Closed Bug 300093 Opened 19 years ago Closed 19 years ago

index.cgi remains unsecure when the SSL parameter is set to "authenticated sessions"

Categories

(Bugzilla :: User Accounts, defect)

Product:
Bugzilla
Component:
User Accounts
Version:
2.19.3
Type:
defect
Priority:
Not set
Severity:
major

Tracking

()

Status:
RESOLVED FIXED
Milestone:
Bugzilla 2.20

People

(Reporter: LpSolit, Assigned: LpSolit)

Details

Attachments

(1 file, 2 obsolete files)

patch, v3
1.44 KB, patch
justdave
: review+
Details | Diff | Splinter Review 
Bug 165075 implemented the ability to log in from the home page index.cgi. When
the "ssl" parameter is set to "authenticated sessions", all login pages should
be secured. But index.cgi isn't.

Note: index.cgi behaves as expected when the "ssl" parameter is set to "always".
Flags: blocking2.20?
Target Milestone: --- → Bugzilla 2.20
See http://www.squarefree.com/2005/05/28/banks-and-https/ for more information
on this.
Flags: blocking2.20? → blocking2.20+
Bugzilla/CGI.pm, line 57:

    # Redirect to SSL if required
    if (Param('sslbase') ne '' and Param('ssl') eq 'always') {
        $self->require_https(Param('sslbase'));
    }


I think this is the right place to add index.cgi if Param('ssl') eq
'authenticated sessions'. How does CGI.pm get the file name being called?

> I think this is the right place to add index.cgi if Param('ssl') eq
> 'authenticated sessions'.

rather than adding a filename check to CGI, i think it would be better to add
sslbase to the form if required - login.html.tmpl and login-small.html.tmpl.

> How does CGI.pm get the file name being called?

it doesn't, but $cgi->script_name is what you're after.
Attached patch v1 (obsolete) — Splinter Review 
updates login-small to use sslbase if required

note that cgi.script_name returns the full virtual path to the file, so we need
to use basename to grab just the filename.
Assignee: user-accounts → bugzilla
Status: NEW → ASSIGNED
Attachment #189007 - Flags: review?
Whiteboard: [patch awaiting review]
Comment on attachment 189007 [details] [diff] [review]
v1

>Index: Bugzilla/Template.pm

>+            # File::Basename::basename wrapper
>+            'basename' => sub { return (fileparse(@_[0]))[0]; },

When running checksetup.pl (yes, checksetup, not runtests!), a warning is
displayed:
Scalar value @_[0] better written as $_[0] at Bugzilla/Template.pm line 427.


>Index: template/en/default/account/auth/login-small.html.tmpl

>-<form name="login" action="[% cgi.script_name FILTER html %]" method="POST">
>+[% IF Param('ssl') == 'authenticated sessions' %]
>+  <form name="login" action="[% Param('sslbase') FILTER html %][% basename(cgi.script_name) FILTER html %]" method="POST">
>+[% ELSE %]
>+  <form name="login" action="[% cgi.script_name FILTER html %]" method="POST">
>+[% END %]

This is not the right fix. CGI.pm actually redirects you to the https:// URL
when required. But index.cgi itself remains unsecure and is then untrustable
when filling the login form.
Attachment #189007 - Flags: review? → review-
Attached patch patch, v2 (obsolete) — Splinter Review 
glob seems busy these days. Taking!
Assignee: bugzilla → LpSolit
Attachment #189007 - Attachment is obsolete: true
Attachment #191629 - Flags: review?(justdave)
Severity: normal → major
Comment on attachment 191629 [details] [diff] [review]
patch, v2

mkanat, have you time to review this blocker?
Attachment #191629 - Flags: review?(mkanat)
Comment on attachment 191629 [details] [diff] [review]
patch, v2

>Index: index.cgi
>+# Force to use HTTPS unless Param('ssl') equals 'never'.
>+# This is required because the user may want to log in from here.
>+if (Param('sslbase') ne '' and Param('ssl') ne 'never') {
>+    $cgi->require_https(Param('sslbase'));
>+}

I wonder if we should document this somewhere...  If someone edits their login
page so it doesn't have the login form anymore, they might want to remove this
requirement. (not necessarily part of this bug, just thinking out loud). 
Although, maybe we should make it easy to change, i.e. put both "if" statements
in there, and comment out one of them, so that they can easily toggle which one
is commented out...

>-        <a href="[% Param('urlbase') %]">Home</a> | 
>+        <a href="index.cgi">Home</a> | 

The user should never need to know that index.cgi exists.  We can use href="./"
Attachment #191629 - Flags: review?(mkanat)
Attachment #191629 - Flags: review?(justdave)
Attachment #191629 - Flags: review-
Whiteboard: [patch awaiting review] → bug awaiting patch
Attached patch patch, v3Splinter Review 
replace index.cgi by ./
Attachment #191629 - Attachment is obsolete: true
Attachment #192146 - Flags: review?(justdave)
Whiteboard: bug awaiting patch → [patch awaiting review]
Attachment #192146 - Flags: review?(justdave) → review+
Flags: approval2.20+
Flags: approval+
Whiteboard: [patch awaiting review] → [patch awaiting checkin]
tip:

Checking in index.cgi;
/cvsroot/mozilla/webtools/bugzilla/index.cgi,v  <--  index.cgi
new revision: 1.15; previous revision: 1.14
done
Checking in template/en/default/global/useful-links.html.tmpl;
/cvsroot/mozilla/webtools/bugzilla/template/en/default/global/useful-links.html.tmpl,v
 <--  useful-links.html.tmpl
new revision: 1.41; previous revision: 1.40
done


2.20rc2:

Checking in index.cgi;
/cvsroot/mozilla/webtools/bugzilla/index.cgi,v  <--  index.cgi
new revision: 1.13.10.1; previous revision: 1.13
done
Checking in template/en/default/global/useful-links.html.tmpl;
/cvsroot/mozilla/webtools/bugzilla/template/en/default/global/useful-links.html.tmpl,v
 <--  useful-links.html.tmpl
new revision: 1.39.2.1; previous revision: 1.39
done
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Whiteboard: [patch awaiting checkin]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: