mirror of
https://we.phorge.it/source/phorge.git
synced 2025-01-02 19:01:03 +01:00
Store hash of session key
Summary: This prevents security by obscurity. If I have read-only access to the database then I can pretend to be any logged-in user. I've used `PhabricatorHash::digest()` (even though we don't need salt as the hashed string is random) to be compatible with user log. Test Plan: Applied patch. Verified I'm still logged in. Logged out. Logged in. $ arc tasks Reviewers: epriestley Reviewed By: epriestley CC: aran, Korvin Differential Revision: https://secure.phabricator.com/D6080
This commit is contained in:
parent
4295de508f
commit
32f91557f8
5 changed files with 32 additions and 6 deletions
22
resources/sql/patches/20130530.sessionhash.php
Normal file
22
resources/sql/patches/20130530.sessionhash.php
Normal file
|
@ -0,0 +1,22 @@
|
||||||
|
<?php
|
||||||
|
|
||||||
|
$table = new PhabricatorUser();
|
||||||
|
$table->openTransaction();
|
||||||
|
$conn = $table->establishConnection('w');
|
||||||
|
|
||||||
|
$sessions = queryfx_all(
|
||||||
|
$conn,
|
||||||
|
'SELECT userPHID, type, sessionKey FROM %T FOR UPDATE',
|
||||||
|
PhabricatorUser::SESSION_TABLE);
|
||||||
|
|
||||||
|
foreach ($sessions as $session) {
|
||||||
|
queryfx(
|
||||||
|
$conn,
|
||||||
|
'UPDATE %T SET sessionKey = %s WHERE userPHID = %s AND type = %s',
|
||||||
|
PhabricatorUser::SESSION_TABLE,
|
||||||
|
PhabricatorHash::digest($session['sessionKey']),
|
||||||
|
$session['userPHID'],
|
||||||
|
$session['type']);
|
||||||
|
}
|
||||||
|
|
||||||
|
$table->saveTransaction();
|
|
@ -52,7 +52,7 @@ abstract class PhabricatorController extends AphrontController {
|
||||||
$user->getTableName(),
|
$user->getTableName(),
|
||||||
'phabricator_session',
|
'phabricator_session',
|
||||||
'web-',
|
'web-',
|
||||||
$phsid);
|
PhabricatorHash::digest($phsid));
|
||||||
if ($info) {
|
if ($info) {
|
||||||
$user->loadFromArray($info);
|
$user->loadFromArray($info);
|
||||||
}
|
}
|
||||||
|
|
|
@ -283,7 +283,7 @@ final class PhabricatorConduitAPIController
|
||||||
id(new PhabricatorUser())->establishConnection('r'),
|
id(new PhabricatorUser())->establishConnection('r'),
|
||||||
'SELECT * FROM %T WHERE sessionKey = %s',
|
'SELECT * FROM %T WHERE sessionKey = %s',
|
||||||
PhabricatorUser::SESSION_TABLE,
|
PhabricatorUser::SESSION_TABLE,
|
||||||
$session_key);
|
PhabricatorHash::digest($session_key));
|
||||||
if (!$session) {
|
if (!$session) {
|
||||||
return array(
|
return array(
|
||||||
'ERR-INVALID-SESSION',
|
'ERR-INVALID-SESSION',
|
||||||
|
|
|
@ -290,7 +290,7 @@ final class PhabricatorUser extends PhabricatorUserDAO implements PhutilPerson {
|
||||||
$try_type = $session_type.'-'.$ii;
|
$try_type = $session_type.'-'.$ii;
|
||||||
if (!in_array($try_type, $existing_sessions)) {
|
if (!in_array($try_type, $existing_sessions)) {
|
||||||
$establish_type = $try_type;
|
$establish_type = $try_type;
|
||||||
$expect_key = $session_key;
|
$expect_key = PhabricatorHash::digest($session_key);
|
||||||
$existing_sessions[] = $try_type;
|
$existing_sessions[] = $try_type;
|
||||||
|
|
||||||
// Ensure the row exists so we can issue an update below. We don't
|
// Ensure the row exists so we can issue an update below. We don't
|
||||||
|
@ -302,7 +302,7 @@ final class PhabricatorUser extends PhabricatorUserDAO implements PhutilPerson {
|
||||||
self::SESSION_TABLE,
|
self::SESSION_TABLE,
|
||||||
$this->getPHID(),
|
$this->getPHID(),
|
||||||
$establish_type,
|
$establish_type,
|
||||||
$session_key);
|
PhabricatorHash::digest($session_key));
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -325,7 +325,7 @@ final class PhabricatorUser extends PhabricatorUserDAO implements PhutilPerson {
|
||||||
'UPDATE %T SET sessionKey = %s, sessionStart = UNIX_TIMESTAMP()
|
'UPDATE %T SET sessionKey = %s, sessionStart = UNIX_TIMESTAMP()
|
||||||
WHERE userPHID = %s AND type = %s AND sessionKey = %s',
|
WHERE userPHID = %s AND type = %s AND sessionKey = %s',
|
||||||
self::SESSION_TABLE,
|
self::SESSION_TABLE,
|
||||||
$session_key,
|
PhabricatorHash::digest($session_key),
|
||||||
$this->getPHID(),
|
$this->getPHID(),
|
||||||
$establish_type,
|
$establish_type,
|
||||||
$expect_key);
|
$expect_key);
|
||||||
|
@ -365,7 +365,7 @@ final class PhabricatorUser extends PhabricatorUserDAO implements PhutilPerson {
|
||||||
'DELETE FROM %T WHERE userPHID = %s AND sessionKey = %s',
|
'DELETE FROM %T WHERE userPHID = %s AND sessionKey = %s',
|
||||||
self::SESSION_TABLE,
|
self::SESSION_TABLE,
|
||||||
$this->getPHID(),
|
$this->getPHID(),
|
||||||
$session_key);
|
PhabricatorHash::digest($session_key));
|
||||||
}
|
}
|
||||||
|
|
||||||
private function generateEmailToken(
|
private function generateEmailToken(
|
||||||
|
|
|
@ -1326,6 +1326,10 @@ final class PhabricatorBuiltinPatchList extends PhabricatorSQLPatchList {
|
||||||
'type' => 'php',
|
'type' => 'php',
|
||||||
'name' => $this->getPatchPath('20130529.macroauthormig.php'),
|
'name' => $this->getPatchPath('20130529.macroauthormig.php'),
|
||||||
),
|
),
|
||||||
|
'20130530.sessionhash.php' => array(
|
||||||
|
'type' => 'php',
|
||||||
|
'name' => $this->getPatchPath('20130530.sessionhash.php'),
|
||||||
|
),
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in a new issue