Skip to content

Commit 57e0bdf

Browse files
AenBleiddAenBleidd
authored
Merge pull request #5962 from BOINC/dpa_consent
fix vulnerability in yucky consent code
2 parents f02a114 + 8e564fa commit 57e0bdf

File tree

2 files changed

+30
-21
lines changed

2 files changed

+30
-21
lines changed

html/inc/consent.inc

+20-12
Original file line numberDiff line numberDiff line change
@@ -23,12 +23,14 @@ require_once("../inc/util.inc");
2323

2424
define('CONSENT_TYPE_ENROLL','ENROLL');
2525

26-
// Utility function to check the terms of use.
2726
function check_termsofuse() {
2827
return defined('TERMSOFUSE_FILE') and file_exists(TERMSOFUSE_FILE);
2928
}
3029

31-
function consent_to_a_policy($user, $consent_type_id, $consent_flag, $consent_not_required, $source, $ctime = 0) {
30+
function consent_to_a_policy(
31+
$user, $consent_type_id, $consent_flag, $consent_not_required,
32+
$source, $ctime = 0
33+
) {
3234
$mys = BoincDb::escape_string($source);
3335
if ($ctime==0) {
3436
$mytime = $user->create_time;
@@ -54,12 +56,13 @@ function check_user_consent($user, $consent_name) {
5456
return FALSE;
5557
}
5658

57-
// Checks to see if a particular consent_type name is in
58-
// available. Returns an array of format: (BOOLEAN, INTEGER). The
59-
// boolean is T/F depending on whether that consent_type exists, and
60-
// if checkenabled=TRUE, if the consent_type is enabled/available for
61-
// use. The integer is the consent_type_id- the id from consent_type
62-
// table. If the boolean is FALSE, the integer returned is -1.
59+
// Check if a particular consent_type name is available.
60+
// Returns an array of format: (BOOLEAN, INTEGER).
61+
// The boolean is T/F depending on whether that consent_type exists,
62+
// and if checkenabled=TRUE, if the consent_type is enabled/available for use.
63+
// The integer is the consent_type_id- the id from consent_type table.
64+
// If the boolean is FALSE, the integer returned is -1.
65+
//
6366
function check_consent_type($name, $checkenabled=TRUE) {
6467
$ct = BoincConsentType::lookup("shortname = '{$name}'");
6568
if ($ct and ( !$checkenabled or ($ct->enabled)) ) {
@@ -68,13 +71,18 @@ function check_consent_type($name, $checkenabled=TRUE) {
6871
return array(FALSE, -1);
6972
}
7073

71-
// When a user uses the Web site to login, this funtion checks the
72-
// ENROLL consent and intercepts the login, presenting the terms of
73-
// use page Web form before they can continue.
74+
// When a user uses the Web site to login, this function checks the
75+
// ENROLL consent and intercepts the login,
76+
// presenting the terms of use page Web form before they can continue.
77+
//
7478
function intercept_login($user, $perm, $in_next_url = "") {
7579
list($checkct, $ctid) = check_consent_type(CONSENT_TYPE_ENROLL);
7680
$config = get_config();
77-
if ( parse_bool($config, "enable_login_mustagree_termsofuse") and $checkct and check_termsofuse() and (!check_user_consent($user, CONSENT_TYPE_ENROLL))) {
81+
if (parse_bool($config, "enable_login_mustagree_termsofuse")
82+
and $checkct
83+
and check_termsofuse()
84+
and (!check_user_consent($user, CONSENT_TYPE_ENROLL))
85+
) {
7886
// sent user to terms-of-use Web form after login
7987
$mytoken = create_token($user->id, TOKEN_TYPE_LOGIN_INTERCEPT, TOKEN_DURATION_TWO_HOURS);
8088
send_cookie('logintoken', $mytoken, false);

html/user/user_agreetermsofuse_action.php

+10-9
Original file line numberDiff line numberDiff line change
@@ -25,7 +25,7 @@
2525
require_once("../inc/consent.inc");
2626

2727
if (empty($_POST)) {
28-
error_page(tra("Website error when attempting to agree to terms of use. Please contact the site administrators."));
28+
error_page("Missing args");
2929
}
3030

3131
// Get the next url from POST
@@ -36,23 +36,25 @@
3636
$next_url = HOME_PAGE;
3737
}
3838

39-
// validate checkbox
4039
$agree = post_str("agree_to_terms_of_use", true);
4140
if (!$agree) {
42-
error_page(tra("You have not agreed to our terms of use. You may not continue until you do so."));
41+
error_page(tra("Agree to terms of use to continue."));
4342
}
4443

4544
// Obtain data from cookies
4645
if (isset($_COOKIE['logintoken'])) {
4746
$logintoken = $_COOKIE['logintoken'];
4847
} else {
49-
error_page(tra("Website error when attempting to agree to terms of use."));
48+
error_page("Missing arg");
5049
}
5150

5251
if (isset($_COOKIE['tempuserid'])) {
5352
$userid = $_COOKIE['tempuserid'];
53+
if (filter_var($userid, FILTER_VALIDATE_INT) === false) {
54+
error_page("Bad arg");
55+
}
5456
} else {
55-
error_page(tra("Website error when attempting to agree to terms of use. Please contact the site administrators."));
57+
error_page("Missing arg");
5658
}
5759

5860
if (isset($_COOKIE['tempperm'])) {
@@ -66,22 +68,21 @@
6668
// misuse of the token.
6769
if (!is_valid_token($userid, $logintoken, TOKEN_TYPE_LOGIN_INTERCEPT)) {
6870
delete_token($userid, $logintoken, TOKEN_TYPE_LOGIN_INTERCEPT);
69-
error_page(tra("Authentication error attempting to agree to terms of use."));
71+
error_page("Invalid token");
7072
}
7173
delete_token($userid, $logintoken, TOKEN_TYPE_LOGIN_INTERCEPT);
7274

7375
$user = BoincUser::lookup_id_nocache($userid);
7476
$authenticator = $user->authenticator;
7577

76-
// Set CONSENT_TYPE_ENROLL in database.
7778
list($checkct, $ctid) = check_consent_type(CONSENT_TYPE_ENROLL);
7879
if ($checkct) {
7980
$rc1 = consent_to_a_policy($user, $ctid, 1, 0, 'Webform', time());
8081
if (!$rc1) {
81-
error_page("Database error when attempting to INSERT into table consent with ID=$user->id. " . BoincDb::error() . " Please contact site administrators.");
82+
error_page("Database error");
8283
}
8384
} else {
84-
error_page("Error: consent type for enrollment not found. Please contact site administrators.");
85+
error_page("Consent type not found");
8586
}
8687

8788

0 commit comments

Comments
 (0)