From 53bca0e2941992629299cdd14274fea02affa9cf Mon Sep 17 00:00:00 2001 From: Uwe Steinmann Date: Wed, 10 Jan 2024 20:36:53 +0100 Subject: [PATCH 1/6] seed_pass_verify() checks strictly hash amd md5 of password --- inc/inc.Utils.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/inc/inc.Utils.php b/inc/inc.Utils.php index 11460eef5..f71e032dd 100644 --- a/inc/inc.Utils.php +++ b/inc/inc.Utils.php @@ -963,7 +963,7 @@ function seed_pass_hash($password) { /* {{{ */ * @return string hashed password */ function seed_pass_verify($password, $hash) { /* {{{ */ - return $hash == md5($password); + return $hash === md5($password); } /* }}} */ /** From 255fb594161cb42e39f237754deada82f62a3304 Mon Sep 17 00:00:00 2001 From: Uwe Steinmann Date: Wed, 10 Jan 2024 20:37:49 +0100 Subject: [PATCH 2/6] do not allow url parameter 'action' if calling Login controller --- op/op.Login.php | 7 +++++++ webdav/webdav.php | 8 ++++++++ 2 files changed, 15 insertions(+) diff --git a/op/op.Login.php b/op/op.Login.php index 1ea6c36af..40ea3051c 100644 --- a/op/op.Login.php +++ b/op/op.Login.php @@ -82,6 +82,7 @@ else if (isset($_GET["referuri"]) && strlen($_GET["referuri"])>0) { add_log_line(); +$controller->setParam('action', 'run'); // Force action run to be called, prevents overriding action with url parameter $controller->setParam('login', $login); $controller->setParam('pwd', $pwd); $controller->setParam('source', 'web'); @@ -98,6 +99,12 @@ if(!$controller()) { } $user = $controller->getUser(); +if(!$user) { + $session = null; + add_log_line("login failed", PEAR_LOG_ERR); + _printMessage(getMLText('login_error_text'), getMLText('login_error_text')."\n"); + exit; +} if (isset($referuri) && strlen($referuri)>0) { header("Location: " . getBaseUrl() . $referuri); diff --git a/webdav/webdav.php b/webdav/webdav.php index bebdf1796..11ea7566c 100644 --- a/webdav/webdav.php +++ b/webdav/webdav.php 
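Review bot: `return $hash === md5($password);` is still a short-circuiting string comparison, so while the strict operator closes the `==` numeric-juggling hole (two `0e…` digests comparing equal), it leaks timing information about the stored digest; `return hash_equals((string)$hash, md5($password));` is both strict and constant-time. The context line `* @return string hashed password` directly above seed_pass_verify looks copied from seed_pass_hash and should say `@return bool true if the password matches the stored hash`. Independently of the operator, an unsalted md5 is not a suitable password store; if this is a legacy format, verifying and then rehashing with `password_hash()` on a successful login would be a worthwhile follow-up.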
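Review bot: In the new `if(!$user)` block in op.Login.php, `$session = null;` only clears a local variable and does not invalidate any session that may already exist at that point in the script, so either remove the dead assignment or call the real session teardown there. `add_log_line("login failed", PEAR_LOG_ERR);` records neither the attempted login name nor the request source, which is what brute-force detection needs; unless add_log_line appends that context itself, `add_log_line("login failed for user '".$login."'", PEAR_LOG_ERR);` would be more useful (never the password). This branch is only reached when `$controller()` returned truthy a few lines earlier yet no user was set, so a one-line comment stating that it guards against a controller reporting success without a user would help the next reader. The script continues past the end of the hunk.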
@@ -173,6 +173,7 @@ class HTTP_WebDAV_Server_SeedDMS extends HTTP_WebDAV_Server $controller = Controller::factory('Login', array('dms'=>$this->dms)); $controller->setParam('authenticator', $this->authenticator); + $controller->setParam('action', 'run'); $controller->setParam('login', $user); $controller->setParam('pwd', $pass); $controller->setParam('lang', $this->settings->_language); @@ -190,6 +191,13 @@ class HTTP_WebDAV_Server_SeedDMS extends HTTP_WebDAV_Server $this->logger->log('check_auth: type='.$type.', user='.$user.' authenticated', PEAR_LOG_INFO); $this->user = $controller->getUser(); + if(!$this->user) { + if($this->logger) { + $this->logger->log($controller->getErrorMsg(), PEAR_LOG_NOTICE); + $this->logger->log('check_auth: error authenicating user '.$user, PEAR_LOG_NOTICE); + } + return false; + } return true; } /* }}} */ From 8f945181c549f7431813efe2ce91139c945ce3eb Mon Sep 17 00:00:00 2001 From: Uwe Steinmann Date: Wed, 10 Jan 2024 20:38:43 +0100 Subject: [PATCH 3/6] add changes for 5.1.33 --- CHANGELOG | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG b/CHANGELOG index 92aab79b6..d818bbb29 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -21,6 +21,7 @@ - minor improvements in restapi - update layout of tab for attachments - remove session when calling logout of restapi +- fix some potential security issues -------------------------------------------------------------------------------- Changes in version 5.1.32 From d94366c918f0a7f69a782bd140116a77b3b1c543 Mon Sep 17 00:00:00 2001 From: Uwe Steinmann Date: Wed, 10 Jan 2024 21:51:19 +0100 Subject: [PATCH 4/6] update to jquery 3.71 --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index cf8485b8a..d7881fe39 100644 --- a/package.json +++ b/package.json 
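Review bot: The `check_auth: … authenticated` INFO line immediately above the new `if(!$this->user)` guard in webdav.php is emitted before the user is checked, so every failed WebDAV login now writes an "authenticated" entry followed by a NOTICE saying the opposite, which will mislead anyone reading the audit log; move that success log below the guard so it is only written on the `return true;` path. The guard wraps its logging in `if($this->logger)` while the INFO line calls `$this->logger->log(...)` unguarded, so one of the two assumptions about `$this->logger` is wrong. `$user` comes from the HTTP authentication header and is written verbatim in both log lines; if the logger does not strip control characters, consider `addcslashes($user, "\0..\37")` to prevent log-line injection. Minor: `authenicating` in the new message is misspelled. check_auth begins outside the hunk.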
@@ -26,7 +26,7 @@
 "grunt-contrib-clean": "^2.0.0",
 "grunt-contrib-copy": "^1.0.0",
 "jqtree": "^1.5.1",
- "jquery": "^1.12.4",
+ "jquery": "^3.7.1",
 "jquery-typeahead": "^2.11.1",
 "jquery-validation": "^1.19.2",
 "moment": "^2.29.1",
From dd40e979e7503dffec16d58fcd958cac3fe2976e Mon Sep 17 00:00:00 2001
From: Uwe Steinmann
Date: Wed, 10 Jan 2024 22:18:03 +0100
Subject: [PATCH 5/6] update spectrum-colorpicker2

---
 package.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/package.json b/package.json
index d7881fe39..91e93220d 100644
--- a/package.json
+++ b/package.json
@@ -34,7 +34,7 @@
 "perfect-scrollbar": "^1.5.0",
 "popper.js": "^1.16.1",
 "select2": "^4.0.13",
- "spectrum-colorpicker2": "^2.0.8",
+ "spectrum-colorpicker2": "^2.0.10",
 "vis-timeline": "^7.4.7"
 }
 }
From 4b761a95a1ab1b85a16751136dc6f5c2148931ba Mon Sep 17 00:00:00 2001
From: Uwe Steinmann
Date: Thu, 11 Jan 2024 10:09:56 +0100
Subject: [PATCH 6/6] check if method specified in 'action' is public

---
 inc/inc.ClassControllerCommon.php | 8 +++++++-
 inc/inc.ClassViewCommon.php | 8 +++++++-
 2 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/inc/inc.ClassControllerCommon.php b/inc/inc.ClassControllerCommon.php
index 2f7d1afa4..cbf2cdafe 100644
--- a/inc/inc.ClassControllerCommon.php
+++ b/inc/inc.ClassControllerCommon.php
@@ -73,7 +73,13 @@ class SeedDMS_Controller_Common {
 if(!$this->callHook('preRun', get_class($this), $action ? $action : 'run')) {
 if($action) {
 if(method_exists($this, $action)) {
- return $this->{$action}();
+ $refl = new ReflectionMethod($this, $action);
+ if($refl->isPublic())
+ return $this->{$action}();
+ else {
+ echo "Action '".$action."' not public";
+ return false;
+ }
 } else {
 echo "Missing action '".$action."'";
 return false;
diff --git a/inc/inc.ClassViewCommon.php b/inc/inc.ClassViewCommon.php
index b75a7a0a8..b63b2ef2e 100644
--- a/inc/inc.ClassViewCommon.php
+++ b/inc/inc.ClassViewCommon.php
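Review bot: In the new non-public branch of SeedDMS_Controller_Common, `echo "Action '".$action."' not public";` writes the request-supplied action name into the response unescaped, as does the neighbouring context line `echo "Missing action '".$action."'";`, which is a reflected XSS sink whenever `$action` comes from a URL parameter (the Login-controller patch earlier in this series indicates it does); use `echo "Action '".htmlspecialchars($action)."' not public";`, as the view counterpart already does for its missing-action message. The visibility check is a good step but still dispatches any public method `method_exists` finds, including inherited plumbing and magic methods such as `__construct`; a tighter check would be `if($refl->isPublic() && !$refl->isStatic() && strncmp($action, '__', 2) !== 0)`, or requiring `$refl->getDeclaringClass()` to be the concrete controller, or an explicit per-controller allowlist. Reporting the failure by `echo` plus `return false` mixes output with control flow; a logged error or exception would be easier for callers to handle uniformly, though that is a style choice. The enclosing method starts before the hunk and continues past its last context line.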
@@ -69,7 +69,13 @@ class SeedDMS_View_Common {
 if(!$this->callHook('preRun', get_class($this), $action ? $action : 'show')) {
 if($action) {
 if(method_exists($this, $action)) {
- $this->{$action}();
+ $refl = new ReflectionMethod($this, $action);
+ if($refl->isPublic())
+ $this->{$action}();
+ else {
+ echo "Action '".$action."' not public";
+ return false;
+ }
 } else {
 echo "Missing action '".htmlspecialchars($action)."'";
 }
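Review bot: The new `echo "Action '".$action."' not public";` in the SeedDMS_View_Common action dispatch emits the request-controlled action name without escaping, three lines above a sibling branch that does escape it (`echo "Missing action '".htmlspecialchars($action)."'";`), so the fix adds a reflected XSS sink to a class whose output is HTML; change it to `echo "Action '".htmlspecialchars($action)."' not public";`. The non-public branch does `return false;` while the missing-action branch right below falls through without returning, so the two error paths for the same class of failure behave differently; the rest of the method is outside the hunk, but they should probably match. As in the controller counterpart, `isPublic()` alone still exposes every public method of the view and its parents to the `action` parameter; consider additionally rejecting magic methods (`strncmp($action, '__', 2) === 0`) or requiring the method to be declared on the concrete view via `$refl->getDeclaringClass()`. The enclosing method begins outside the hunk.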