r28034 - in /branches/upstream/libuser-simple-perl/current: Changes META.yml lib/User/Simple.pm t/User-Simple.t
gwolf at users.alioth.debian.org
gwolf at users.alioth.debian.org
Wed Dec 10 23:51:07 UTC 2008
Author: gwolf
Date: Wed Dec 10 23:51:03 2008
New Revision: 28034
URL: http://svn.debian.org/wsvn/pkg-perl/?sc=1&rev=28034
Log:
[svn-upgrade] Integrating new upstream version, libuser-simple-perl (1.42)
Modified:
branches/upstream/libuser-simple-perl/current/Changes
branches/upstream/libuser-simple-perl/current/META.yml
branches/upstream/libuser-simple-perl/current/lib/User/Simple.pm
branches/upstream/libuser-simple-perl/current/t/User-Simple.t
Modified: branches/upstream/libuser-simple-perl/current/Changes
URL: http://svn.debian.org/wsvn/pkg-perl/branches/upstream/libuser-simple-perl/current/Changes?rev=28034&op=diff
==============================================================================
--- branches/upstream/libuser-simple-perl/current/Changes (original)
+++ branches/upstream/libuser-simple-perl/current/Changes Wed Dec 10 23:51:03 2008
@@ -1,4 +1,8 @@
Revision history for Perl extension User::Simple.
+
+1.42 Wed Dec 10 17:22:19 CST 2008
+ - Fixed a session hash predictability/clash vulnerability,
+ reported by Eugene V. Lyubimkin via Damyan Ivanov. Thanks!
1.40 Fri Jun 27 11:35:01 CDT 2008
- Bah... Why jump through that many hoops? Moving away from
Modified: branches/upstream/libuser-simple-perl/current/META.yml
URL: http://svn.debian.org/wsvn/pkg-perl/branches/upstream/libuser-simple-perl/current/META.yml?rev=28034&op=diff
==============================================================================
--- branches/upstream/libuser-simple-perl/current/META.yml (original)
+++ branches/upstream/libuser-simple-perl/current/META.yml Wed Dec 10 23:51:03 2008
@@ -1,6 +1,6 @@
---
name: User-Simple
-version: 1.40
+version: 1.42
author:
- 'Gunnar Wolf <gwolf at gwolf.org>'
abstract: Simple user sessions management
@@ -18,7 +18,7 @@
provides:
User::Simple:
file: lib/User/Simple.pm
- version: 1.40
+ version: 1.42
User::Simple::Admin:
file: lib/User/Simple/Admin.pm
generated_by: Module::Build version 0.280801
Modified: branches/upstream/libuser-simple-perl/current/lib/User/Simple.pm
URL: http://svn.debian.org/wsvn/pkg-perl/branches/upstream/libuser-simple-perl/current/lib/User/Simple.pm?rev=28034&op=diff
==============================================================================
--- branches/upstream/libuser-simple-perl/current/lib/User/Simple.pm (original)
+++ branches/upstream/libuser-simple-perl/current/lib/User/Simple.pm Wed Dec 10 23:51:03 2008
@@ -79,7 +79,7 @@
Once the object is created, we can ask it to verify that a given user is
valid, either by checking against a session string or against a login/password
-pair::
+pair:
$ok = $usr->ck_session($session);
$ok = $usr->ck_login($login, $passwd, [$no_sess]);
@@ -171,7 +171,7 @@
use UNIVERSAL qw(isa);
our $AUTOLOAD;
-our $VERSION = '1.40';
+our $VERSION = '1.42';
######################################################################
# Constructor/destructor
@@ -306,9 +306,10 @@
$self->_debug(3, "Not touching session");
} else {
+ my $salt = _session_salt();
unless ($sth = $self->{db}->prepare("UPDATE $self->{tbl} SET
session = ? WHERE id = ?") and
- $sth->execute(md5_hex(join('-', Today_and_Now)), $id)) {
+ $sth->execute(md5_hex(join('-', $salt, Today_and_Now)), $id)) {
$self->_debug(1,'Could not create user session');
return undef;
}
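Review bot: The token built at `md5_hex(join('-', $salt, Today_and_Now))` is unpredictable only to the extent that `$salt` is; the date/time component is known to anyone who can observe roughly when the login happened, so it contributes change between logins but no secrecy. A comment above the `prepare` call would stop a future maintainer from shortening or dropping the salt as an apparent simplification, e.g. `# Today_and_Now only guarantees the token changes between logins; all of its unpredictability comes from $salt, which must remain secret and random.` The enclosing function starts and ends outside this hunk, so I cannot see whether the new token is also cached on $self or returned to the caller.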
@@ -516,4 +517,11 @@
}
}
+# Generates a random, printable (ASCII 46-126), 10 character long salt
+# to mix in the session generation.
+sub _session_salt {
+ join("", map { chr(rand()*78 + 46) } (0..10))
+}
+
+
1;
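Review bot: `rand()` is not a cryptographically secure generator, so a session token derived from it can be reconstructed by an attacker who observes a few tokens and knows how the process was seeded; in Perl the implicit seed is derived from the time and pid unless `srand` is called explicitly, which is the same class of predictability 1.42 sets out to remove. The salt should come from the kernel entropy source when one is available, with `rand()` kept only as a last-resort fallback so logins keep working. The comment is also inaccurate: `(0..10)` yields 11 characters, and `chr(rand()*78 + 46)` covers ASCII 46..123, not 46..126, because `chr` truncates the fractional part.
```perl
# Returns a random salt to mix into session generation. Prefers the
# kernel entropy source; rand() is not suitable for security tokens and
# is used only as a last resort so that logins keep working without it.
sub _session_salt {
    my $salt = '';
    if (open my $rnd, '<', '/dev/urandom') {
        binmode $rnd;
        read $rnd, $salt, 16;
        close $rnd;
    }
    return $salt if length($salt) == 16;
    # Fallback: 11 printable characters (ASCII 46..123) from rand()
    return join('', map { chr(int(rand(78)) + 46) } (1..11));
}
```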
Modified: branches/upstream/libuser-simple-perl/current/t/User-Simple.t
URL: http://svn.debian.org/wsvn/pkg-perl/branches/upstream/libuser-simple-perl/current/t/User-Simple.t?rev=28034&op=diff
==============================================================================
--- branches/upstream/libuser-simple-perl/current/t/User-Simple.t (original)
+++ branches/upstream/libuser-simple-perl/current/t/User-Simple.t Wed Dec 10 23:51:03 2008
@@ -10,7 +10,7 @@
# change 'tests => 1' to 'tests => last_test_to_print';
-use Test::More tests => 39;
+use Test::More tests => 40;
BEGIN { use_ok('User::Simple'); use_ok('User::Simple::Admin') };
#########################
@@ -22,7 +22,7 @@
eval { $db = DBI->connect('DBI:SQLite:dbname=' .$tmp_file) };
SKIP: {
- my ($ua, $adm_id, $usr_id, $usr, $session, %users);
+ my ($ua, $adm_id, $usr_id, $usr, $session, %users, %sessions);
skip 'Not executing the complete tests: Database handler not created ' .
'(I need DBD::SQLite for this)', 37 unless $db;
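Review bot: The skip count `37` on this line was not bumped together with the plan: with `tests => 40` and two `use_ok` calls before the SKIP block, the block now holds 38 tests (assuming every remaining test sits inside it, as the old 39/37 pairing suggests), so on a machine without DBD::SQLite the harness will report one test fewer than planned and fail. Change it to `'(I need DBD::SQLite for this)', 38 unless $db;`. The SKIP block continues past the end of this hunk.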
@@ -138,7 +138,7 @@
# Get the user's session
ok($session = $usr->session, "Retreived the user's session");
-
+
# Try to log in with an invalid session, check that all of the data is
# cleared.
is($usr->ck_session('blah'), undef,
@@ -155,6 +155,17 @@
is($usr->login, 'user5', 'Reported login matches');
is($usr->descr, 'A new description', 'Reported descr matches');
is($usr->adm_level, 0, 'Reported adm_level matches');
+
+ # Ensure that logging in several times in a row produces different
+ # session IDs (that is, that we are not vulnerable to time-based
+ # predictability - see changelog for 1.42)
+ %sessions = ();
+ map { $usr->ck_login('user5', 'a_password');
+ $sessions{$usr->session} = $_} (1..10);
+ use YAML;print YAML::Dump %sessions;
+ is(scalar(keys %sessions), 10,
+ 'Discrepancy in the number of generated sessions - possible clash?')
+
}
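Review bot: `use YAML;print YAML::Dump %sessions;` looks like a debugging leftover: it adds a runtime dependency on YAML that the visible META.yml hunks do not declare, and it prints raw text into the TAP stream, where a leading `---` line can be taken for a YAML diagnostic block by newer harnesses. Drop that line, and since `map` is used here purely for its side effects, write the loop as `for (1..10) { $usr->ck_login('user5', 'a_password'); $sessions{$usr->session} = $_ }`. The `is` description reads like a failure message; a name such as `'Ten consecutive logins produce ten distinct sessions'` is clearer in TAP output. Note that distinctness across ten logins only catches the same-second clash; it does not demonstrate that the tokens are unpredictable.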
unlink($tmp_file)