Merge pull request #85 from stojg/release/security-spoofing-attack

MINOR Redirect user to homepage if the BackURL have been set to another site
This commit is contained in:
Sam Minnée 2011-10-28 21:32:57 -07:00
commit 95b6490ffa
2 changed files with 77 additions and 42 deletions

View File

@ -30,7 +30,12 @@ class MemberAuthenticator extends Authenticator {
* @see Security::setDefaultAdmin() * @see Security::setDefaultAdmin()
*/ */
public static function authenticate($RAW_data, Form $form = null) { public static function authenticate($RAW_data, Form $form = null) {
if(array_key_exists('Email', $RAW_data) && $RAW_data['Email']){
$SQL_user = Convert::raw2sql($RAW_data['Email']); $SQL_user = Convert::raw2sql($RAW_data['Email']);
} else {
return false;
}
$isLockedOut = false; $isLockedOut = false;
$result = null; $result = null;

View File

@ -123,48 +123,12 @@ JS
*/ */
public function dologin($data) { public function dologin($data) {
if($this->performLogin($data)) { if($this->performLogin($data)) {
Session::clear('SessionForms.MemberLoginForm.Email'); $this->logInUserAndRedirect($data);
Session::clear('SessionForms.MemberLoginForm.Remember');
if(Member::currentUser()->isPasswordExpired()) {
if(isset($_REQUEST['BackURL']) && $backURL = $_REQUEST['BackURL']) {
Session::set('BackURL', $backURL);
}
$cp = new ChangePasswordForm($this->controller, 'ChangePasswordForm');
$cp->sessionMessage('Your password has expired. Please choose a new one.', 'good');
Director::redirect('Security/changepassword');
} elseif(
isset($_REQUEST['BackURL'])
&& $_REQUEST['BackURL']
// absolute redirection URLs may cause spoofing
&& Director::is_site_url($_REQUEST['BackURL'])
) {
Director::redirect($_REQUEST['BackURL']);
} elseif (Security::default_login_dest()) {
Director::redirect(Director::absoluteBaseURL() . Security::default_login_dest());
} else {
$member = Member::currentUser();
if($member) {
$firstname = Convert::raw2xml($member->FirstName);
if(!empty($data['Remember'])) {
Session::set('SessionForms.MemberLoginForm.Remember', '1');
$member->logIn(true);
} else {
$member->logIn();
}
Session::set('Security.Message.message',
sprintf(_t('Member.WELCOMEBACK', "Welcome Back, %s"), $firstname)
);
Session::set("Security.Message.type", "good");
}
Director::redirectBack();
}
} else { } else {
if(array_key_exists('Email', $data)){
Session::set('SessionForms.MemberLoginForm.Email', $data['Email']); Session::set('SessionForms.MemberLoginForm.Email', $data['Email']);
Session::set('SessionForms.MemberLoginForm.Remember', isset($data['Remember'])); Session::set('SessionForms.MemberLoginForm.Remember', isset($data['Remember']));
}
if(isset($_REQUEST['BackURL'])) $backURL = $_REQUEST['BackURL']; if(isset($_REQUEST['BackURL'])) $backURL = $_REQUEST['BackURL'];
else $backURL = null; else $backURL = null;
@ -182,6 +146,72 @@ JS
} }
} }
/**
* Login in the user and figure out where to redirect the browser.
*
* The $data has this format
* array(
* 'AuthenticationMethod' => 'MemberAuthenticator',
* 'Email' => 'sam@silverstripe.com',
* 'Password' => '1nitialPassword',
* 'BackURL' => 'test/link',
* [Optional: 'Remember' => 1 ]
* )
*
* @param array $data
* @return void
*/
protected function logInUserAndRedirect($data) {
Session::clear('SessionForms.MemberLoginForm.Email');
Session::clear('SessionForms.MemberLoginForm.Remember');
if(Member::currentUser()->isPasswordExpired()) {
if(isset($_REQUEST['BackURL']) && $backURL = $_REQUEST['BackURL']) {
Session::set('BackURL', $backURL);
}
$cp = new ChangePasswordForm($this->controller, 'ChangePasswordForm');
$cp->sessionMessage('Your password has expired. Please choose a new one.', 'good');
Director::redirect('Security/changepassword');
return;
}
// Absolute redirection URLs may cause spoofing
if(isset($_REQUEST['BackURL']) && $_REQUEST['BackURL'] && Director::is_site_url($_REQUEST['BackURL']) ) {
Director::redirect($_REQUEST['BackURL']);
return;
}
// Spoofing attack, redirect to homepage instead of spoofing url
if(isset($_REQUEST['BackURL']) && $_REQUEST['BackURL'] && !Director::is_site_url($_REQUEST['BackURL'])) {
Director::redirect(Director::absoluteBaseURL());
return;
}
// If a default login dest has been set, redirect to that.
if (Security::default_login_dest()) {
Director::redirect(Director::absoluteBaseURL() . Security::default_login_dest());
return;
}
// Redirect the user to the page where he came from
$member = Member::currentUser();
if($member) {
$firstname = Convert::raw2xml($member->FirstName);
if(!empty($data['Remember'])) {
Session::set('SessionForms.MemberLoginForm.Remember', '1');
$member->logIn(true);
} else {
$member->logIn();
}
Session::set('Security.Message.message',
sprintf(_t('Member.WELCOMEBACK', "Welcome Back, %s"), $firstname)
);
Session::set("Security.Message.type", "good");
}
Controller::curr()->redirectBack();
}
/** /**
* Log out form handler method * Log out form handler method