git-svn-id: https://svn.typo3.org/TYPO3v4/Core/branches/TYPO3_4-2@4784 709f56b5-9817...
authorIngmar Schlecht <ingmar.schlecht@typo3.org>
Tue, 20 Jan 2009 11:22:26 +0000 (11:22 +0000)
committerIngmar Schlecht <ingmar.schlecht@typo3.org>
Tue, 20 Jan 2009 11:22:26 +0000 (11:22 +0000)
ChangeLog
t3lib/class.t3lib_userauth.php

index b6d717b..37432f2 100755 (executable)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,6 +1,7 @@
 2009-01-20  Ingmar Schlecht  <ingmar@typo3.org>
 
        * Fixed bug #10186: Time shifting (again) in datetime fields (followup to Bug#8746; thanks to Ernesto Baschny)
+       * Fixed bug #10146: Session fixation vulnerability in user authentication (thanks to the TYPO3 Security Team and especially Marcus Krause)
 
 2009-01-20  Ingo Renner  <ingo@typo3.org>
 
index 20ee380..15ce57a 100755 (executable)
@@ -225,8 +225,8 @@ class t3lib_userAuth {
                }
                $this->cookieId = $id;
 
-                       // If new session...
-               if (!$id)       {
+                       // If new session or client tries to fix session...
+               if (!$id || !$this->isExistingSessionRecord($id))       {
                                // New random session-$id is made
                $id = substr(md5(uniqid('').getmypid()),0,$this->hash_length);
                        // New session
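Review bot: The new guard `if (!$id || !$this->isExistingSessionRecord($id))` only rejects ids that have no record at all; if a session record is ever written for a not-yet-authenticated visitor (not verifiable from this hunk), an attacker can still obtain a record-backed id and plant it in the victim's browser, so the id should additionally be regenerated at the moment of login. With this check the id becomes the sole trust anchor, which makes the unchanged generator `$id = substr(md5(uniqid('').getmypid()),0,$this->hash_length);` worth revisiting: uniqid() and the pid are time-derived and guessable, and a cryptographically random source would be the stronger choice. Note also that `$this->cookieId = $id;` is assigned before the regeneration branch, so it keeps the client-supplied value; whether anything later relies on it cannot be told from this hunk.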
@@ -736,6 +736,26 @@ class t3lib_userAuth {
                }
        }
 
+       /**
+        * Determine whether there's an according session record to a given session_id
+        * in the database. Don't care if session record is still valid or not.
+        *
+        * @return boolean
+        */
+       function isExistingSessionRecord($id) {
+               $count = false;
+               $dbres = $GLOBALS['TYPO3_DB']->exec_SELECTquery(
+                                               'COUNT(ses_id)',
+                                               $this->session_table,
+                                               'ses_id=' . $GLOBALS['TYPO3_DB']->fullQuoteStr($id, $this->session_table)
+                                       );
+               if ($dbres !== false) {
+                       list($count) = $GLOBALS['TYPO3_DB']->sql_fetch_row($dbres);
+                       $GLOBALS['TYPO3_DB']->sql_free_result($dbres);
+               }
+               return (($count ? true : false));
+       }
+
 
 
 
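Review bot: The docblock of `isExistingSessionRecord` lacks a parameter description; add `@param string $id Session id as received from the client's cookie` above `@return boolean`. It would also help to state the fail-closed behaviour explicitly: when `exec_SELECTquery` returns false the method returns false, so a database error makes the caller issue a fresh session id instead of accepting the supplied one, and a comment such as `// Query failure counts as "no record": fail closed to a new session` on the `if ($dbres !== false)` line captures that intent. The id is passed through `fullQuoteStr`, so the raw cookie value is not a SQL injection vector here.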
@@ -1266,4 +1286,4 @@ class t3lib_userAuth {
 if (defined('TYPO3_MODE') && $TYPO3_CONF_VARS[TYPO3_MODE]['XCLASS']['t3lib/class.t3lib_userauth.php']) {
        include_once($TYPO3_CONF_VARS[TYPO3_MODE]['XCLASS']['t3lib/class.t3lib_userauth.php']);
 }
-?>
+?>
\ No newline at end of file