r28036 - in /trunk/libuser-simple-perl: Changes META.yml debian/changelog lib/User/Simple.pm t/User-Simple.t
gwolf at users.alioth.debian.org
gwolf at users.alioth.debian.org
Wed Dec 10 23:55:46 UTC 2008
Author: gwolf
Date: Wed Dec 10 23:55:43 2008
New Revision: 28036
URL: http://svn.debian.org/wsvn/pkg-perl/?sc=1&rev=28036
Log:
New upstream version
Modified:
trunk/libuser-simple-perl/Changes
trunk/libuser-simple-perl/META.yml
trunk/libuser-simple-perl/debian/changelog
trunk/libuser-simple-perl/lib/User/Simple.pm
trunk/libuser-simple-perl/t/User-Simple.t
Modified: trunk/libuser-simple-perl/Changes
URL: http://svn.debian.org/wsvn/pkg-perl/trunk/libuser-simple-perl/Changes?rev=28036&op=diff
==============================================================================
--- trunk/libuser-simple-perl/Changes (original)
+++ trunk/libuser-simple-perl/Changes Wed Dec 10 23:55:43 2008
@@ -1,4 +1,8 @@
Revision history for Perl extension User::Simple.
+
+1.42 Wed Dec 10 17:22:19 CST 2008
+ - Fixed a session hash predictability/clash vulnerability,
+ reported by Eugene V. Lyubimkin via Damyan Ivanov. Thanks!
1.40 Fri Jun 27 11:35:01 CDT 2008
- Bah... Why jump through that many hoops? Moving away from
Modified: trunk/libuser-simple-perl/META.yml
URL: http://svn.debian.org/wsvn/pkg-perl/trunk/libuser-simple-perl/META.yml?rev=28036&op=diff
==============================================================================
--- trunk/libuser-simple-perl/META.yml (original)
+++ trunk/libuser-simple-perl/META.yml Wed Dec 10 23:55:43 2008
@@ -1,6 +1,6 @@
---
name: User-Simple
-version: 1.40
+version: 1.42
author:
- 'Gunnar Wolf <gwolf at gwolf.org>'
abstract: Simple user sessions management
@@ -18,7 +18,7 @@
provides:
User::Simple:
file: lib/User/Simple.pm
- version: 1.40
+ version: 1.42
User::Simple::Admin:
file: lib/User/Simple/Admin.pm
generated_by: Module::Build version 0.280801
Modified: trunk/libuser-simple-perl/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-perl/trunk/libuser-simple-perl/debian/changelog?rev=28036&op=diff
==============================================================================
--- trunk/libuser-simple-perl/debian/changelog (original)
+++ trunk/libuser-simple-perl/debian/changelog Wed Dec 10 23:55:43 2008
@@ -1,9 +1,13 @@
-libuser-simple-perl (1.40-2) UNRELEASED; urgency=low
+libuser-simple-perl (1.42-1) unstable; urgency=low
+ [ gregor herrmann ]
* debian/control: Changed: Switched Vcs-Browser field to ViewSVN
(source stanza).
+
+ [ Gunnar Wolf ]
+ * New upstream release (Closes: #508312)
- -- gregor herrmann <gregoa at debian.org> Sun, 16 Nov 2008 20:48:50 +0100
+ -- Gunnar Wolf <gwolf at debian.org> Wed, 10 Dec 2008 17:52:09 -0600
libuser-simple-perl (1.40-1) unstable; urgency=low
Modified: trunk/libuser-simple-perl/lib/User/Simple.pm
URL: http://svn.debian.org/wsvn/pkg-perl/trunk/libuser-simple-perl/lib/User/Simple.pm?rev=28036&op=diff
==============================================================================
--- trunk/libuser-simple-perl/lib/User/Simple.pm (original)
+++ trunk/libuser-simple-perl/lib/User/Simple.pm Wed Dec 10 23:55:43 2008
@@ -79,7 +79,7 @@
Once the object is created, we can ask it to verify that a given user is
valid, either by checking against a session string or against a login/password
-pair::
+pair:
$ok = $usr->ck_session($session);
$ok = $usr->ck_login($login, $passwd, [$no_sess]);
@@ -171,7 +171,7 @@
use UNIVERSAL qw(isa);
our $AUTOLOAD;
-our $VERSION = '1.40';
+our $VERSION = '1.42';
######################################################################
# Constructor/destructor
@@ -306,9 +306,10 @@
$self->_debug(3, "Not touching session");
} else {
+ my $salt = _session_salt();
unless ($sth = $self->{db}->prepare("UPDATE $self->{tbl} SET
session = ? WHERE id = ?") and
- $sth->execute(md5_hex(join('-', Today_and_Now)), $id)) {
+ $sth->execute(md5_hex(join('-', $salt, Today_and_Now)), $id)) {
$self->_debug(1,'Could not create user session');
return undef;
}
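Review bot: The token written here is md5_hex over `$salt` joined with the timestamp, so all of its unpredictability comes from `$salt`; `Today_and_Now` is guessable to the second and md5_hex adds no entropy, which is worth stating at the call site so the salt is not dropped again in a later refactor: `# The timestamp is attacker-guessable; token unpredictability rests entirely on $salt.` The new value is also stored without checking that no other row already holds it, which is only safe if the salt is genuinely random and long enough for a 128-bit hash collision to be negligible. The enclosing method begins and ends outside this hunk.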
@@ -516,4 +517,11 @@
}
}
+# Generates a random, printable (ASCII 46-126), 10 character long salt
+# to mix in the session generation.
+sub _session_salt {
+ join("", map { chr(rand()*78 + 46) } (0..10))
+}
+
+
1;
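Review bot: `_session_salt` draws every character from Perl's built-in `rand()`, a general-purpose PRNG that is seeded with limited entropy and not intended for security use, so the session token is still predictable to anyone who can recover the generator state, and a forking server may replay the same sequence in each child unless it reseeds. The helper also disagrees with its own comment: `(0..10)` yields 11 characters, and `chr(rand()*78 + 46)` tops out at chr(123), not 126. I would read the bytes from /dev/urandom where it exists, fall back to `rand()` only with a warning, and hex-encode the result so it stays printable; since the salt is only fed to md5_hex, the exact character set does not matter to callers.
```perl
# Generates a random, printable (hex) salt to mix in the session
# generation. Entropy comes from /dev/urandom when it is readable;
# Perl's rand() is not a cryptographic generator and is used only as
# a last resort, with a warning so operators notice.
sub _session_salt {
    my $want  = 10;       # bytes of entropy to pull in
    my $bytes = '';
    if (open my $fh, '<', '/dev/urandom') {
        binmode $fh;
        my $got = read($fh, $bytes, $want);
        close $fh;
        # A short read is treated like no read at all.
        $bytes = '' unless defined $got and $got == $want;
    }
    unless (length $bytes) {
        warn "User::Simple: /dev/urandom unavailable, session salt is weak";
        $bytes = join('', map { chr(int(rand(256))) } (1 .. $want));
    }
    return unpack('H*', $bytes);    # 20 printable hex characters
}
```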
Modified: trunk/libuser-simple-perl/t/User-Simple.t
URL: http://svn.debian.org/wsvn/pkg-perl/trunk/libuser-simple-perl/t/User-Simple.t?rev=28036&op=diff
==============================================================================
--- trunk/libuser-simple-perl/t/User-Simple.t (original)
+++ trunk/libuser-simple-perl/t/User-Simple.t Wed Dec 10 23:55:43 2008
@@ -10,7 +10,7 @@
# change 'tests => 1' to 'tests => last_test_to_print';
-use Test::More tests => 39;
+use Test::More tests => 40;
BEGIN { use_ok('User::Simple'); use_ok('User::Simple::Admin') };
#########################
@@ -22,7 +22,7 @@
eval { $db = DBI->connect('DBI:SQLite:dbname=' .$tmp_file) };
SKIP: {
- my ($ua, $adm_id, $usr_id, $usr, $session, %users);
+ my ($ua, $adm_id, $usr_id, $usr, $session, %users, %sessions);
skip 'Not executing the complete tests: Database handler not created ' .
'(I need DBD::SQLite for this)', 37 unless $db;
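Review bot: The SKIP count on the last line of this hunk still says 37, while the plan in this file was raised to 40 for the new session-clash test that lives inside the SKIP block; on a system without DBD::SQLite the harness will now report one skipped test fewer than planned and fail the run. Assuming the two `use_ok` calls remain the only tests outside the block, the line should read `'(I need DBD::SQLite for this)', 38 unless $db;`. The SKIP block itself extends past the end of this hunk.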
@@ -138,7 +138,7 @@
# Get the user's session
ok($session = $usr->session, "Retreived the user's session");
-
+
# Try to log in with an invalid session, check that all of the data is
# cleared.
is($usr->ck_session('blah'), undef,
@@ -155,6 +155,17 @@
is($usr->login, 'user5', 'Reported login matches');
is($usr->descr, 'A new description', 'Reported descr matches');
is($usr->adm_level, 0, 'Reported adm_level matches');
+
+ # Ensure that logging in several times in a row produces different
+ # session IDs (that is, that we are not vulnerable to time-based
+ # predictability - see changelog for 1.42)
+ %sessions = ();
+ map { $usr->ck_login('user5', 'a_password');
+ $sessions{$usr->session} = $_} (1..10);
+ use YAML;print YAML::Dump %sessions;
+ is(scalar(keys %sessions), 10,
+ 'Discrepancy in the number of generated sessions - possible clash?')
+
}
unlink($tmp_file)
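Review bot: The line `use YAML;print YAML::Dump %sessions;` is leftover debugging: `use` runs at compile time, so the whole test file fails on any system without the YAML module, which the visible META.yml does not declare, and the dump writes non-TAP text to stdout. The `map` in void context should be a `for` loop, and the description passed to `is` reads as a failure message rather than a statement of what is being checked. The SKIP block containing this test starts outside the hunk.
```perl
# Ensure that logging in several times in a row produces different
# session IDs (that is, that we are not vulnerable to time-based
# predictability - see changelog for 1.42)
%sessions = ();
for my $attempt (1 .. 10) {
    $usr->ck_login('user5', 'a_password');
    $sessions{ $usr->session } = $attempt;
}
is(scalar(keys %sessions), 10,
   'Ten consecutive logins produce ten distinct session IDs');
```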