[open-ils-commits] [GIT] Evergreen ILS branch rel_2_1 updated. 3957f63b56713f6f0f3273813cb07269621d842b
Evergreen Git
git at git.evergreen-ils.org
Wed Jun 13 11:33:25 EDT 2012
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "Evergreen ILS".
The branch, rel_2_1 has been updated
via 3957f63b56713f6f0f3273813cb07269621d842b (commit)
via bc98cea611d82fceb84689dabefcc87bebe56394 (commit)
via a9685a919941f2ad2a33cc4f6c13256e522b1291 (commit)
from 87994668254d199213d51a2cb8b6db0532f67e48 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 3957f63b56713f6f0f3273813cb07269621d842b
Author: Lebbeous Fogle-Weekley <lebbeous at esilibrary.com>
Date: Tue Jun 12 17:26:39 2012 -0400
Security fix: For auth, give same stacktrace for all cases of LOGIN_FAILED
Signed-off-by: Lebbeous Fogle-Weekley <lebbeous at esilibrary.com>
Signed-off-by: Bill Erickson <berick at esilibrary.com>
diff --git a/Open-ILS/src/c-apps/oils_auth.c b/Open-ILS/src/c-apps/oils_auth.c
index 9a31a9f..b1216ad 100644
--- a/Open-ILS/src/c-apps/oils_auth.c
+++ b/Open-ILS/src/c-apps/oils_auth.c
@@ -576,6 +576,12 @@ int oilsAuthComplete( osrfMethodContext* ctx ) {
const char* ws = (workstation) ? workstation : "";
+ /* Use __FILE__, harmless_line_number for creating
+ * OILS_EVENT_AUTH_FAILED events (instead of OSRF_LOG_MARK) to avoid
+ * giving away information about why an authentication attempt failed.
+ */
+ int harmless_line_number = __LINE__;
+
if( !type )
type = OILS_AUTH_STAFF;
@@ -643,7 +649,7 @@ int oilsAuthComplete( osrfMethodContext* ctx ) {
}
if(!userObj || barred || deleted) {
- response = oilsNewEvent( OSRF_LOG_MARK, OILS_EVENT_AUTH_FAILED );
+ response = oilsNewEvent( __FILE__, harmless_line_number, OILS_EVENT_AUTH_FAILED );
osrfLogInfo(OSRF_LOG_MARK, "failed login: username=%s, barcode=%s, workstation=%s",
uname, (barcode ? barcode : "(none)"), ws );
osrfAppRespondComplete( ctx, oilsEventToJSON(response) );
@@ -670,7 +676,7 @@ int oilsAuthComplete( osrfMethodContext* ctx ) {
if( passOK )
response = oilsNewEvent( OSRF_LOG_MARK, "PATRON_INACTIVE" );
else
- response = oilsNewEvent( OSRF_LOG_MARK, OILS_EVENT_AUTH_FAILED );
+ response = oilsNewEvent( __FILE__, harmless_line_number, OILS_EVENT_AUTH_FAILED );
osrfAppRespondComplete( ctx, oilsEventToJSON(response) );
oilsEventFree(response);
@@ -725,7 +731,7 @@ int oilsAuthComplete( osrfMethodContext* ctx ) {
response = oilsAuthHandleLoginOK( userObj, uname, type, orgloc, workstation );
} else {
- response = oilsNewEvent( OSRF_LOG_MARK, OILS_EVENT_AUTH_FAILED );
+ response = oilsNewEvent( __FILE__, harmless_line_number, OILS_EVENT_AUTH_FAILED );
osrfLogInfo(OSRF_LOG_MARK, "failed login: username=%s, barcode=%s, workstation=%s",
uname, (barcode ? barcode : "(none)"), ws );
}
commit bc98cea611d82fceb84689dabefcc87bebe56394
Author: Lebbeous Fogle-Weekley <lebbeous at esilibrary.com>
Date: Mon Jun 11 14:16:34 2012 -0400
Security fix: Prevent login by deleted and barred users
An existing comment in the code suggested that we thought we were already
keeping barred users out. LP #1010671 brings up that deleted users were
not being kept out.
Signed-off-by: Lebbeous Fogle-Weekley <lebbeous at esilibrary.com>
Signed-off-by: Mike Rylander <mrylander at gmail.com>
diff --git a/Open-ILS/src/c-apps/oils_auth.c b/Open-ILS/src/c-apps/oils_auth.c
index b171995..9a31a9f 100644
--- a/Open-ILS/src/c-apps/oils_auth.c
+++ b/Open-ILS/src/c-apps/oils_auth.c
@@ -629,7 +629,20 @@ int oilsAuthComplete( osrfMethodContext* ctx ) {
}
}
- if(!userObj) {
+ int barred = 0, deleted = 0;
+ char *barred_str, *deleted_str;
+
+ if(userObj) {
+ barred_str = oilsFMGetString( userObj, "barred" );
+ barred = oilsUtilsIsDBTrue( barred_str );
+ free( barred_str );
+
+ deleted_str = oilsFMGetString( userObj, "deleted" );
+ deleted = oilsUtilsIsDBTrue( deleted_str );
+ free( deleted_str );
+ }
+
+ if(!userObj || barred || deleted) {
response = oilsNewEvent( OSRF_LOG_MARK, OILS_EVENT_AUTH_FAILED );
osrfLogInfo(OSRF_LOG_MARK, "failed login: username=%s, barcode=%s, workstation=%s",
uname, (barcode ? barcode : "(none)"), ws );
@@ -638,7 +651,8 @@ int oilsAuthComplete( osrfMethodContext* ctx ) {
return 0; // No such user
}
- // Such a user exists. Now see if he or she has the right credentials.
+ // Such a user exists and isn't barred or deleted.
+ // Now see if he or she has the right credentials.
int passOK = -1;
if(uname)
passOK = oilsAuthVerifyPassword( ctx, userObj, uname, password );
commit a9685a919941f2ad2a33cc4f6c13256e522b1291
Author: Jason Stephenson <jstephenson at mvlc.org>
Date: Mon Jun 11 16:12:54 2012 -0400
Security fix for Launchpad Bug 1003052.
Bug reported by James Fournie:
Revoking the UPDATE_MARC permission doesn't actually seem to prevent a
user from editing a record. Our use case is that we would like a user
to create new records but not edit existing MARC records.
Changing CREATE_MARC to UPDATE_MARC in OpenILS::Application::Cat's
biblio_record_replace_marc() method seems to fix the problem.
Signed-off-by: Jason Stephenson <jstephenson at mvlc.org>
Signed-off-by: Lebbeous Fogle-Weekley <lebbeous at esilibrary.com>
diff --git a/Open-ILS/src/perlmods/lib/OpenILS/Application/Cat.pm b/Open-ILS/src/perlmods/lib/OpenILS/Application/Cat.pm
index 974390e..fc9b51f 100644
--- a/Open-ILS/src/perlmods/lib/OpenILS/Application/Cat.pm
+++ b/Open-ILS/src/perlmods/lib/OpenILS/Application/Cat.pm
@@ -157,7 +157,7 @@ sub biblio_record_replace_marc {
my( $self, $conn, $auth, $recid, $newxml, $source ) = @_;
my $e = new_editor(authtoken=>$auth, xact=>1);
return $e->die_event unless $e->checkauth;
- return $e->die_event unless $e->allowed('CREATE_MARC', $e->requestor->ws_ou);
+ return $e->die_event unless $e->allowed('UPDATE_MARC', $e->requestor->ws_ou);
my $fix_tcn = $self->api_name =~ /replace/o;
my $override = $self->api_name =~ /override/o;
-----------------------------------------------------------------------
Summary of changes:
Open-ILS/src/c-apps/oils_auth.c | 30 ++++++++++++++++---
.../src/perlmods/lib/OpenILS/Application/Cat.pm | 2 +-
2 files changed, 26 insertions(+), 6 deletions(-)
hooks/post-receive
--
Evergreen ILS
More information about the open-ils-commits
mailing list