[open-ils-commits] [GIT] Evergreen ILS branch rel_2_2 updated. 2b8b05e91cc60c0905fc70e81cc5f0439e136c25
Evergreen Git
git at git.evergreen-ils.org
Wed Jun 13 11:32:34 EDT 2012
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "Evergreen ILS".
The branch, rel_2_2 has been updated
via 2b8b05e91cc60c0905fc70e81cc5f0439e136c25 (commit)
via a240047ce1181d080dbaeb781da5b07cf4ed7033 (commit)
via a01a0dd51c932da0c5236002610d905035edb570 (commit)
from ee3ed2229e9bcc920e4aba8b7eabe3d3c72a0ee6 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 2b8b05e91cc60c0905fc70e81cc5f0439e136c25
Author: Lebbeous Fogle-Weekley <lebbeous at esilibrary.com>
Date: Tue Jun 12 17:26:39 2012 -0400
Security fix: For auth, give same stacktrace for all cases of LOGIN_FAILED
Signed-off-by: Lebbeous Fogle-Weekley <lebbeous at esilibrary.com>
Signed-off-by: Bill Erickson <berick at esilibrary.com>
diff --git a/Open-ILS/src/c-apps/oils_auth.c b/Open-ILS/src/c-apps/oils_auth.c
index f19015c..2c7086a 100644
--- a/Open-ILS/src/c-apps/oils_auth.c
+++ b/Open-ILS/src/c-apps/oils_auth.c
@@ -589,6 +589,12 @@ int oilsAuthComplete( osrfMethodContext* ctx ) {
const char* ws = (workstation) ? workstation : "";
+ /* Use __FILE__, harmless_line_number for creating
+ * OILS_EVENT_AUTH_FAILED events (instead of OSRF_LOG_MARK) to avoid
+ * giving away information about why an authentication attempt failed.
+ */
+ int harmless_line_number = __LINE__;
+
if( !type )
type = OILS_AUTH_STAFF;
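Review bot: the comment should say why a single captured line is enough: OSRF_LOG_MARK embeds the call site's own file and line into the returned event, so each failure branch was emitting a distinguishable location to the client; snapshotting `__LINE__` once here gives every OILS_EVENT_AUTH_FAILED event the same marker regardless of which branch produced it. Worth also stating in the comment that the server-side osrfLogInfo calls keep OSRF_LOG_MARK deliberately, since those lines stay in local logs and are useful for tracing.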
@@ -656,7 +662,7 @@ int oilsAuthComplete( osrfMethodContext* ctx ) {
}
if(!userObj || barred || deleted) {
- response = oilsNewEvent( OSRF_LOG_MARK, OILS_EVENT_AUTH_FAILED );
+ response = oilsNewEvent( __FILE__, harmless_line_number, OILS_EVENT_AUTH_FAILED );
osrfLogInfo(OSRF_LOG_MARK, "failed login: username=%s, barcode=%s, workstation=%s",
uname, (barcode ? barcode : "(none)"), ws );
osrfAppRespondComplete( ctx, oilsEventToJSON(response) );
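Review bot: the client-visible event is now uniform for "no such user", "barred" and "deleted", but the log line directly below it still reads only "failed login" for all three; consider adding the reason (not found / barred / deleted) to this osrfLogInfo call so operators can tell a credential-stuffing run against valid accounts from lookups of non-existent ones without that detail ever reaching the caller.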
@@ -683,7 +689,7 @@ int oilsAuthComplete( osrfMethodContext* ctx ) {
if( passOK )
response = oilsNewEvent( OSRF_LOG_MARK, "PATRON_INACTIVE" );
else
- response = oilsNewEvent( OSRF_LOG_MARK, OILS_EVENT_AUTH_FAILED );
+ response = oilsNewEvent( __FILE__, harmless_line_number, OILS_EVENT_AUTH_FAILED );
osrfAppRespondComplete( ctx, oilsEventToJSON(response) );
oilsEventFree(response);
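Review bot: this branch still returns a distinct "PATRON_INACTIVE" event when `passOK` is true, so a caller can learn that a username/password pair was correct for an inactive account while every other failure collapses to AUTH_FAILED; if that distinction is required by the client UI, a one-line comment saying so would stop a later reader from treating it as an oversight of this change.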
@@ -753,7 +759,7 @@ int oilsAuthComplete( osrfMethodContext* ctx ) {
);
} else {
- response = oilsNewEvent( OSRF_LOG_MARK, OILS_EVENT_AUTH_FAILED );
+ response = oilsNewEvent( __FILE__, harmless_line_number, OILS_EVENT_AUTH_FAILED );
osrfLogInfo(OSRF_LOG_MARK, "failed login: username=%s, barcode=%s, workstation=%s",
uname, (barcode ? barcode : "(none)"), ws );
}
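Review bot: the `oilsNewEvent( __FILE__, harmless_line_number, OILS_EVENT_AUTH_FAILED )` call is now repeated verbatim at three sites; a small local helper (or a macro defined next to `harmless_line_number`) would make the intent explicit and keep a future fourth failure path from reverting to OSRF_LOG_MARK by copy-paste.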
commit a240047ce1181d080dbaeb781da5b07cf4ed7033
Author: Lebbeous Fogle-Weekley <lebbeous at esilibrary.com>
Date: Mon Jun 11 14:16:34 2012 -0400
Security fix: Prevent login by deleted and barred users
An existing comment in the code suggested that we thought we were already
keeping barred users out. LP #1010671 brings up that deleted users were
not being kept out.
Signed-off-by: Lebbeous Fogle-Weekley <lebbeous at esilibrary.com>
Signed-off-by: Mike Rylander <mrylander at gmail.com>
diff --git a/Open-ILS/src/c-apps/oils_auth.c b/Open-ILS/src/c-apps/oils_auth.c
index 121e5dc..f19015c 100644
--- a/Open-ILS/src/c-apps/oils_auth.c
+++ b/Open-ILS/src/c-apps/oils_auth.c
@@ -642,7 +642,20 @@ int oilsAuthComplete( osrfMethodContext* ctx ) {
}
}
- if(!userObj) {
+ int barred = 0, deleted = 0;
+ char *barred_str, *deleted_str;
+
+ if(userObj) {
+ barred_str = oilsFMGetString( userObj, "barred" );
+ barred = oilsUtilsIsDBTrue( barred_str );
+ free( barred_str );
+
+ deleted_str = oilsFMGetString( userObj, "deleted" );
+ deleted = oilsUtilsIsDBTrue( deleted_str );
+ free( deleted_str );
+ }
+
+ if(!userObj || barred || deleted) {
response = oilsNewEvent( OSRF_LOG_MARK, OILS_EVENT_AUTH_FAILED );
osrfLogInfo(OSRF_LOG_MARK, "failed login: username=%s, barcode=%s, workstation=%s",
uname, (barcode ? barcode : "(none)"), ws );
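Review bot: please confirm that `oilsUtilsIsDBTrue` accepts a NULL pointer, since `oilsFMGetString` may return NULL when the "barred" or "deleted" field is absent from `userObj` (`free(NULL)` is fine, the predicate may not be); a defensive `barred_str && oilsUtilsIsDBTrue(barred_str)` would make the fail-closed behaviour independent of that helper's contract. The new declarations mid-block also assume C99, which is fine if the rest of this file already relies on it.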
@@ -651,7 +664,8 @@ int oilsAuthComplete( osrfMethodContext* ctx ) {
return 0; // No such user
}
- // Such a user exists. Now see if he or she has the right credentials.
+ // Such a user exists and isn't barred or deleted.
+ // Now see if he or she has the right credentials.
int passOK = -1;
if(uname)
passOK = oilsAuthVerifyPassword( ctx, userObj, uname, password );
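Review bot: the `return 0; // No such user` comment in the context above is now inaccurate, because that branch also handles barred and deleted users after the first hunk; update it to match the new comment introduced here ("isn't barred or deleted") so the two read consistently.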
commit a01a0dd51c932da0c5236002610d905035edb570
Author: Jason Stephenson <jstephenson at mvlc.org>
Date: Mon Jun 11 16:12:54 2012 -0400
Security fix for Launchpad Bug 1003052.
Bug reported by James Fournie:
Revoking the UPDATE_MARC permission doesn't actually seem to prevent a
user from editing a record. Our use case is that we would like a user
to create new records but not edit existing MARC records.
Changing CREATE_MARC to UPDATE_MARC in OpenILS::Application::Cat's
biblio_record_replace_marc() method seems to fix the problem.
Signed-off-by: Jason Stephenson <jstephenson at mvlc.org>
Signed-off-by: Lebbeous Fogle-Weekley <lebbeous at esilibrary.com>
diff --git a/Open-ILS/src/perlmods/lib/OpenILS/Application/Cat.pm b/Open-ILS/src/perlmods/lib/OpenILS/Application/Cat.pm
index e1d2c82..d0307a8 100644
--- a/Open-ILS/src/perlmods/lib/OpenILS/Application/Cat.pm
+++ b/Open-ILS/src/perlmods/lib/OpenILS/Application/Cat.pm
@@ -158,7 +158,7 @@ sub biblio_record_replace_marc {
my( $self, $conn, $auth, $recid, $newxml, $source ) = @_;
my $e = new_editor(authtoken=>$auth, xact=>1);
return $e->die_event unless $e->checkauth;
- return $e->die_event unless $e->allowed('CREATE_MARC', $e->requestor->ws_ou);
+ return $e->die_event unless $e->allowed('UPDATE_MARC', $e->requestor->ws_ou);
my $fix_tcn = $self->api_name =~ /replace/o;
my $override = $self->api_name =~ /override/o;
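Review bot: the permission is still evaluated against `$e->requestor->ws_ou` rather than the org unit that owns the record being replaced; if a user holds UPDATE_MARC at their workstation but not at the record's owning library, this check will still pass, so it is worth a comment stating that workstation scope is intended here. The change itself is right for the reported use case (create but not edit), since `biblio_record_replace_marc` only ever modifies an existing record.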
-----------------------------------------------------------------------
Summary of changes:
Open-ILS/src/c-apps/oils_auth.c | 30 ++++++++++++++++---
.../src/perlmods/lib/OpenILS/Application/Cat.pm | 2 +-
2 files changed, 26 insertions(+), 6 deletions(-)
hooks/post-receive
--
Evergreen ILS