From 819cd1d667090c5b0cee9fc525dd312fe647c978 Mon Sep 17 00:00:00 2001 From: nate Date: Thu, 20 Mar 2008 19:18:52 +0000 Subject: [PATCH] Re-removing the Auth vulnerability re-introduced in [6593] git-svn-id: https://svn.cakephp.org/repo/branches/1.2.x.x@6595 3807eeeb-6ff5-0310-8944-8be069107fe0 --- cake/libs/controller/components/auth.php | 13 ++----- .../libs/controller/components/auth.test.php | 38 +++++++++++++++++++ 2 files changed, 42 insertions(+), 9 deletions(-) diff --git a/cake/libs/controller/components/auth.php b/cake/libs/controller/components/auth.php index e5af3ad53..e6b639821 100644 --- a/cake/libs/controller/components/auth.php +++ b/cake/libs/controller/components/auth.php @@ -722,10 +722,7 @@ class AuthComponent extends Object { } elseif (is_array($user) && isset($user[$this->userModel])) { $user = $user[$this->userModel]; } - $debug = false; - if ($debug = Configure::read('debug')) { - Configure::write('debug', 0); - } + if (is_array($user) && (isset($user[$this->fields['username']]) || isset($user[$this->userModel . '.' . $this->fields['username']]))) { if (isset($user[$this->fields['username']]) && !empty($user[$this->fields['username']]) && !empty($user[$this->fields['password']])) { @@ -741,8 +738,8 @@ class AuthComponent extends Object { return false; } $find = array( - $this->fields['username'] => $user[$this->userModel . '.' . $this->fields['username']], - $this->fields['password'] => $user[$this->userModel . '.' . $this->fields['password']] + $this->fields['username'] => '= ' . $user[$this->userModel . '.' . $this->fields['username']], + $this->fields['password'] => '= ' . $user[$this->userModel . '.' . $this->fields['password']] ); } else { return false; 
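Review bot: The `'= ' .` prefix in the `$find` array is applied only in this dotted-key (`Model.field`) branch; the sibling branch for plain `username`/`password` keys builds its conditions between the two hunks, so check that it pins the operator the same way. The fix works because the model layer reads a leading comparison operator out of the condition value, and nothing on the new lines says so, which is presumably how [6593] came to drop it. A comment above the array such as `// '= ' forces equality: a submitted value must never supply its own comparison operator` would make the intent explicit. It would also be more robust to reject non-string values before concatenating, e.g. `if (!is_string($user[$this->userModel . '.' . $this->fields['username']])) { return false; }`; whether array-valued input can reach this branch depends on callers outside the hunk.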
@@ -760,9 +757,7 @@ class AuthComponent extends Object { return null; } } - if ($debug) { - Configure::write('debug', $debug); - } + if (isset($data) && !empty($data)) { if (!empty($data[$this->userModel][$this->fields['password']])) { unset($data[$this->userModel][$this->fields['password']]); diff --git a/cake/tests/cases/libs/controller/components/auth.test.php b/cake/tests/cases/libs/controller/components/auth.test.php index b77771795..7c75f300d 100644 --- a/cake/tests/cases/libs/controller/components/auth.test.php +++ b/cake/tests/cases/libs/controller/components/auth.test.php 
@@ -377,6 +377,44 @@ class AuthTest extends CakeTestCase { $this->Controller->Session->del('Auth'); } + function testInjection() { + $this->AuthUser =& new AuthUser(); + Configure::write('debug', 1); + $this->AuthUser->id = 2; + $this->AuthUser->saveField('password', Security::hash(Configure::read('Security.salt') . 'cake')); + + $this->Controller->data['AuthUser']['username'] = 'nate'; + $this->Controller->data['AuthUser']['password'] = 'cake'; + $this->Controller->params['url']['url'] = 'auth_test/login'; + $this->Controller->Auth->initialize($this->Controller); + + $this->Controller->Auth->loginAction = 'auth_test/login'; + $this->Controller->Auth->userModel = 'AuthUser'; + $this->Controller->Auth->startup($this->Controller); + $this->assertTrue(is_array($this->Controller->Auth->user())); + + $this->Controller->Session->del($this->Controller->Auth->sessionKey); + + $this->Controller->data['AuthUser']['username'] = 'nate'; + $this->Controller->data['AuthUser']['password'] = 'cake1'; + $this->Controller->params['url']['url'] = 'auth_test/login'; + $this->Controller->Auth->initialize($this->Controller); + + $this->Controller->Auth->loginAction = 'auth_test/login'; + $this->Controller->Auth->userModel = 'AuthUser'; + $this->Controller->Auth->startup($this->Controller); + $this->assertTrue(is_null($this->Controller->Auth->user())); + + $this->Controller->Session->del($this->Controller->Auth->sessionKey); + + $this->Controller->data['AuthUser']['username'] = '> n'; + $this->Controller->data['AuthUser']['password'] = 'cake'; + $this->Controller->Auth->initialize($this->Controller); + + $this->Controller->Auth->startup($this->Controller); + $this->assertTrue(is_null($this->Controller->Auth->user())); + } + function tearDown() { unset($this->Controller, $this->AuthUser); }
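Review bot: All three cases in `testInjection()` submit credentials nested under `data['AuthUser']`, and the context lines of the auth.php change show that shape being unwrapped to plain keys (`$user = $user[$this->userModel];`), so the dotted-key branch this commit patches does not appear to be exercised. That is inferred from the visible context, because the patched method starts outside the diff. A further case that hands the component dotted keys directly, e.g. `array('AuthUser.username' => '> n', 'AuthUser.password' => $hash)` with `$hash` the stored hash, and asserts that no user comes back would pin the fix against another regression. The test also calls `Configure::write('debug', 1)` and nothing in the visible lines restores the earlier value, so save it at the top and write it back at the end of the test or in `tearDown()`.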