Bug 5995 : MT2892: Fix security issue in CAS intranet login
Users could log in intranet using their cardnumber, with superlibrarian rights. Signed-off-by: Ian Walls <ian.walls@bywatersolutions.com> Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
This commit is contained in:
Matthias Meusburger
Chris Cormack
parent
10ea4544ea
commit
417c9084b4
1 changed files with 21 additions and 16 deletions
37
C4/Auth.pm
37
C4/Auth.pm
|
|
@ -736,7 +736,9 @@ sub checkauth {
|
|||
$userid = $retuserid;
|
||||
$info{'invalidCasLogin'} = 1 unless ($return);
|
||||
} else {
|
||||
( $return, $cardnumber ) = checkpw( $dbh, $userid, $password, $query );
|
||||
my $retuserid;
|
||||
( $return, $retuserid ) = checkpw( $dbh, $userid, $password, $query );
|
||||
$userid = $retuserid if ($retuserid ne '');
|
||||
}
|
||||
if ($return) {
|
||||
_session_log(sprintf "%20s from %16s logged in at %30s.\n", $userid,$ENV{'REMOTE_ADDR'},(strftime '%c', localtime));
|
||||
|
|
@ -762,20 +764,21 @@ sub checkauth {
|
|||
";
|
||||
my $sth = $dbh->prepare("$select where userid=?");
|
||||
$sth->execute($userid);
|
||||
unless ($sth->rows) {
|
||||
$debug and print STDERR "AUTH_1: no rows for userid='$userid'\n";
|
||||
$sth = $dbh->prepare("$select where cardnumber=?");
|
||||
$sth->execute($cardnumber);
|
||||
unless ($sth->rows) {
|
||||
$debug and print STDERR "AUTH_2a: no rows for cardnumber='$cardnumber'\n";
|
||||
$sth->execute($userid);
|
||||
unless ($sth->rows) {
|
||||
$debug and print STDERR "AUTH_2b: no rows for userid='$userid' AS cardnumber\n";
|
||||
}
|
||||
}
|
||||
}
|
||||
unless ($sth->rows) {
|
||||
$debug and print STDERR "AUTH_1: no rows for userid='$userid'\n";
|
||||
$sth = $dbh->prepare("$select where cardnumber=?");
|
||||
$sth->execute($cardnumber);
|
||||
|
||||
unless ($sth->rows) {
|
||||
$debug and print STDERR "AUTH_2a: no rows for cardnumber='$cardnumber'\n";
|
||||
$sth->execute($userid);
|
||||
unless ($sth->rows) {
|
||||
$debug and print STDERR "AUTH_2b: no rows for userid='$userid' AS cardnumber\n";
|
||||
}
|
||||
}
|
||||
}
|
||||
if ($sth->rows) {
|
||||
($borrowernumber, $firstname, $surname, $userflags,
|
||||
($borrowernumber, $firstname, $surname, $userflags,
|
||||
$branchcode, $branchname, $branchprinter, $emailaddress) = $sth->fetchrow;
|
||||
$debug and print STDERR "AUTH_3 results: " .
|
||||
"$cardnumber,$borrowernumber,$userid,$firstname,$surname,$userflags,$branchcode,$emailaddress\n";
|
||||
|
|
@ -1413,7 +1416,7 @@ sub checkpw {
|
|||
|
||||
C4::Context->set_userenv( "$borrowernumber", $userid, $cardnumber,
|
||||
$firstname, $surname, $branchcode, $flags );
|
||||
return 1, $cardnumber;
|
||||
return 1, $userid;
|
||||
}
|
||||
}
|
||||
$sth =
|
||||
|
|
@ -1577,7 +1580,7 @@ sub haspermission {
|
|||
my ($userid, $flagsrequired) = @_;
|
||||
my $sth = C4::Context->dbh->prepare("SELECT flags FROM borrowers WHERE userid=?");
|
||||
$sth->execute($userid);
|
||||
my $flags = getuserflags( $sth->fetchrow(), $userid );
|
||||
my $flags = getuserflags($sth->fetchrow(), $userid);
|
||||
if ( $userid eq C4::Context->config('user') ) {
|
||||
# Super User Account from /etc/koha.conf
|
||||
$flags->{'superlibrarian'} = 1;
|
||||
|
|
@ -1586,7 +1589,9 @@ sub haspermission {
|
|||
# Demo user that can do "anything" (demo=1 in /etc/koha.conf)
|
||||
$flags->{'superlibrarian'} = 1;
|
||||
}
|
||||
|
||||
return $flags if $flags->{superlibrarian};
|
||||
|
||||
foreach my $module ( keys %$flagsrequired ) {
|
||||
my $subperm = $flagsrequired->{$module};
|
||||
if ($subperm eq '*') {
|
||||
|
|
|
|||
Loading…
Reference in a new issue