From 102e4840b3bc11cc84a0ecb784190e7501277ac4 Mon Sep 17 00:00:00 2001
From: Derrell Lipman
Date: Fri, 5 Jan 2007 19:29:45 +0000
Subject: r20559: Web Application Framework
- Disallow, for now, any ScriptTransport access. A serious security issue has been described, and since we don't currently need it for anything, disable it completely.
- Continued clean-up towards implementing the common authentication code
(This used to be commit 07817a5489dd8cc6c85c10116f4dba43d798ef03)
---
 services/json_auth.esp | 8 +++++++-
 services/request.esp | 15 +++++++++++++--
 2 files changed, 20 insertions(+), 3 deletions(-)
(limited to 'services')
diff --git a/services/json_auth.esp b/services/json_auth.esp
index 2d58b6e2af..0fdd98037d 100644
--- a/services/json_auth.esp
+++ b/services/json_auth.esp
@@ -1,7 +1,13 @@
 <%
 /* Return true to allow access; false otherwise */
-function json_authenticate(serviceComponents, method)
+function json_authenticate(serviceComponents, method, scriptTransportId)
 {
+ // Don't allow any access via ScriptTransport, for now.
+ if (scriptTransportId != jsonrpc.Constant.ScriptTransport.NotInUse)
+ {
+ return false;
+ }
+
 return true;
 }
diff --git a/services/request.esp b/services/request.esp
index 1b33b61964..6f7e61e6e4 100644
--- a/services/request.esp
+++ b/services/request.esp
@@ -292,6 +292,8 @@ if (request["REQUEST_METHOD"] == "POST" &&
 }
 else if (request["REQUEST_METHOD"] == "GET" &&
 form["_ScriptTransport_id"] != undefined &&
+ form["_ScriptTransport_id"] !=
+ jsonrpc.Constant.ScriptTransport.NotInUse &&
 form["_ScriptTransport_data"] != undefined)
 {
 /* We have what looks like a valid ScriptTransport request */
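Review bot: json_authenticate still returns true for every caller that is not ScriptTransport — neither `method` nor `serviceComponents` is consulted and no login or session state is checked — so the unchanged header `/* Return true to allow access; false otherwise */` reads as a finished policy while the body is an allow-all stub with a single exclusion. Suggest making that explicit in the header, e.g. `/* Return true to allow access; false otherwise. Currently refuses only ScriptTransport callers; every other caller is allowed for every method (authentication not yet implemented). */`. The new guard also fails closed, which is worth recording next to it: any `scriptTransportId` other than NotInUse, including an omitted argument from a caller not yet updated to the three-parameter signature, is refused — `// Any value other than NotInUse, including a missing argument, is refused.`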
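Review bot: The added condition compares the raw form value `form["_ScriptTransport_id"]` against `jsonrpc.Constant.ScriptTransport.NotInUse`, whose type is not visible in the hunk; if form values arrive as text and the constant is numeric, the test works only because the loose `!=` coerces, and the same sentinel comparison is repeated in json_authenticate (json_auth.esp) on the id that is parsed further down. A short comment would keep the dependency from being broken by a later switch to a strict comparison or a type change of the constant, e.g. `/* form value is compared loosely against the NotInUse sentinel; keep in sync with json_authenticate */`. The if/else chain this branch belongs to continues outside the hunk.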
@@ -455,8 +457,17 @@ if (! valid)
 return;
 }
-/* Ensure the logged-in user is allowed to issue the requested method */
-if (! json_authenticate(serviceComponents, jsonInput.method))
+/*
+ * Ensure the logged-in user is allowed to issue the requested method. We
+ * provide the scriptTransportId as one of the determining factors because
+ * accepting requests via ScriptTransport is dangerous. Only methods which
+ * one might allow when unauthenticated should be allowed via ScriptTransport
+ * as it is easy for a rogue site to trick a user into bypassing
+ * authentication.
+ */
+if (! json_authenticate(serviceComponents,
+ jsonInput.method,
+ scriptTransportId))
 {
 error.setError(jsonrpc.Constant.ErrorCode.PermissionDenied,
 "Permission denied");
--
cgit
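Review bot: The new comment describes a per-method policy ("Only methods which one might allow when unauthenticated should be allowed via ScriptTransport") that this same commit does not implement — json_authenticate in json_auth.esp refuses every ScriptTransport request regardless of method — so a reader will look for an allow-list that does not exist. Suggest adding one line to the comment block: ` * At present json_authenticate refuses all ScriptTransport requests; the per-method allowance described above is not yet implemented.`. Separately, a ScriptTransport refusal surfaces as the same `PermissionDenied` / `"Permission denied"` as an ordinary authorization failure, so a cross-site attempt is indistinguishable in the response from a user lacking rights; if a server-side log facility is available here (none is visible in the hunk), recording which factor denied the request would make such attempts visible to operators. The `if` body opened at the end of the hunk is closed outside it.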