Textpattern CMS support forum
Re: The Sacred Lawn...
Bloke wrote:
Disabling ign_pw_protect makes the problem go away.
Solution: use rvm_privileged over ign_password_protect. It’s the connoisseur’s choice.
Thanks for sleuthing that out big stef. Yeoman’s work. Now can you tell me why I can’t install my xerox drivers on Snow Leopard?
Actually we use ign pretty extensively for the front side login system, which I’m not sure rvm could handle. I might just have to adjust my workflow till I figure something else out.
muchas gracias
Last edited by mrdale (2011-06-15 14:54:11)
Re: The Sacred Lawn...
Does rvm_privileged provide a mechanism for users to log in to only the public side of the site? E.g. privs None.
Re: The Sacred Lawn...
Manfre wrote:
Does rvm_privileged provide a mechanism for users to log in to only the public side of the site?
No. We tend to get round it by directing people to the admin side for login, and then dumping them to a dashboard page or auto-redirecting them back to the public side.
With the new plugin I just installed on mrdale’s site you can create a new user group level and/or make your own priv areas so public registered accounts can get that level by default. You can clamp down the privs on that group so they can see almost nothing on the admin side apart from maybe a single dashboard tab.
Last edited by Bloke (2011-06-15 15:05:23)
The smd plugin menagerie — for when you need one more gribble of power from Textpattern. Bleeding-edge code available on GitHub.
Hire Txp Builders – finely-crafted code, design and Txp
#19 2011-06-15 15:08:31 igner (Plugin Author)
Re: The Sacred Lawn...
Bloke wrote:
And the winner is… ign_password_frigging_protect.
Sure enough — for reasons best known to igner — every time ign_pw_protect runs and it validates someone, it regenerates the nonce and stores it. Boooooom!
You’re giving me way too much credit, Stef. I’m not sure I know the reasons at this point.
I can safely say that at one point there was a reason for recreating the nonce every time (seems to me it was necessary after some changes to the TXP authentication process several releases back).
Would that I had more time to spend on TXP (read “any time to spend on TXP”), but that’s just not the case right now.
Last edited by igner (2011-06-15 15:09:02)
And then my dog ate my badger, and the love was lost.
Re: The Sacred Lawn...
The easiest solution is to turn off the csrf protection until txp provides a better mechanism for handling public side logins.
In “/textpattern/lib/txplib_misc.php” find ‘get_off_my_lawn’ and comment out that line and add “return true;” as the next line.
// This place ain't no good for you, son.
die(gTxt('get_off_my_lawn', array('{event}' => $event, '{step}' => $step)));
Turns into
// This place ain't no good for you, son.
//die(gTxt('get_off_my_lawn', array('{event}' => $event, '{step}' => $step)));
return true;
Last edited by Manfre (2011-06-15 15:27:47)
Re: The Sacred Lawn...
Manfre wrote:
The easiest solution is to turn of the csrf protection
Bit drastic given the risks. Isn’t the easiest solution to comment out the code in ign_password_protect that regenerates the nonce? Shouldn’t be necessary any longer. From my cursory exam it looks like ign_update_access() is a good starting point.
igner wrote:
I’m not sure I know the reasons at this point
Hehehe, that’s fair enough. The code gave me a headache when I tried to figure it out before. But hey, my own code gives me a headache if I come back to it after a few months’ break :-)
Re: The Sacred Lawn...
Bloke wrote:
From my cursory exam it looks like
ign_update_access() is a good starting point.
// -------------------------------------------------------------
function ign_update_access($acct)
{
    global $ign_pp_updated, $ign_user, $ign_user_db;
    if (!$ign_pp_updated) { // update last access if necessary
        if (!empty($_COOKIE['ign_login'])) {
            list(,,,,$cookie_time) = ign_getCookie();
            if (strtotime($acct['last_access']) - strtotime($cookie_time) > 60) ign_setCookie($acct);
        }
        $safe_user = strtr(addslashes($ign_user), array('_' => '\_', '%' => '\%'));
        safe_update($ign_user_db, "last_access = now()", "name = '$safe_user'");
        $ign_pp_updated = true;
    }
}
Where, oh where shall I look? For what it’s worth, I cannot locate any write access to nonce throughout the whole public tags’ code. Version 0.5b9, that is.
Re: The Sacred Lawn...
wet wrote:
Where, oh where shall I look?
Maybe v0.6 — the version running on mrdale’s server — is radically different from 0.5b9 then. You’re right that ign_update_access() might have been a premature hint; on closer inspection it appears the function that does the deed is ign_setCookie(). In this version we have:
if (txpinterface == 'public') {
    ...
    // fire off validation routine, since most functionality is dependent on it:
    $ign_err = ign_doTxpValidate();
}
So that calls ign_doTxpValidate() on every public hit. In that function, we have this snippet:
if ($ign_user_db == 'txp_users' && isset($_COOKIE['txp_login_public'])) {
    // smd: i.e. logged in, cookie set
    $name = substr(cs('txp_login_public'), 10);
    $u = is_logged_in($name);
    if ($u) {
        $acct = safe_row('name, privs, realname, nonce, last_access, email', $ign_user_db, "name='{$u['name']}'");
        if (cs('ign_stay')) {
            if (!ign_setCookie($acct, $now)) return 3;
        } else {
            if (!ign_setCookie($acct, NULL)) return 3;
        }
        $GLOBALS['ign_user'] = $u['name'];
        ign_update_access($acct); // smd: this fn also calls ign_setCookie under certain conditions
        return 0;
    }
}
And in ign_setCookie():
if ($ign_user_db == 'txp_users') {
    ...
    $nonce = md5($name.pack('H*', $c_hash));
    // smd: blammo!
    safe_update(
        'txp_users',
        "nonce = '".doSlash($nonce)."'",
        "name = '".doSlash($name)."'"
    );
Not sure if that’s quite right as I’ve not traced the logic through fully (my head hurts!) but I believe ign_setCookie() is being called every public access attempt which may account for the new nonce being generated. As I say, I’ve not looked in 0.5b9 so I don’t know how different this version is.
Re: The Sacred Lawn...
Bloke wrote:
As I say, I’ve not looked in 0.5b9 so I don’t know how different this version is.
Sufficiently different:
// -------------------------------------------------------------
function ign_setCookie($acct, $time=false, $path='/')
{
    extract(lAtts(array(
        'name' => '',
        'realname' => '',
        'last_access' => '',
        'nonce' => '',
        'privs' => '',
        'email' => ''
    ), $acct, 0));
    if (empty($name)) {
        return false;
    }
    $o[] = urlencode($name);
    $o[] = urlencode($privs);
    $o[] = urlencode($realname);
    $o[] = urlencode(md5($name.$privs.$nonce));
    $o[] = urlencode($last_access);
    $o[] = urlencode($email);
    $val = join(',', $o);
    $d = explode('.', $_SERVER['HTTP_HOST']);
    // $domain = '.'.join('.', array_slice($d, 1-count($d), count($d)-1));
    $domain = ign_getDomain();
    setcookie('ign_login', $val, $time, $path, $domain);
    $_COOKIE['ign_login'] = $val; // manually set value so cookie is available immediately
    return true;
}
No blammo here. I think we have a winner.
Re: The Sacred Lawn...
Bloke wrote:
Bit drastic given the risks. Isn’t the easiest solution to comment out the code in ign_password_protect that regenerates the nonce? Shouldn’t be necessary any longer. From my cursory exam it looks like
ign_update_access() is a good starting point.
How isn’t it necessary? We need some method of knowing who is logged in if anything. We can’t just turn off the regeneration of the nonce from the public side login. That would give anyone that gets the cookie (mind me, the cookie that would always stay the same) access to everything. By effectively knowing who is logged in (yes, something that works with multi-site installs), we could generate the nonce only when it doesn’t affect the admin-side login.
Re: The Sacred Lawn...
Gocom wrote:
we could generate the nonce only when it doesn’t affect the admin-side login.
That would make sense. At the moment it appears to be generating a new nonce every time someone visits a public page which trashes the admin side security. Perhaps if ign_pw_protect was session-based…
Mind you, I don’t really know how igner’s voodoo works. Need cola.
Last edited by Bloke (2011-06-15 22:37:54)
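As an added example that is not part of this thread and not code from ign_password_protect or Textpattern, here is a self-contained PHP model of the two positions above: the v0.6 behaviour Bloke traced (the nonce column rewritten on every public hit, which invalidates admin form tokens issued earlier) beside the 0.5b9 shape (the cookie derived from the stored nonce, which is left untouched), plus rotation on an explicit logout, which addresses Gocom’s objection about a cookie that would otherwise never change. The token and cookie derivations, the user record, and the site secret are assumptions for illustration, not Textpattern’s real form_token() or cookie formats.

```php
<?php
// Added example, not code from ign_password_protect or Textpattern.
// Model of the failure the thread describes: the admin-side CSRF token is
// derived from the per-user `nonce` column, so a public-side login that
// rewrites that column on every request invalidates every admin form token
// issued before that request. Derivations below are simplified assumptions.

// In-memory stand-in for the txp_users table (constructed sample data).
$users = array(
    'alice' => array('name' => 'alice', 'privs' => 1, 'nonce' => 'constructed-initial-nonce'),
);
$siteSecret = 'constructed-site-secret'; // assumed stand-in for a site-wide secret

// What the admin side would embed in its forms: a token bound to the stored nonce.
function adminFormToken(array $user, $siteSecret)
{
    return hash('sha256', $user['nonce'] . $siteSecret);
}

// Public-side login cookie, keyed by the same stored nonce so that rotating
// the nonce (admin logout, credential change) also invalidates this cookie.
function publicLoginCookie(array $user)
{
    $mac = hash_hmac('sha256', $user['name'] . '|' . $user['privs'], $user['nonce']);
    return $user['name'] . ',' . $mac;
}

// Validate a presented cookie against the current database state.
function validatePublicCookie(array $users, $cookie)
{
    $parts = explode(',', $cookie, 2);
    if (count($parts) !== 2 || !isset($users[$parts[0]])) {
        return false;
    }
    // Constant-time comparison of the full recomputed cookie value.
    return hash_equals(publicLoginCookie($users[$parts[0]]), $cookie);
}

// The pattern found in v0.6's ign_setCookie(): a fresh nonce is written on
// every public hit and the cookie is then derived from it.
function publicHitRotating(array &$users, $name)
{
    $users[$name]['nonce'] = bin2hex(random_bytes(16));
    return publicLoginCookie($users[$name]);
}

// The 0.5b9 shape: derive the cookie from the stored nonce and leave the
// column alone, so admin tokens issued earlier stay valid.
function publicHitReadOnly(array $users, $name)
{
    return publicLoginCookie($users[$name]);
}

// Rotation belongs to explicit authentication events, not page views: one
// logout invalidates every outstanding public cookie and admin token at once.
function logout(array &$users, $name)
{
    $users[$name]['nonce'] = bin2hex(random_bytes(16));
}

// --- Walk-through on the constructed user ---
$issued = adminFormToken($users['alice'], $siteSecret);   // admin side renders a form
publicHitRotating($users, 'alice');                       // alice then views a public page
$stillValid = hash_equals($issued, adminFormToken($users['alice'], $siteSecret));
echo "rotating nonce: admin token still valid? " . var_export($stillValid, true) . "\n";

$issued = adminFormToken($users['alice'], $siteSecret);
$cookie = publicHitReadOnly($users, 'alice');
$stillValid = hash_equals($issued, adminFormToken($users['alice'], $siteSecret));
echo "read-only nonce: admin token still valid? " . var_export($stillValid, true) . "\n";
echo "public cookie validates? " . var_export(validatePublicCookie($users, $cookie), true) . "\n";

logout($users, 'alice');
echo "same cookie after logout? " . var_export(validatePublicCookie($users, $cookie), true) . "\n";
```

Run with `php example.php` (PHP 7 or later for random_bytes). The four lines print false, true, true and false respectively: the per-hit rewrite breaks the admin token, the read-only derivation keeps it, and the cookie is still tied to the nonce, so an explicit logout revokes it. This is the same shape igner describes further down, where the check against is_logged_in() decides whether a reset is needed at all instead of resetting on every validation.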
Re: The Sacred Lawn...
Gocom wrote:
…we could generate the nonce only when it doesn’t affect the admin-side login.
Thou shalt not fiddle with our nonce.
#28 2011-06-16 16:47:46 igner (Plugin Author)
Re: The Sacred Lawn...
Once upon a time, said nonce-fiddling was the only option.
That being said, rather than resetting the nonce, I can probably grab the hash from the existing nonce in the case that is_logged_in() returns a valid user; to be honest I’m not sure why I didn’t do that in the first place, except perhaps laziness.
On a side note – what’s the value in stripping the nonce from the user object that is_logged_in() returns? It’s not as though anyone who has access to call is_logged_in() couldn’t then do a lookup to get the nonce?
#29 2011-06-16 17:03:46 igner (Plugin Author)
Re: The Sacred Lawn...
Oh, wait. That’s why I didn’t – because the nonce is a one-way hash, so I can’t get the hash. So it’d be feasible to rework a number of the validation routines to leverage is_logged_in() to avoid resetting the nonce in the case that there’s a valid admin session for that user.
Sigh.
Re: The Sacred Lawn...
Bloke wrote:
Maybe v0.6 — the version running on mrdale’s server — is radically different from 0.5b9 then.
0.5b11c was the most recent version I found before updating it so that it once again allowed public side logins for txp 4.4. The always-updating nonce was added in commit 20e0b2cc0040fc271e90