From 417c9084b4c5a3637ffc2a29d4f3db929285fead Mon Sep 17 00:00:00 2001 From: Matthias Meusburger Date: Fri, 5 Feb 2010 12:00:15 +0100 Subject: [PATCH] Bug 5995 : MT2892: Fix security issue in CAS intranet login Users could log in intranet using their cardnumber, with superlibrarian rights. Signed-off-by: Ian Walls Signed-off-by: Chris Cormack --- C4/Auth.pm | 37 +++++++++++++++++++++---------------- 1 file changed, 21 insertions(+), 16 deletions(-) diff --git a/C4/Auth.pm b/C4/Auth.pm index a31161ef8e..b41644995d 100644 --- a/C4/Auth.pm +++ b/C4/Auth.pm @@ -736,7 +736,9 @@ sub checkauth { $userid = $retuserid; $info{'invalidCasLogin'} = 1 unless ($return); } else { - ( $return, $cardnumber ) = checkpw( $dbh, $userid, $password, $query ); + my $retuserid; + ( $return, $retuserid ) = checkpw( $dbh, $userid, $password, $query ); + $userid = $retuserid if ($retuserid ne ''); } if ($return) { _session_log(sprintf "%20s from %16s logged in at %30s.\n", $userid,$ENV{'REMOTE_ADDR'},(strftime '%c', localtime)); @@ -762,20 +764,21 @@ sub checkauth { "; my $sth = $dbh->prepare("$select where userid=?"); $sth->execute($userid); - unless ($sth->rows) { - $debug and print STDERR "AUTH_1: no rows for userid='$userid'\n"; - $sth = $dbh->prepare("$select where cardnumber=?"); - $sth->execute($cardnumber); - unless ($sth->rows) { - $debug and print STDERR "AUTH_2a: no rows for cardnumber='$cardnumber'\n"; - $sth->execute($userid); - unless ($sth->rows) { - $debug and print STDERR "AUTH_2b: no rows for userid='$userid' AS cardnumber\n"; - } - } - } + unless ($sth->rows) { + $debug and print STDERR "AUTH_1: no rows for userid='$userid'\n"; + $sth = $dbh->prepare("$select where cardnumber=?"); + $sth->execute($cardnumber); + + unless ($sth->rows) { + $debug and print STDERR "AUTH_2a: no rows for cardnumber='$cardnumber'\n"; + $sth->execute($userid); + unless ($sth->rows) { + $debug and print STDERR "AUTH_2b: no rows for userid='$userid' AS cardnumber\n"; + } + } + } if ($sth->rows) { - ($borrowernumber, $firstname, $surname, $userflags, + ($borrowernumber, $firstname, $surname, $userflags, $branchcode, $branchname, $branchprinter, $emailaddress) = $sth->fetchrow; $debug and print STDERR "AUTH_3 results: " . "$cardnumber,$borrowernumber,$userid,$firstname,$surname,$userflags,$branchcode,$emailaddress\n"; @@ -1413,7 +1416,7 @@ sub checkpw { C4::Context->set_userenv( "$borrowernumber", $userid, $cardnumber, $firstname, $surname, $branchcode, $flags ); - return 1, $cardnumber; + return 1, $userid; } } $sth = @@ -1577,7 +1580,7 @@ sub haspermission { my ($userid, $flagsrequired) = @_; my $sth = C4::Context->dbh->prepare("SELECT flags FROM borrowers WHERE userid=?"); $sth->execute($userid); - my $flags = getuserflags( $sth->fetchrow(), $userid ); + my $flags = getuserflags($sth->fetchrow(), $userid); if ( $userid eq C4::Context->config('user') ) { # Super User Account from /etc/koha.conf $flags->{'superlibrarian'} = 1; @@ -1586,7 +1589,9 @@ sub haspermission { # Demo user that can do "anything" (demo=1 in /etc/koha.conf) $flags->{'superlibrarian'} = 1; } + return $flags if $flags->{superlibrarian}; + foreach my $module ( keys %$flagsrequired ) { my $subperm = $flagsrequired->{$module}; if ($subperm eq '*') { -- 2.39.5