diff --git a/CHANGELOG b/CHANGELOG
index fbee2e85e..fed1199b0 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -294,6 +294,7 @@
 - minor improvements in restapi
 - update layout of tab for attachments
 - remove session when calling logout of restapi
+- fix some potential security issues
 --------------------------------------------------------------------------------
 Changes in version 5.1.32
diff --git a/inc/inc.ClassControllerCommon.php b/inc/inc.ClassControllerCommon.php
index bb74f403d..2421ff061 100644
--- a/inc/inc.ClassControllerCommon.php
+++ b/inc/inc.ClassControllerCommon.php
@@ -73,7 +73,13 @@ class SeedDMS_Controller_Common {
 if(!$this->callHook('preRun', get_class($this), $action ? $action : 'run')) {
 if($action) {
 if(method_exists($this, $action)) {
- return $this->{$action}();
+ $refl = new ReflectionMethod($this, $action);
+ if($refl->isPublic())
+ return $this->{$action}();
+ else {
+ echo "Action '".$action."' not public";
+ return false;
+ }
 } else {
 echo "Missing action '".$action."'";
 return false;
diff --git a/inc/inc.ClassViewCommon.php b/inc/inc.ClassViewCommon.php
index fd7a32151..737ac8c00 100644
--- a/inc/inc.ClassViewCommon.php
+++ b/inc/inc.ClassViewCommon.php
@@ -69,7 +69,13 @@ class SeedDMS_View_Common {
 if(!$this->callHook('preRun', get_class($this), $action ? $action : 'show')) {
 if($action) {
 if(method_exists($this, $action)) {
- $this->{$action}();
+ $refl = new ReflectionMethod($this, $action);
+ if($refl->isPublic())
+ $this->{$action}();
+ else {
+ echo "Action '".$action."' not public";
+ return false;
+ }
 } else {
 echo "Missing action '".htmlspecialchars($action)."'";
 }
diff --git a/inc/inc.Utils.php b/inc/inc.Utils.php
index fe26f863b..263e082b6 100644
--- a/inc/inc.Utils.php
+++ b/inc/inc.Utils.php
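Review bot: The new `else` branch echoes `$action` unescaped in both the inc.ClassControllerCommon.php and inc.ClassViewCommon.php hunks (`echo "Action '".$action."' not public";`), while the neighbouring "Missing action" branch in the View file already wraps it in `htmlspecialchars()`; since `$action` is the request-supplied value this `isPublic()` check exists for, the line should read `echo "Action '".htmlspecialchars($action)."' not public";` in both files (the Controller's own "Missing action" echo has the same gap, though that line is pre-existing). The visibility check also still dispatches any public method the object exposes, including inherited base-class methods such as `setParam` and `__`-prefixed magic methods; narrowing it to `if($refl->isPublic() && !$refl->isStatic() && substr($action, 0, 2) !== '__')`, or better an explicit allowlist of action names, would reduce what a URL can reach. The enclosing method begins before and ends after the hunk in both files.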
@@ -975,7 +975,7 @@ function seed_pass_hash($password) { /* {{{ */
 * @return string hashed password
 */
 function seed_pass_verify($password, $hash) { /* {{{ */
- return $hash == md5($password);
+ return $hash === md5($password);
 } /* }}} */
 function resolveTask($task) { /* {{{ */
diff --git a/op/op.Login.php b/op/op.Login.php
index 1ea6c36af..40ea3051c 100644
--- a/op/op.Login.php
+++ b/op/op.Login.php
@@ -82,6 +82,7 @@ else if (isset($_GET["referuri"]) && strlen($_GET["referuri"])>0) {
 add_log_line();
+$controller->setParam('action', 'run'); // Force action run to be called, prevents overriding action with url parameter
 $controller->setParam('login', $login);
 $controller->setParam('pwd', $pwd);
 $controller->setParam('source', 'web');
@@ -98,6 +99,12 @@ if(!$controller()) {
 }
 $user = $controller->getUser();
+if(!$user) {
+ $session = null;
+ add_log_line("login failed", PEAR_LOG_ERR);
+ _printMessage(getMLText('login_error_text'), getMLText('login_error_text')."\n");
+ exit;
+}
 if (isset($referuri) && strlen($referuri)>0) {
 header("Location: " . getBaseUrl() . $referuri);
diff --git a/package.json b/package.json
index aa7c2d000..5c880bffb 100644
--- a/package.json
+++ b/package.json
@@ -26,7 +26,7 @@
 "grunt-contrib-clean": "^2.0.0",
 "grunt-contrib-copy": "^1.0.0",
 "jqtree": "^1.5.1",
- "jquery": "^1.12.4",
+ "jquery": "^3.7.1",
 "jquery-typeahead": "^2.11.1",
 "jquery-validation": "^1.19.2",
 "moment": "^2.29.1",
@@ -35,7 +35,7 @@
 "perfect-scrollbar": "^1.5.0",
 "popper.js": "^1.16.1",
 "select2": "^4.0.13",
- "spectrum-colorpicker2": "^2.0.8",
+ "spectrum-colorpicker2": "^2.0.10",
 "vis-timeline": "^7.4.7"
 }
 }
diff --git a/webdav/webdav.php b/webdav/webdav.php
index cb551683d..89f119882 100644
--- a/webdav/webdav.php
+++ b/webdav/webdav.php
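Review bot: `return $hash === md5($password);` closes the loose-comparison hole, but the comparison is still an ordinary byte-by-byte string compare rather than a constant-time one; `return hash_equals((string)$hash, md5($password));` keeps the strict semantics and removes the timing side channel. The verifier also still only understands unsalted MD5 digests, as the docblock context above `seed_pass_verify` suggests; a migration to `password_hash()`/`password_verify()` with rehash-on-login would be the durable fix, but that touches stored hashes and is out of scope for this change.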
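Review bot: `$session = null;` in the new `if(!$user)` block only drops the local variable; if `$session` refers to a server-side session created earlier in this script, nothing here invalidates it, so the line should either go or be replaced by the teardown the session object provides (its creation is outside this hunk). The failure log line `add_log_line("login failed", PEAR_LOG_ERR);` also records neither the attempted login nor the client address, which makes the event hard to correlate; `add_log_line("login failed for user '".$login."' from ".$_SERVER['REMOTE_ADDR'], PEAR_LOG_ERR);` would give an analyst something to pivot on (`$login` is already in scope per the earlier hunk). Showing the generic `login_error_text` to the user is right, since it does not reveal whether the user exists.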
@@ -173,6 +173,7 @@ class HTTP_WebDAV_Server_SeedDMS extends HTTP_WebDAV_Server
 $controller = Controller::factory('Login', array('dms'=>$this->dms));
 $controller->setParam('authenticator', $this->authenticator);
+ $controller->setParam('action', 'run');
 $controller->setParam('login', $user);
 $controller->setParam('pwd', $pass);
 $controller->setParam('lang', $this->settings->_language);
@@ -190,6 +191,13 @@ class HTTP_WebDAV_Server_SeedDMS extends HTTP_WebDAV_Server
 $this->logger->log('check_auth: type='.$type.', user='.$user.' authenticated', PEAR_LOG_INFO);
 $this->user = $controller->getUser();
+ if(!$this->user) {
+ if($this->logger) {
+ $this->logger->log($controller->getErrorMsg(), PEAR_LOG_NOTICE);
+ $this->logger->log('check_auth: error authenicating user '.$user, PEAR_LOG_NOTICE);
+ }
+ return false;
+ }
 return true;
 } /* }}} */
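Review bot: The `check_auth: ... authenticated` INFO line just above the new check is still emitted before `$controller->getUser()` is inspected, so a failed login now logs "authenticated" followed by the new NOTICE lines, which will mislead anyone alerting on that string; move that log call below the `if(!$this->user)` block so it is only written on the success path. That earlier call also dereferences `$this->logger` without the `if($this->logger)` guard the new block uses, so with no logger configured the method would fail before reaching the new code — presumably pre-existing, but worth aligning while here. The new message has a typo: `'check_auth: error authenicating user '` should read `'check_auth: error authenticating user '`.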