
Store hash of session key

Summary:
This removes a reliance on security by obscurity.
If I have read-only access to the database then I can pretend to be any logged-in user.

I've used `PhabricatorHash::digest()` (even though we don't need salt as the hashed string is random) to be compatible with user log.

Test Plan:
Applied patch.
Verified I'm still logged in.
Logged out.
Logged in.

  $ arc tasks

Reviewers: epriestley

Reviewed By: epriestley

CC: aran, Korvin

Differential Revision: https://secure.phabricator.com/D6080
This commit is contained in:
Jakub Vrana 2013-05-30 17:30:06 -07:00
parent 4295de508f
commit 32f91557f8
5 changed files with 32 additions and 6 deletions


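--- /dev/null
+++ b/20130530.sessionhash.php
@@ -0,0 +1,22 @@
+<?php
+$table = new PhabricatorUser();
+$table->openTransaction();
+$conn = $table->establishConnection('w');
+$sessions = queryfx_all(
+$conn,
+'SELECT userPHID, type, sessionKey FROM %T FOR UPDATE',
+PhabricatorUser::SESSION_TABLE);
+foreach ($sessions as $session) {
+queryfx(
+$conn,
+'UPDATE %T SET sessionKey = %s WHERE userPHID = %s AND type = %s',
+PhabricatorUser::SESSION_TABLE,
+PhabricatorHash::digest($session['sessionKey']),
+$session['userPHID'],
+$session['type']);
+}
+$table->saveTransaction();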
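Review bot: The migration digests every sessionKey it reads with no guard against rows that already hold a digest, so applying it a second time (or against a table that was partly migrated) would hash the hashes and invalidate every session. The patch runner presumably records that this patch has been applied so it only executes once, but that assumption deserves a comment at the top, e.g. `// One-shot migration: every row still holds a plaintext key; re-running this would double-hash them.` It is also worth confirming that the sessionKey column is wide enough for the digest output, since a truncated stored value would never match the digest computed at lookup time.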


@ -52,7 +52,7 @@ abstract class PhabricatorController extends AphrontController {
$user->getTableName(),
'phabricator_session',
'web-',
$phsid);
PhabricatorHash::digest($phsid));
if ($info) {
$user->loadFromArray($info);
}
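Review bot: The session-key digest is now open-coded at every lookup and write site — here, in the Conduit controller section below, and four times in the PhabricatorUser section — so any future change to how keys are stored must be repeated at each one. A single helper on PhabricatorUser, such as `public static function hashSessionKey($key) { return PhabricatorHash::digest($key); }`, called from each site would keep the storage format in one place and make the web and Conduit lookups visibly consistent. The enclosing method starts and ends outside this hunk.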


@ -283,7 +283,7 @@ final class PhabricatorConduitAPIController
id(new PhabricatorUser())->establishConnection('r'),
'SELECT * FROM %T WHERE sessionKey = %s',
PhabricatorUser::SESSION_TABLE,
$session_key);
PhabricatorHash::digest($session_key));
if (!$session) {
return array(
'ERR-INVALID-SESSION',


@ -290,7 +290,7 @@ final class PhabricatorUser extends PhabricatorUserDAO implements PhutilPerson {
$try_type = $session_type.'-'.$ii;
if (!in_array($try_type, $existing_sessions)) {
$establish_type = $try_type;
$expect_key = $session_key;
$expect_key = PhabricatorHash::digest($session_key);
$existing_sessions[] = $try_type;
// Ensure the row exists so we can issue an update below. We don't
@ -302,7 +302,7 @@ final class PhabricatorUser extends PhabricatorUserDAO implements PhutilPerson {
self::SESSION_TABLE,
$this->getPHID(),
$establish_type,
$session_key);
PhabricatorHash::digest($session_key));
break;
}
}
@ -325,7 +325,7 @@ final class PhabricatorUser extends PhabricatorUserDAO implements PhutilPerson {
'UPDATE %T SET sessionKey = %s, sessionStart = UNIX_TIMESTAMP()
WHERE userPHID = %s AND type = %s AND sessionKey = %s',
self::SESSION_TABLE,
$session_key,
PhabricatorHash::digest($session_key),
$this->getPHID(),
$establish_type,
$expect_key);
@ -365,7 +365,7 @@ final class PhabricatorUser extends PhabricatorUserDAO implements PhutilPerson {
'DELETE FROM %T WHERE userPHID = %s AND sessionKey = %s',
self::SESSION_TABLE,
$this->getPHID(),
$session_key);
PhabricatorHash::digest($session_key));
}
private function generateEmailToken(
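Review bot: Within the session-establishing method the same `PhabricatorHash::digest($session_key)` is recomputed at three points (the `$expect_key` assignment, the INSERT arguments and the UPDATE arguments); computing it once, `$session_hash = PhabricatorHash::digest($session_key);`, ahead of the loop and using `$session_hash` at all three sites would remove the repetition and make it obvious that the value stored and the value matched in the WHERE clause are the same. The method's start is outside the first hunk, so the exact placement is left to the author. The DELETE in the last hunk belongs to a different method and is fine as a single call.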


@ -1326,6 +1326,10 @@ final class PhabricatorBuiltinPatchList extends PhabricatorSQLPatchList {
'type' => 'php',
'name' => $this->getPatchPath('20130529.macroauthormig.php'),
),
'20130530.sessionhash.php' => array(
'type' => 'php',
'name' => $this->getPatchPath('20130530.sessionhash.php'),
),
);
}
}