[interchange-cvs] interchange - heins modified lib/Vend/UserDB.pm

interchange-cvs at icdevgroup.org
Fri Apr 16 11:51:51 EDT 2004


User:      heins
Date:      2004-04-16 15:51:50 GMT
Modified:  lib/Vend UserDB.pm
Log:
* Fix security hole. A user, should they be able to execute embedded Perl,
  could do

  		delete $Config->{AdminUserDB};

  and then log in as an admin.

  No known exploits, just from a code read. There is still a hole, as
  we need to set some of these values read-only, but this will help.

Revision  Changes    Path
2.28      +3 -7      interchange/lib/Vend/UserDB.pm


rev 2.28, prev_rev 2.27
Index: UserDB.pm
===================================================================
RCS file: /var/cvs/interchange/lib/Vend/UserDB.pm,v
retrieving revision 2.27
retrieving revision 2.28
diff -u -r2.27 -r2.28
--- UserDB.pm	1 Mar 2004 05:59:07 -0000	2.27
+++ UserDB.pm	16 Apr 2004 15:51:50 -0000	2.28
@@ -1,6 +1,6 @@
 # Vend::UserDB - Interchange user database functions
 #
-# $Id: UserDB.pm,v 2.27 2004/03/01 05:59:07 mheins Exp $
+# $Id: UserDB.pm,v 2.28 2004/04/16 15:51:50 mheins Exp $
 #
 # Copyright (C) 2002-2003 Interchange Development Group
 # Copyright (C) 1996-2002 Red Hat, Inc.
@@ -17,7 +17,7 @@
 
 package Vend::UserDB;
 
-$VERSION = substr(q$Revision: 2.27 $, 10);
+$VERSION = substr(q$Revision: 2.28 $, 10);
 
 use vars qw!
 	$VERSION
@@ -1716,11 +1716,7 @@
 			return undef;
 		}
 		if ($status = $user->login(%options) ) {
-			if(
-				! $Vend::Cfg->{AdminUserDB} or
-				$Vend::Cfg->{AdminUserDB}{$user->{PROFILE}}
-				)
-			{
+			if( $Vend::Cfg->{AdminUserDB}{$user->{PROFILE}} ) {
 				$Vend::admin = 1;
 			}
 			undef $Vend::Cookie;
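Review bot: the new condition `if( $Vend::Cfg->{AdminUserDB}{$user->{PROFILE}} ) {` is a silent behaviour change for installations that never configured AdminUserDB, and that deserves a line in the log or docs. Under the old test, an absent AdminUserDB made every successful login through this branch set `$Vend::admin = 1`; under the new test nobody gets admin rights until a profile is explicitly listed, which is the right fail-closed default, but administrators who relied on the old fallback will lose access without an obvious error. Two smaller points on the same line: the nested lookup autovivifies `$Vend::Cfg->{AdminUserDB}` into an empty hash when it is undefined, so any other code that still tests `! $Vend::Cfg->{AdminUserDB}` will see a defined (empty) hashref after the first login; `exists $Vend::Cfg->{AdminUserDB} and $Vend::Cfg->{AdminUserDB}{$user->{PROFILE}}` avoids that side effect. And, as the log itself says, the check still reads a configuration hash that embedded Perl can modify, so the remaining fix is to make that value read-only rather than to further tighten this test.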
