Diffstat (limited to 'src/sledjchisl')
-rw-r--r--src/sledjchisl/sledjchisl.c19
1 files changed, 15 insertions, 4 deletions
diff --git a/src/sledjchisl/sledjchisl.c b/src/sledjchisl/sledjchisl.c
index cdfba95..1c98575 100644
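--- a/src/sledjchisl/sledjchisl.c
+++ b/src/sledjchisl/sledjchisl.c
@@ -26,6 +26,7 @@ config SLEDJCHISL
 
 // TODO - once it is event driven, periodically run things like session clean ups, self healing, and the secure.sh thing.
 // And backups off course.
+// As well as regular database pings to keep the connection open.
 
 #include <fcgi_config.h>
 #ifdef _WIN32
@@ -60,6 +61,8 @@ extern char **environ;
 #include <qlibc.h>
 #include <extensions/qconfig.h>
 
+// TODO - I should probably replace openSSL with something else. Only using it for the hash functions, and apparently it's got a bit of a bad rep.
+// qLibc optionally uses openSSL for it's HTTP client stuff.
 #include <openssl/crypto.h>
 #include <openssl/evp.h>
 #include "openssl/hmac.h"
@@ -262,7 +265,7 @@ int runToy(char *argv[])
 #undef FALSE
 #undef TRUE
 #ifndef FALSE
-// NEVER change this
+// NEVER change this, true and false work to.
 typedef enum
 {
  FALSE = 0,
@@ -2021,6 +2024,10 @@ void santize(qhashtbl_t *tbl, bool decode)
 // if ((strcmp(n, "password") != 0) && (strcmp(n, "psswd") != 0))
  {
  // Poor mans Bobby Tables protection.
+// TODO - make this reversable, especially so these things can be used in aboutMe, and come out the other end unscathed.
+// qurl_encode doesn't handle \, but does the rest.
+// So that means don't qurl_decode it, and encode \\.
+// But then I have to qurl_decode everwhere.
  o = qstrreplace("tr", o, "'", "_");
  o = qstrreplace("tr", o, "\"", "_");
  o = qstrreplace("tr", o, ";", "_");
@@ -2082,7 +2089,8 @@ cookie *setCookie(reqData *Rd, char *cki, char *value)
  if (0 != l)
  ret->value = qurl_encode(value, l);
  else
- ret->value = value;
+// TODO - I'm doing something crazy again, this isn't crashing when I try to free it. Sometimes. Heisenbug?
+ ret->value = "";
  ret->httpOnly = TRUE;
  ret->site = CS_STRICT;
  ret->secure = TRUE;
@@ -2734,10 +2742,12 @@ Double cookie
  Though so far all the pages I find saying this don't say flat out say "use headers instead", though they do say "use HSTS".
  https://security.stackexchange.com/questions/220797/is-the-double-submit-cookie-pattern-still-effective
 + Includes a work around that I might already be doing.
+TODO - think it through, is it really secure against session hijacking?
+TODO - document why we redirect POST to GET, coz it's a pain in the arse, and we have to do things twice.
 
 SOOOOO - use double cookie + hidden field.
  No headers, coz I need JavaScript to do that.
- No hidden field when redirecting post POST to GET, coz GOT doesn't get those.
+ No hidden field when redirecting post POST to GET, coz GET doesn't get those.
  pepper = long pass phrase or some such stored in .sledjChisl.conf.lua, which has to be protected dvs1/opensimsc/0640 as well as the database credentials.
  salt = large random value generated by a secure method (getrandom(2)).
  seshID = large random value generated by a secure method (getrandom(2)).
@@ -2766,7 +2776,7 @@ SOOOOO - use double cookie + hidden field.
  hashish == HMACkey(toke_n_munchie + salt)
 + If it's too old according to mtime, delete it and logout.
 
-I should make it easy to change the HMAC() function. Less important for these short lived sessions, more important for the linky URLs, most important for stared password hashes.
+I should make it easy to change the HMAC() function. Less important for these short lived sessions, more important for the linky URLs, most important for stored password hashes.
  Same for the pepper.
 
 The required JavaScript might be like https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#xmlhttprequest--native-javascript-
@@ -3413,6 +3423,7 @@ t("Lua %s = %s", n, (char *) obj.data);
  }
  }
  tnm->unlock(tnm);
+// TODO - check this.
  Rd->database->putstr(Rd->database, "UserAccounts.PrincipalID", tnm->getstr(tnm, "UUID", false));
  }
  }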
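Review bot: The new `else` branch in setCookie stores a string literal in `ret->value` (`ret->value = "";`), while the `if (0 != l)` branch stores the buffer returned by qurl_encode(), so the two paths leave the field with different ownership. If the cookie teardown calls free() on `ret->value`, which the added TODO implies, freeing the literal is undefined behaviour and would account for the intermittent crash on a request-handling path. Giving both paths a heap-owned value, e.g. `ret->value = strdup("");` followed by a NULL check, lets a single free() serve both. The declaration of `l` and the code that frees the cookie are outside this hunk, so both need confirming there.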