Commit 3a21d1d9 authored by Xavier Guimard's avatar Xavier Guimard

Backport fix for CVE-2019-12046 from 1.9 (#1744)

parent a80cd8a6
......@@ -107,6 +107,12 @@ sub BUILD {
# Load session data into object
if ($data) {
if ( $self->kind ) {
unless ( $data->{_session_kind} eq $self->kind ) {
$self->error("Session kind mistmatch");
return undef;
}
}
$self->_save_data($data);
$self->kind( $data->{_session_kind} );
$self->id( $data->{_session_id} );
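Review bot: `$data->{_session_kind} eq $self->kind` in the new `unless` emits "Use of uninitialized value" for a stored session that has no `_session_kind` key (one written before this check existed); it still fails closed, which is the right outcome for a token pointing at a session of another kind, and `( $data->{_session_kind} // '' ) eq $self->kind` keeps that behaviour without the warning (5.10+). The error message has a typo: `Session kind mistmatch` should be `Session kind mismatch`. `return undef;` is better written `return;`, since the failure is presumably signalled through `$self->error` rather than BUILD's return value. Note that the check is skipped entirely when `$self->kind` is unset, so only call sites that pass a kind get the protection. BUILD starts outside the hunk.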
......
......@@ -115,7 +115,8 @@ sub extractMailInfo {
'debug' );
# Get the corresponding session
my $mailSession = $self->getApacheSession( $self->{mail_token} );
my $mailSession =
$self->getApacheSession( $self->{mail_token}, 1, undef, "mail" );
if ($mailSession) {
$self->{mail} = $mailSession->data->{user};
......@@ -215,7 +216,7 @@ sub storeMailSession {
if ( $self->{mail_token} or $self->getMailSession( $self->{mail} ) );
# Create a new session
my $mailSession = $self->getApacheSession();
my $mailSession = $self->getApacheSession( undef, 1, undef, "mail" );
# Set _utime for session autoremove
# Use default session timeout and mail session timeout to compute it
......@@ -259,16 +260,15 @@ sub sendConfirmationMail {
# Skip this step if user clicked on the confirmation link
return PE_OK if $self->{mail_token};
# Check if confirmation mail has already been sent
my $mail_session = $self->getMailSession( $self->{mail} );
$self->{mail_already_sent} = ( $mail_session and !$self->{id} ) ? 1 : 0;
# Read mail session to get creation and expiration dates
$self->{id} = $mail_session unless $self->{id};
$self->lmLog( "Mail session found: $mail_session", 'debug' );
my $mailSession = $self->getApacheSession( $mail_session, 1 );
my $mailSession =
$self->getApacheSession( $mail_session, 1, undef, "mail" );
$self->{mailSessionTimeoutTimestamp} =
$mailSession->data->{mailSessionTimeoutTimestamp};
$self->{mailSessionStartTimestamp} =
......@@ -342,6 +342,9 @@ sub sendConfirmationMail {
return PE_MAILERROR
unless $self->send_mail( $self->{mailAddress}, $subject, $body, $html );
# Save status
$mailSession->update( { "mail_already_sent" => 1 } );
PE_MAILCONFIRMOK;
}
......@@ -384,7 +387,8 @@ sub changePassword {
if ( $result == PE_PASSWORD_OK or $result == PE_OK ) {
# Get the corresponding session
my $mailSession = $self->getApacheSession( $self->{mail_token} );
my $mailSession =
$self->getApacheSession( $self->{mail_token}, 1, undef, "mail" );
if ($mailSession) {
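Review bot: In sendConfirmationMail the line that set `$self->{mail_already_sent}` is removed (`-259` hunk), but unlike Register.pm's sendConfirmationMail no hunk in this file switches the later "already sent" test to the session flag; the offsets (`@@ -342,6 +342,9` following `@@ -259,16 +260,15`) show nothing else changed between the two hunks. If this file has the same `if ( $self->{mail_already_sent} and !$self->param('resendconfirmation') )` test that Register.pm had, it can no longer be true here and the short-circuit returning PE_MAILCONFIRMATION_ALREADY_SENT is lost, so a confirmation mail would be re-sent on every visit. Mirror the Register.pm change: `if ( $mailSession->data->{mail_already_sent} and !$self->param('resendconfirmation') )`. `$mailSession->data->{...}` is also dereferenced at the end of the `-259` hunk without a defined check, even though `getApacheSession` can now return false for a kind mismatch; the sub's body continues outside the hunk.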
......
......@@ -107,8 +107,8 @@ sub extractRegisterInfo {
'debug' );
# Get the corresponding session
my $registerSession =
$self->getApacheSession( $self->{register_token} );
my $registerSession = $self->getApacheSession( $self->{register_token},
1, undef, "register" );
if ( $registerSession && $registerSession->data ) {
$self->{registerInfo}->{mail} = $registerSession->data->{mail};
......@@ -223,7 +223,8 @@ sub storeRegisterSession {
or $self->getRegisterSession( $self->{registerInfo}->{mail} ) );
# Create a new session
my $registerSession = $self->getApacheSession();
my $registerSession =
$self->getApacheSession( undef, 1, undef, "register" );
# Set _utime for session autoremove
# Use default session timeout and register session timeout to compute it
......@@ -267,17 +268,16 @@ sub sendConfirmationMail {
# Skip this step if user clicked on the confirmation link
return PE_OK if $self->{register_token};
# Check if confirmation mail has already been sent
my $register_session =
$self->getRegisterSession( $self->{registerInfo}->{mail} );
$self->{mail_already_sent} = ( $register_session and !$self->{id} ) ? 1 : 0;
# Read session to get creation and expiration dates
$self->{id} = $register_session unless $self->{id};
$self->lmLog( "Register session found: $register_session", 'debug' );
my $registerSession = $self->getApacheSession( $register_session, 1 );
my $registerSession =
$self->getApacheSession( $register_session, 1, undef, "register" );
$self->{registerInfo}->{registerSessionTimeoutTimestamp} =
$registerSession->data->{registerSessionTimeoutTimestamp};
$self->{registerInfo}->{registerSessionStartTimestamp} =
......@@ -300,7 +300,9 @@ sub sendConfirmationMail {
$self->{startMailTime} = strftime( "%H:%M", localtime $startTimestamp );
# Ask if user want another confirmation email
if ( $self->{mail_already_sent} and !$self->param('resendconfirmation') ) {
if ( $registerSession->data->{mail_already_sent}
and !$self->param('resendconfirmation') )
{
return PE_MAILCONFIRMATION_ALREADY_SENT;
}
......@@ -338,6 +340,9 @@ sub sendConfirmationMail {
unless $self->send_mail( $self->{registerInfo}->{mail}, $subject, $body,
$html );
# Save status
$registerSession->update( { "mail_already_sent" => 1 } );
PE_MAILCONFIRMOK;
}
......@@ -384,8 +389,8 @@ sub registerUser {
if ( $result == PE_OK ) {
# Get the corresponding session
my $registerSession =
$self->getApacheSession( $self->{register_token} );
my $registerSession = $self->getApacheSession( $self->{register_token},
1, undef, "register" );
if ($registerSession) {
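Review bot: The new condition `if ( $registerSession->data->{mail_already_sent} ...` in the `-300` hunk adds a second unguarded dereference of `$registerSession` (the first is the timestamp read at the end of the `-267` hunk), while the same file guards the same call with `if ( $registerSession && $registerSession->data )` in extractRegisterInfo; with the kind argument now passed, `getApacheSession` can return false, as `next unless ($registerSession)` in getRegisterSession shows. A guard right after the assignment, `return PE_MAILERROR unless $registerSession and $registerSession->data;`, keeps the sub from dying on an undefined value. The `mail_already_sent` flag is only written after a successful `send_mail`, so a session that was confirmed before this change carries no flag and will get one more mail; worth a comment at the `update` call if that is accepted. sendConfirmationMail starts and ends outside these hunks.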
......
......@@ -143,7 +143,7 @@ sub getMailSession {
# Browse found sessions to check if it's a mail session
foreach my $id ( keys %$sessions ) {
my $mailSession = $self->getApacheSession( $id, 1 );
my $mailSession = $self->getApacheSession( $id, 1, undef, "mail" );
next unless ($mailSession);
return $id if ( $mailSession->data->{_type} =~ /^mail$/ );
}
......@@ -168,7 +168,8 @@ sub getRegisterSession {
# Browse found sessions to check if it's a register session
foreach my $id ( keys %$sessions ) {
my $registerSession = $self->getApacheSession( $id, 1 );
my $registerSession =
$self->getApacheSession( $id, 1, undef, "register" );
next unless ($registerSession);
return $id if ( $registerSession->data->{_type} =~ /^register$/ );
}
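Review bot: The `_type =~ /^mail$/` and `_type =~ /^register$/` tests that follow the changed calls are now a second check on top of the kind `getApacheSession` enforces, and nothing records whether keeping both is deliberate; a comment such as `# kind is enforced by getApacheSession; _type kept as a belt-and-braces check` would stop a later cleanup from dropping one of them. Those regexes also match a trailing newline and warn when `_type` is undef; `( $mailSession->data->{_type} // '' ) eq 'mail'` (5.10+) is exact and silent. getMailSession and getRegisterSession both start outside their hunks.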
......