[open-ils-commits] [GIT] Evergreen ILS branch master updated. 5f3743508d44a679ba71ec9aea88e04f3af61b19
Evergreen Git
git at git.evergreen-ils.org
Wed Jun 13 11:31:15 EDT 2012
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "Evergreen ILS".
The branch, master has been updated
via 5f3743508d44a679ba71ec9aea88e04f3af61b19 (commit)
via 300dc300beb72524f79cbf6216933588c7d87c87 (commit)
via e524c68ffba4cc7fb342b280409c810cec4b259f (commit)
from 664516c733997dfa1954a7ce6cb80a4a153cb07c (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 5f3743508d44a679ba71ec9aea88e04f3af61b19
Author: Lebbeous Fogle-Weekley <lebbeous at esilibrary.com>
Date: Tue Jun 12 17:26:39 2012 -0400
Security fix: For auth, give same stacktrace for all cases of LOGIN_FAILED
Signed-off-by: Lebbeous Fogle-Weekley <lebbeous at esilibrary.com>
Signed-off-by: Bill Erickson <berick at esilibrary.com>
diff --git a/Open-ILS/src/c-apps/oils_auth.c b/Open-ILS/src/c-apps/oils_auth.c
index f19015c..2c7086a 100644
--- a/Open-ILS/src/c-apps/oils_auth.c
+++ b/Open-ILS/src/c-apps/oils_auth.c
@@ -589,6 +589,12 @@ int oilsAuthComplete( osrfMethodContext* ctx ) {
const char* ws = (workstation) ? workstation : "";
+ /* Use __FILE__, harmless_line_number for creating
+ * OILS_EVENT_AUTH_FAILED events (instead of OSRF_LOG_MARK) to avoid
+ * giving away information about why an authentication attempt failed.
+ */
+ int harmless_line_number = __LINE__;
+
if( !type )
type = OILS_AUTH_STAFF;
@@ -656,7 +662,7 @@ int oilsAuthComplete( osrfMethodContext* ctx ) {
}
if(!userObj || barred || deleted) {
- response = oilsNewEvent( OSRF_LOG_MARK, OILS_EVENT_AUTH_FAILED );
+ response = oilsNewEvent( __FILE__, harmless_line_number, OILS_EVENT_AUTH_FAILED );
osrfLogInfo(OSRF_LOG_MARK, "failed login: username=%s, barcode=%s, workstation=%s",
uname, (barcode ? barcode : "(none)"), ws );
osrfAppRespondComplete( ctx, oilsEventToJSON(response) );
@@ -683,7 +689,7 @@ int oilsAuthComplete( osrfMethodContext* ctx ) {
if( passOK )
response = oilsNewEvent( OSRF_LOG_MARK, "PATRON_INACTIVE" );
else
- response = oilsNewEvent( OSRF_LOG_MARK, OILS_EVENT_AUTH_FAILED );
+ response = oilsNewEvent( __FILE__, harmless_line_number, OILS_EVENT_AUTH_FAILED );
osrfAppRespondComplete( ctx, oilsEventToJSON(response) );
oilsEventFree(response);
@@ -753,7 +759,7 @@ int oilsAuthComplete( osrfMethodContext* ctx ) {
);
} else {
- response = oilsNewEvent( OSRF_LOG_MARK, OILS_EVENT_AUTH_FAILED );
+ response = oilsNewEvent( __FILE__, harmless_line_number, OILS_EVENT_AUTH_FAILED );
osrfLogInfo(OSRF_LOG_MARK, "failed login: username=%s, barcode=%s, workstation=%s",
uname, (barcode ? barcode : "(none)"), ws );
}
commit 300dc300beb72524f79cbf6216933588c7d87c87
Author: Lebbeous Fogle-Weekley <lebbeous at esilibrary.com>
Date: Mon Jun 11 14:16:34 2012 -0400
Security fix: Prevent login by deleted and barred users
An existing comment in the code suggested that we thought we were already
keeping barred users out. LP #1010671 brings up that deleted users were
not being kept out.
Signed-off-by: Lebbeous Fogle-Weekley <lebbeous at esilibrary.com>
Signed-off-by: Mike Rylander <mrylander at gmail.com>
diff --git a/Open-ILS/src/c-apps/oils_auth.c b/Open-ILS/src/c-apps/oils_auth.c
index 121e5dc..f19015c 100644
--- a/Open-ILS/src/c-apps/oils_auth.c
+++ b/Open-ILS/src/c-apps/oils_auth.c
@@ -642,7 +642,20 @@ int oilsAuthComplete( osrfMethodContext* ctx ) {
}
}
- if(!userObj) {
+ int barred = 0, deleted = 0;
+ char *barred_str, *deleted_str;
+
+ if(userObj) {
+ barred_str = oilsFMGetString( userObj, "barred" );
+ barred = oilsUtilsIsDBTrue( barred_str );
+ free( barred_str );
+
+ deleted_str = oilsFMGetString( userObj, "deleted" );
+ deleted = oilsUtilsIsDBTrue( deleted_str );
+ free( deleted_str );
+ }
+
+ if(!userObj || barred || deleted) {
response = oilsNewEvent( OSRF_LOG_MARK, OILS_EVENT_AUTH_FAILED );
osrfLogInfo(OSRF_LOG_MARK, "failed login: username=%s, barcode=%s, workstation=%s",
uname, (barcode ? barcode : "(none)"), ws );
@@ -651,7 +664,8 @@ int oilsAuthComplete( osrfMethodContext* ctx ) {
return 0; // No such user
}
- // Such a user exists. Now see if he or she has the right credentials.
+ // Such a user exists and isn't barred or deleted.
+ // Now see if he or she has the right credentials.
int passOK = -1;
if(uname)
passOK = oilsAuthVerifyPassword( ctx, userObj, uname, password );
commit e524c68ffba4cc7fb342b280409c810cec4b259f
Author: Jason Stephenson <jstephenson at mvlc.org>
Date: Mon Jun 11 16:12:54 2012 -0400
Security fix for Launchpad Bug 1003052.
Bug reported by James Fournie:
Revoking the UPDATE_MARC permission doesn't actually seem to prevent a
user from editing a record. Our use case is that we would like a user
to create new records but not edit existing MARC records.
Changing CREATE_MARC to UPDATE_MARC in OpenILS::Application::Cat's
biblio_record_replace_marc() method seems to fix the problem.
Signed-off-by: Jason Stephenson <jstephenson at mvlc.org>
Signed-off-by: Lebbeous Fogle-Weekley <lebbeous at esilibrary.com>
diff --git a/Open-ILS/src/perlmods/lib/OpenILS/Application/Cat.pm b/Open-ILS/src/perlmods/lib/OpenILS/Application/Cat.pm
index a442aff..b9b79be 100644
--- a/Open-ILS/src/perlmods/lib/OpenILS/Application/Cat.pm
+++ b/Open-ILS/src/perlmods/lib/OpenILS/Application/Cat.pm
@@ -159,7 +159,7 @@ sub biblio_record_replace_marc {
my( $self, $conn, $auth, $recid, $newxml, $source, $oargs ) = @_;
my $e = new_editor(authtoken=>$auth, xact=>1);
return $e->die_event unless $e->checkauth;
- return $e->die_event unless $e->allowed('CREATE_MARC', $e->requestor->ws_ou);
+ return $e->die_event unless $e->allowed('UPDATE_MARC', $e->requestor->ws_ou);
my $fix_tcn = $self->api_name =~ /replace/o;
if($self->api_name =~ /override/o) {
-----------------------------------------------------------------------
Summary of changes:
Open-ILS/src/c-apps/oils_auth.c | 30 ++++++++++++++++---
.../src/perlmods/lib/OpenILS/Application/Cat.pm | 2 +-
2 files changed, 26 insertions(+), 6 deletions(-)
hooks/post-receive
--
Evergreen ILS
More information about the open-ils-commits
mailing list