23 16:34:19 -05:00
Joey Hess bb93fccf06 Coding style change: Remove explicit vim folding markers. 2008-12-17 15:22:16 -05:00
Joey Hess 39195de96e add plugin safe/rebuild info (part 2 of 3)
(brain.. melting..)
2008-08-03 17:20:21 -04:00
Joey Hess 42ac4ec009 remove default values in getsetup
They were a bit confusing, since they did not actually set the default, and
example values are sufficient.
2008-07-26 21:07:15 -04:00
Joey Hess cd029da493 typo 2008-07-26 14:56:10 -04:00
Joey Hess 26db34e1d6 adminemail may be undefined 2008-07-26 14:54:50 -04:00
Joey Hess c2507d33cb allow account_creation_password to not be defined 2008-07-26 14:02:36 -04:00
Joey Hess 1f8b0460c3 added getsetup hooks for all plugins up to recentchanges 2008-07-25 18:05:55 -04:00
Joey Hess e943812dc9 hashed password support, and empty password security fix
This implements the previously documented hashed password support.

While implementing that, I noticed a security hole, which this commit
also fixes.
2008-05-30 17:35:34 -04:00
Joey Hess 4745391360 * Change formbuilder hook to not be responsible for displaying a form,
so that more than one plugin can use this hook.
  I believe this is a safe change, since only passwordauth uses this hook.
  (If some other plugin already used it, it would have broken passwordauth!)
2007-12-12 03:15:30 -05:00
joey 739325834b * Fix some bugs in password handling:
  - If the password is empty in preferences, don't clear the existing
    password.
  - Actually check the confirm password field, even if it's left empty.
2007-05-17 08:06:05 +00:00
joshtriplett b8d7ae91d0 * Add an account-creation password as a simple anti-spam mechanism. If
set in the wiki setup, passwordauth will require the password in
  order to create an account.
2007-05-09 02:05:32 +00:00
joey 9026ae05c2 * Fix a bug that prevented clearing email or subscriptions. 2007-04-30 21:32:24 +00:00
joey f46c35f46f correct size of name field in initial login form (same size as password) 2007-04-30 21:10:14 +00:00
joshtriplett fafaa119cf Revert passwordauth fieldset and doc to avoid 2.0 regressions; need to re-evaluate after 2.0. 2007-04-30 04:08:06 +00:00
joshtriplett 40365e1aee * Group passwordauth fields with a fieldset as well. Add a new
passwordauth page to the basewiki describing password
  authentication; like openid, it uses conditional to check which
  forms of authentication the wiki allows.  Add conditional cross-
  links between the openid and passwordauth pages, to help the user
  understand how they can log in.
2007-04-30 02:26:50 +00:00
joey 64f798786e I don't think this comment adds much 2007-04-29 22:18:02 +00:00
joey 93c6d2c340 * Use fieldsets in the preferences form to group related options together.
Especially cleans up the ordering of the admin's preferences form.
2007-04-29 21:57:25 +00:00
joey ee1ad53c4c * pagespec_match() has changed to take named parameters, to better allow
for extended pagespecs. The old calling convention will still work for
  back-compat for now.
* The calling convention for functions in the IkiWiki::PageSpec namespace
  has changed so they are passed named parameters.
* Plugin interface version increased to 2.00 since I don't anticipate any
  more interface changes before 2.0.
2007-04-27 02:55:52 +00:00
joey d4c61b7281 * Many changes to make ikiwiki very resistant to write failures
including out of disk space situations. ikiwiki should never leave
  truncated files, and if the error occurs during a web-based file edit,
  the user will be given an opportunity to retry.
  Inspired by the many ways Moin Moin destroys itself when out of disk. :-)
* Fix syslogging of errors.
2007-02-15 02:22:08 +00:00
joey 762ecf9461 missing IkiWiki:: 2007-02-03 02:07:03 +00:00
joey 5f162cfd34 * Add canedit hook, allowing arbitrary controls over when a page can be
edited.
* Move code forcing signing before edit to a new "signinedit" plugin, and
  code checking for locked pages into a new "lockedit" plugin. Both are
  enabled by default.
* Remove the anonok config setting. This is now implemented by a new
  "anonok" plugin. Anyone with a wiki allowing anonymous edits should
  change their configs to enable this new plugin.
* Add an opendiscussion plugin that allows anonymous users to edit
  discussion pages, on a wiki that otherwise wouldn't allow it.
* Lots of CGI code reorg and cleanup.
2007-02-02 02:33:03 +00:00
joey 912521ef07 * Initial work on internationalization of the program code. po/ikiwiki.pot
is available for translation.
* Export gettext() from IkiWiki module.
2006-12-29 04:38:40 +00:00
joey 4a40b5f9d5 bugfixen 2006-11-22 04:26:44 +00:00
joey c24be1b752 add 2006-11-20 20:55:37 +00:00