diff options
Diffstat (limited to '')
| -rw-r--r-- | src/sledjchisl/sledjchisl.c | 19 |
1 files changed, 15 insertions, 4 deletions
diff --git a/src/sledjchisl/sledjchisl.c b/src/sledjchisl/sledjchisl.c index cdfba95..1c98575 100644 --- a/src/sledjchisl/sledjchisl.c +++ b/src/sledjchisl/sledjchisl.c | |||
| @@ -26,6 +26,7 @@ config SLEDJCHISL | |||
| 26 | 26 | ||
| 27 | // TODO - once it is event driven, periodically run things like session clean ups, self healing, and the secure.sh thing. | 27 | // TODO - once it is event driven, periodically run things like session clean ups, self healing, and the secure.sh thing. |
| 28 | // And backups off course. | 28 | // And backups off course. |
| 29 | // As well as regular database pings to keep the connection open. | ||
| 29 | 30 | ||
| 30 | #include <fcgi_config.h> | 31 | #include <fcgi_config.h> |
| 31 | #ifdef _WIN32 | 32 | #ifdef _WIN32 |
| @@ -60,6 +61,8 @@ extern char **environ; | |||
| 60 | #include <qlibc.h> | 61 | #include <qlibc.h> |
| 61 | #include <extensions/qconfig.h> | 62 | #include <extensions/qconfig.h> |
| 62 | 63 | ||
| 64 | // TODO - I should probably replace openSSL with something else. Only using it for the hash functions, and apparently it's got a bit of a bad rep. | ||
| 65 | // qLibc optionally uses openSSL for it's HTTP client stuff. | ||
| 63 | #include <openssl/crypto.h> | 66 | #include <openssl/crypto.h> |
| 64 | #include <openssl/evp.h> | 67 | #include <openssl/evp.h> |
| 65 | #include "openssl/hmac.h" | 68 | #include "openssl/hmac.h" |
| @@ -262,7 +265,7 @@ int runToy(char *argv[]) | |||
| 262 | #undef FALSE | 265 | #undef FALSE |
| 263 | #undef TRUE | 266 | #undef TRUE |
| 264 | #ifndef FALSE | 267 | #ifndef FALSE |
| 265 | // NEVER change this | 268 | // NEVER change this, true and false work to. |
| 266 | typedef enum | 269 | typedef enum |
| 267 | { | 270 | { |
| 268 | FALSE = 0, | 271 | FALSE = 0, |
| @@ -2021,6 +2024,10 @@ void santize(qhashtbl_t *tbl, bool decode) | |||
| 2021 | // if ((strcmp(n, "password") != 0) && (strcmp(n, "psswd") != 0)) | 2024 | // if ((strcmp(n, "password") != 0) && (strcmp(n, "psswd") != 0)) |
| 2022 | { | 2025 | { |
| 2023 | // Poor mans Bobby Tables protection. | 2026 | // Poor mans Bobby Tables protection. |
| 2027 | // TODO - make this reversable, especially so these things can be used in aboutMe, and come out the other end unscathed. | ||
| 2028 | // qurl_encode doesn't handle \, but does the rest. | ||
| 2029 | // So that means don't qurl_decode it, and encode \\. | ||
| 2030 | // But then I have to qurl_decode everwhere. | ||
| 2024 | o = qstrreplace("tr", o, "'", "_"); | 2031 | o = qstrreplace("tr", o, "'", "_"); |
| 2025 | o = qstrreplace("tr", o, "\"", "_"); | 2032 | o = qstrreplace("tr", o, "\"", "_"); |
| 2026 | o = qstrreplace("tr", o, ";", "_"); | 2033 | o = qstrreplace("tr", o, ";", "_"); |
| @@ -2082,7 +2089,8 @@ cookie *setCookie(reqData *Rd, char *cki, char *value) | |||
| 2082 | if (0 != l) | 2089 | if (0 != l) |
| 2083 | ret->value = qurl_encode(value, l); | 2090 | ret->value = qurl_encode(value, l); |
| 2084 | else | 2091 | else |
| 2085 | ret->value = value; | 2092 | // TODO - I'm doing something crazy again, this isn't crashing when I try to free it. Sometimes. Heisenbug? |
| 2093 | ret->value = ""; | ||
| 2086 | ret->httpOnly = TRUE; | 2094 | ret->httpOnly = TRUE; |
| 2087 | ret->site = CS_STRICT; | 2095 | ret->site = CS_STRICT; |
| 2088 | ret->secure = TRUE; | 2096 | ret->secure = TRUE; |
| @@ -2734,10 +2742,12 @@ Double cookie | |||
| 2734 | Though so far all the pages I find saying this don't say flat out say "use headers instead", though they do say "use HSTS". | 2742 | Though so far all the pages I find saying this don't say flat out say "use headers instead", though they do say "use HSTS". |
| 2735 | https://security.stackexchange.com/questions/220797/is-the-double-submit-cookie-pattern-still-effective | 2743 | https://security.stackexchange.com/questions/220797/is-the-double-submit-cookie-pattern-still-effective |
| 2736 | + Includes a work around that I might already be doing. | 2744 | + Includes a work around that I might already be doing. |
| 2745 | TODO - think it through, is it really secure against session hijacking? | ||
| 2746 | TODO - document why we redirect POST to GET, coz it's a pain in the arse, and we have to do things twice. | ||
| 2737 | 2747 | ||
| 2738 | SOOOOO - use double cookie + hidden field. | 2748 | SOOOOO - use double cookie + hidden field. |
| 2739 | No headers, coz I need JavaScript to do that. | 2749 | No headers, coz I need JavaScript to do that. |
| 2740 | No hidden field when redirecting post POST to GET, coz GOT doesn't get those. | 2750 | No hidden field when redirecting post POST to GET, coz GET doesn't get those. |
| 2741 | pepper = long pass phrase or some such stored in .sledjChisl.conf.lua, which has to be protected dvs1/opensimsc/0640 as well as the database credentials. | 2751 | pepper = long pass phrase or some such stored in .sledjChisl.conf.lua, which has to be protected dvs1/opensimsc/0640 as well as the database credentials. |
| 2742 | salt = large random value generated by a secure method (getrandom(2)). | 2752 | salt = large random value generated by a secure method (getrandom(2)). |
| 2743 | seshID = large random value generated by a secure method (getrandom(2)). | 2753 | seshID = large random value generated by a secure method (getrandom(2)). |
| @@ -2766,7 +2776,7 @@ SOOOOO - use double cookie + hidden field. | |||
| 2766 | hashish == HMACkey(toke_n_munchie + salt) | 2776 | hashish == HMACkey(toke_n_munchie + salt) |
| 2767 | + If it's too old according to mtime, delete it and logout. | 2777 | + If it's too old according to mtime, delete it and logout. |
| 2768 | 2778 | ||
| 2769 | I should make it easy to change the HMAC() function. Less important for these short lived sessions, more important for the linky URLs, most important for stared password hashes. | 2779 | I should make it easy to change the HMAC() function. Less important for these short lived sessions, more important for the linky URLs, most important for stored password hashes. |
| 2770 | Same for the pepper. | 2780 | Same for the pepper. |
| 2771 | 2781 | ||
| 2772 | The required JavaScript might be like https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#xmlhttprequest--native-javascript- | 2782 | The required JavaScript might be like https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#xmlhttprequest--native-javascript- |
| @@ -3413,6 +3423,7 @@ t("Lua %s = %s", n, (char *) obj.data); | |||
| 3413 | } | 3423 | } |
| 3414 | } | 3424 | } |
| 3415 | tnm->unlock(tnm); | 3425 | tnm->unlock(tnm); |
| 3426 | // TODO - check this. | ||
| 3416 | Rd->database->putstr(Rd->database, "UserAccounts.PrincipalID", tnm->getstr(tnm, "UUID", false)); | 3427 | Rd->database->putstr(Rd->database, "UserAccounts.PrincipalID", tnm->getstr(tnm, "UUID", false)); |
| 3417 | } | 3428 | } |
| 3418 | } | 3429 | } |