Check session user against browser-expectation
ehuelsmann committed Nov 16, 2024
1 parent 6f342ce commit 8af171c
Showing 2 changed files with 22 additions and 4 deletions.
20 changes: 18 additions & 2 deletions lib/LedgerSMB/Middleware/SessionStorage.pm
Expand Up @@ -28,12 +28,14 @@ use warnings;
use parent qw ( Plack::Middleware );

use Cookie::Baker;
use HTTP::Status qw( HTTP_BAD_REQUEST );
use Plack::Request;
use Plack::Util;
use Plack::Util::Accessor
qw( cookie cookie_path domain duration inner_serialize secret store force_create );
use Session::Storage::Secure;
use String::Random;
use URI;

use LedgerSMB::PSGI::Util;

Expand Down Expand Up @@ -82,12 +84,26 @@ sub call {
my ($env) = @_;
my $req = Plack::Request->new($env);

my $referer = $req->headers->header( 'referer' );
my $referer_uri = $referer ? URI->new( $referer ) : undef;
my $referer_user = $referer_uri ? $referer_uri->query_param( 'user' ) : '';
my $cookie = $req->cookies->{$self->cookie};
my $session = (not $self->force_create) ? $self->store->decode($cookie) : undef;
$session->{csrf_token} //= String::Random->new->randpattern('.' x 23);
my $session_user = $session ? $session->{login} : '';

if ($referer_user
and $session_user
and $session_user ne $referer_user) {
return [ HTTP_BAD_REQUEST,
[ 'Content-Type' => 'text/plain' ],
[ "Browser expects session for user '$referer_user', ",
"but session for user '$session_user' found" ]
];
}

my $secure = defined($env->{HTTPS}) && $env->{HTTPS} eq 'ON';
$session->{csrf_token} //= String::Random->new->randpattern('.' x 23);
$env->{'lsmb.session'} = $session;
my $secure = defined($env->{HTTPS}) && $env->{HTTPS} eq 'ON';
return Plack::Util::response_cb(
$self->app->($env), sub {
my $res = shift;
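Review bot: `$referer_uri->query_param( 'user' )` relies on the `query_param` method that `URI::QueryParam` installs, but this hunk only adds `use URI;` — unless that module is loaded transitively somewhere else, the first request carrying a Referer dies with "Can't locate object method", so I would add `use URI::QueryParam;` next to the `use URI;` line. The user/session comparison only runs when the browser actually sends a Referer that still contains the query string, and a Referrer-Policy of `no-referrer` or `origin` (or any request without a Referer) silently skips it, so it should be documented as best-effort detection of a stale or swapped session rather than an authorization check; a comment such as `# Best-effort: detect the browser expecting a different user than the stored session; skipped when the Referer is absent or has its query stripped` above the `if` would set that expectation. Note also that the `//=` on `$session->{csrf_token}` autovivifies `$session` before `my $session_user = $session ? ... : ''`, so the `''` branch is dead and `$session_user` can be undef there — harmless given the `and $session_user` guard, but the ternary is misleading. The rest of call()'s body continues below the hunk.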
6 changes: 4 additions & 2 deletions lib/LedgerSMB/Scripts/login.pm
Expand Up @@ -18,9 +18,10 @@ This script contains the request handlers for logging in of LedgerSMB.
use strict;
use warnings;

use HTTP::Status qw( HTTP_OK );
use Digest::MD5 qw( md5_hex );
use HTTP::Status qw( HTTP_OK );
use JSON::MaybeXS;
use URI::Escape;

use LedgerSMB::PSGI::Util;

Expand Down Expand Up @@ -90,9 +91,10 @@ sub authenticate {
$request->{_req}->env->{'lsmb.session'}->{company_path} =
md5_hex( $r->{company} );
my $token = $request->{_req}->env->{'lsmb.session'}->{company_path};
my $user = uri_escape( $r->{login} );
return [ HTTP_OK,
[ 'Content-Type' => 'application/json' ],
[ qq|{ "target": "$token/erp.pl" }| ]];
[ qq|{ "target": "$token/erp.pl?user=$user" }| ]];
}


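Review bot: The response body is still assembled by string interpolation even though JSON::MaybeXS is already imported in this file, and the new `$user` value makes that more fragile than before; `[ encode_json( { target => "$token/erp.pl?user=$user" } ) ]` produces the same document with escaping handled by the encoder. `uri_escape` croaks on characters above U+00FF ("Can't escape \x{...}, try uri_escape_utf8() instead"), so if `$r->{login}` can be a decoded character string a non-ASCII login name would turn a successful authentication into a 500 — `my $user = uri_escape_utf8( $r->{login} );` avoids that, with `uri_escape_utf8` added to the `use URI::Escape` import list. If that route is taken, the middleware comparing this parameter against `$session->{login}` presumably needs to decode the UTF-8 bytes it gets back from the query string before comparing, otherwise non-ASCII logins would be rejected as mismatches; worth confirming on the consumer side. authenticate()'s body starts above the hunk.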
