[aur-dev] [PATCH 1/2] Add a configuration setting to disallow HTTP login
If this is enabled, do not show the login form and display a note suggesting to switch to a secure connection if a user accesses the site via HTTP. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de> --- web/lib/aur.inc.php | 7 +++++-- web/lib/config.inc.php.proto | 3 +++ web/template/login_form.php | 10 +++++++++- 3 files changed, 17 insertions(+), 3 deletions(-) diff --git a/web/lib/aur.inc.php b/web/lib/aur.inc.php index 0927604..474ebee 100644 --- a/web/lib/aur.inc.php +++ b/web/lib/aur.inc.php @@ -326,9 +326,12 @@ function html_header($title="") { global $_POST; global $LANG; global $SUPPORTED_LANGS; + global $DISABLE_HTTP_LOGIN; - $login = try_login(); - $login_error = $login['error']; + if (!$DISABLE_HTTP_LOGIN || (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'])) { + $login = try_login(); + $login_error = $login['error']; + } $title = htmlspecialchars($title, ENT_QUOTES); diff --git a/web/lib/config.inc.php.proto b/web/lib/config.inc.php.proto index f710844..0f672ab 100644 --- a/web/lib/config.inc.php.proto +++ b/web/lib/config.inc.php.proto @@ -71,3 +71,6 @@ $PERSISTENT_COOKIE_TIMEOUT = 60 * 60 * 24 * 30; # please ensure "upload_max_filesize" is additionally set to no more than 3M, # otherwise this check might be easy to bypass (FS#22991 for details) $MAX_FILESIZE_UNCOMPRESSED = 1024 * 1024 * 8; + +# Allow HTTPs logins only +$DISABLE_HTTP_LOGIN = true; diff --git a/web/template/login_form.php b/web/template/login_form.php index ca81e0e..b351a27 100644 --- a/web/template/login_form.php +++ b/web/template/login_form.php @@ -6,7 +6,7 @@ if (isset($_COOKIE["AURSID"])) { <a href="logout.php">[<?php print __("Logout"); ?>]</a> <?php } -else { +elseif (!$DISABLE_HTTP_LOGIN || (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'])) { if ($login_error) { print "<span class='error'>" . $login_error . "</span><br />\n"; } 
@@ -26,5 +26,13 @@ else { <a href="passreset.php">[<?php echo __('Forgot Password') ?>]</a> </div> </form> +<?php +} +else { +?> +<span class='error'> + <?php echo __("HTTP login is disabled. Please switch to HTTPs if you want to login: "); ?> + <a href="https://aur.archlinux.org/">https://aur.archlinux.org/</a> +</span> <?php } ?> </div> -- 1.7.6
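Review bot: In the html_header() hunk of web/lib/aur.inc.php, $login and $login_error are now assigned only inside the new if, so on a plain HTTP request with $DISABLE_HTTP_LOGIN set they stay undefined for the rest of the function and for any template that reads them. Initialise $login_error = "" before the if. The test isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] also accepts the string "off", which PHP reports under IIS/ISAPI for non-HTTPS requests, so the login form would still be offered over HTTP there. The same expression is repeated in web/template/login_form.php; one helper that also rejects "off" would keep the two checks from drifting apart.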
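Review bot: The block added to web/lib/config.inc.php.proto ships $DISABLE_HTTP_LOGIN = true as the default, and the comment "Allow HTTPs logins only" does not say what happens on a site without working TLS: with the other hunks applied, the login form is hidden and try_login() is never called there, so nobody can log in. Either default to false or extend the comment to state that HTTPS must be set up before enabling this. An existing config.inc.php will not define the variable at all, so the code reading it sees an undefined global; that deserves a line in the upgrade notes. "HTTPs" should be spelled "HTTPS".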
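Review bot: The else branch added at the end of web/template/login_form.php hard-codes https://aur.archlinux.org/ in the link, so any other installation that enables $DISABLE_HTTP_LOGIN sends its users to the official site. Take the target from configuration (HTML-escaped on output) instead of a literal. The message also spells "HTTPs"; since the string goes through __() for translation, it is cheaper to correct it to "HTTPS" before translators pick it up.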
As discussed on the mailing list, enable "secure" and "httponly" for session cookies to prevent them from being transferred over insecure connections. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de> --- web/lib/acctfuncs.inc.php | 8 +++++++- 1 files changed, 7 insertions(+), 1 deletions(-) diff --git a/web/lib/acctfuncs.inc.php b/web/lib/acctfuncs.inc.php index b2f0548..b26d0cf 100644 --- a/web/lib/acctfuncs.inc.php +++ b/web/lib/acctfuncs.inc.php @@ -592,6 +592,7 @@ function display_account_info($U="", $T="", $E="", $R="", $I="") { */ function try_login() { global $MAX_SESSIONS_PER_USER, $PERSISTENT_COOKIE_TIMEOUT; + global $DISABLE_HTTP_LOGIN; $login_error = ""; $new_sid = ""; @@ -658,7 +659,12 @@ function try_login() { else $cookie_time = 0; - setcookie("AURSID", $new_sid, $cookie_time, "/"); + if ($DISABLE_HTTP_LOGIN) { + setcookie("AURSID", $new_sid, $cookie_time, "/", "", true, true); + } + else { + setcookie("AURSID", $new_sid, $cookie_time, "/"); + } header("Location: " . $_SERVER['PHP_SELF'].'?'.$_SERVER['QUERY_STRING']); $login_error = ""; -- 1.7.6
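Review bot: In the second try_login() hunk the secure and httponly flags both hang on $DISABLE_HTTP_LOGIN, so a site that leaves HTTP login enabled gets neither flag, even for a session started over HTTPS. httponly does not depend on the transport and can be passed unconditionally; secure is better derived from whether the current request is HTTPS than from the configuration switch. Doing so also removes the duplicated setcookie() call in the if/else and makes the added global $DISABLE_HTTP_LOGIN in the first hunk unnecessary.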
On Thu, 11 Aug 2011 18:06:01 +0200, Lukas Fleischer wrote:
As discussed on the mailing list, enable "secure" and "httponly" for session cookies to prevent them from being transferred over insecure connections.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de> --- web/lib/acctfuncs.inc.php | 8 +++++++- 1 files changed, 7 insertions(+), 1 deletions(-)
diff --git a/web/lib/acctfuncs.inc.php b/web/lib/acctfuncs.inc.php index b2f0548..b26d0cf 100644 --- a/web/lib/acctfuncs.inc.php +++ b/web/lib/acctfuncs.inc.php @@ -592,6 +592,7 @@ function display_account_info($U="", $T="", $E="", $R="", $I="") { */ function try_login() { global $MAX_SESSIONS_PER_USER, $PERSISTENT_COOKIE_TIMEOUT; + global $DISABLE_HTTP_LOGIN;
$login_error = ""; $new_sid = ""; @@ -658,7 +659,12 @@ function try_login() { else $cookie_time = 0;
- setcookie("AURSID", $new_sid, $cookie_time, "/"); + if ($DISABLE_HTTP_LOGIN) { + setcookie("AURSID", $new_sid, $cookie_time, "/", "", true, true); + } + else { + setcookie("AURSID", $new_sid, $cookie_time, "/"); + } header("Location: " . $_SERVER['PHP_SELF'].'?'.$_SERVER['QUERY_STRING']); $login_error = "";
You could also always use a secure cookie when https is used. E.g. see my patch for flyspray: http://projects.archlinux.org/vhosts/bugs.archlinux.org.git/commit/?id=2abba... -- Pierre Schmitz, https://users.archlinux.de/~pierre
As discussed on the mailing list, enable "secure" and "httponly" for session cookies to prevent them from being transferred over insecure connections. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de> --- As Pierre suggested, always enable "secure" if HTTPs is used. This is slightly better as it ensures cookies from a HTTPs login never get transferred in plain text, even if HTTP login is still enabled. web/html/logout.php | 2 +- web/lib/acctfuncs.inc.php | 2 +- web/lib/aur.inc.php | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/web/html/logout.php b/web/html/logout.php index dee6456..1cdf453 100644 --- a/web/html/logout.php +++ b/web/html/logout.php @@ -15,7 +15,7 @@ if (isset($_COOKIE["AURSID"])) { $q.= mysql_real_escape_string($_COOKIE["AURSID"]) . "'"; db_query($q, $dbh); # setting expiration to 1 means '1 second after midnight January 1, 1970' - setcookie("AURSID", "", 1, "/"); + setcookie("AURSID", "", 1, "/", null, !empty($_SERVER['HTTPS']), true); unset($_COOKIE['AURSID']); } diff --git a/web/lib/acctfuncs.inc.php b/web/lib/acctfuncs.inc.php index b2f0548..97fb69b 100644 --- a/web/lib/acctfuncs.inc.php +++ b/web/lib/acctfuncs.inc.php @@ -658,7 +658,7 @@ function try_login() { else $cookie_time = 0; - setcookie("AURSID", $new_sid, $cookie_time, "/"); + setcookie("AURSID", $new_sid, $cookie_time, "/", null, !empty($_SERVER['HTTPS']), true); header("Location: " . $_SERVER['PHP_SELF'].'?'.$_SERVER['QUERY_STRING']); $login_error = ""; diff --git a/web/lib/aur.inc.php b/web/lib/aur.inc.php index 474ebee..f432697 100644 --- a/web/lib/aur.inc.php +++ b/web/lib/aur.inc.php 
@@ -47,7 +47,7 @@ function check_sid($dbh=NULL) { # clear out the hacker's cookie, and send them to a naughty page # why do you have to be so harsh on these people!? # - setcookie("AURSID", "", 1, "/"); + setcookie("AURSID", "", 1, "/", null, !empty($_SERVER['HTTPS']), true); unset($_COOKIE['AURSID']); } elseif ($failed == 2) { # session id timeout was reached and they must login again. @@ -56,7 +56,7 @@ function check_sid($dbh=NULL) { $q.= mysql_real_escape_string($_COOKIE["AURSID"]) . "'"; db_query($q, $dbh); - setcookie("AURSID", "", 1, "/"); + setcookie("AURSID", "", 1, "/", null, !empty($_SERVER['HTTPS']), true); unset($_COOKIE['AURSID']); } else { # still logged in and haven't reached the timeout, go ahead -- 1.7.6
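Review bot: !empty($_SERVER['HTTPS']) is now repeated in four setcookie() calls (logout.php, try_login() and twice in check_sid()), and it is true for the string "off" that PHP reports under IIS/ISAPI on non-HTTPS requests, which would mark the cookie secure on a plain HTTP response. Move the test into one helper that also excludes "off", and use it both here and in the HTTP-login check from patch 1/2, which currently spells the same condition as isset($_SERVER['HTTPS']) && $_SERVER['HTTPS']. Passing null for the domain argument works, but the previous revision of this patch passed ""; an empty string matches the parameter's string type and keeps the calls consistent.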