Diffstat (limited to 'src/sledjchisl')
-rw-r--r-- | src/sledjchisl/sledjchisl.c | 19 |
1 files changed, 15 insertions, 4 deletions
diff --git a/src/sledjchisl/sledjchisl.c b/src/sledjchisl/sledjchisl.c index cdfba95..1c98575 100644 --- a/src/sledjchisl/sledjchisl.c +++ b/src/sledjchisl/sledjchisl.c | |||
@@ -26,6 +26,7 @@ config SLEDJCHISL | |||
26 | 26 | ||
27 | // TODO - once it is event driven, periodically run things like session clean ups, self healing, and the secure.sh thing. | 27 | // TODO - once it is event driven, periodically run things like session clean ups, self healing, and the secure.sh thing. |
28 | // And backups off course. | 28 | // And backups off course. |
29 | // As well as regular database pings to keep the connection open. | ||
29 | 30 | ||
30 | #include <fcgi_config.h> | 31 | #include <fcgi_config.h> |
31 | #ifdef _WIN32 | 32 | #ifdef _WIN32 |
@@ -60,6 +61,8 @@ extern char **environ; | |||
60 | #include <qlibc.h> | 61 | #include <qlibc.h> |
61 | #include <extensions/qconfig.h> | 62 | #include <extensions/qconfig.h> |
62 | 63 | ||
64 | // TODO - I should probably replace openSSL with something else. Only using it for the hash functions, and apparently it's got a bit of a bad rep. | ||
65 | // qLibc optionally uses openSSL for it's HTTP client stuff. | ||
63 | #include <openssl/crypto.h> | 66 | #include <openssl/crypto.h> |
64 | #include <openssl/evp.h> | 67 | #include <openssl/evp.h> |
65 | #include "openssl/hmac.h" | 68 | #include "openssl/hmac.h" |
@@ -262,7 +265,7 @@ int runToy(char *argv[]) | |||
262 | #undef FALSE | 265 | #undef FALSE |
263 | #undef TRUE | 266 | #undef TRUE |
264 | #ifndef FALSE | 267 | #ifndef FALSE |
265 | // NEVER change this | 268 | // NEVER change this, true and false work to. |
266 | typedef enum | 269 | typedef enum |
267 | { | 270 | { |
268 | FALSE = 0, | 271 | FALSE = 0, |
@@ -2021,6 +2024,10 @@ void santize(qhashtbl_t *tbl, bool decode) | |||
2021 | // if ((strcmp(n, "password") != 0) && (strcmp(n, "psswd") != 0)) | 2024 | // if ((strcmp(n, "password") != 0) && (strcmp(n, "psswd") != 0)) |
2022 | { | 2025 | { |
2023 | // Poor mans Bobby Tables protection. | 2026 | // Poor mans Bobby Tables protection. |
2027 | // TODO - make this reversable, especially so these things can be used in aboutMe, and come out the other end unscathed. | ||
2028 | // qurl_encode doesn't handle \, but does the rest. | ||
2029 | // So that means don't qurl_decode it, and encode \\. | ||
2030 | // But then I have to qurl_decode everwhere. | ||
2024 | o = qstrreplace("tr", o, "'", "_"); | 2031 | o = qstrreplace("tr", o, "'", "_"); |
2025 | o = qstrreplace("tr", o, "\"", "_"); | 2032 | o = qstrreplace("tr", o, "\"", "_"); |
2026 | o = qstrreplace("tr", o, ";", "_"); | 2033 | o = qstrreplace("tr", o, ";", "_"); |
@@ -2082,7 +2089,8 @@ cookie *setCookie(reqData *Rd, char *cki, char *value) | |||
2082 | if (0 != l) | 2089 | if (0 != l) |
2083 | ret->value = qurl_encode(value, l); | 2090 | ret->value = qurl_encode(value, l); |
2084 | else | 2091 | else |
2085 | ret->value = value; | 2092 | // TODO - I'm doing something crazy again, this isn't crashing when I try to free it. Sometimes. Heisenbug? |
2093 | ret->value = ""; | ||
2086 | ret->httpOnly = TRUE; | 2094 | ret->httpOnly = TRUE; |
2087 | ret->site = CS_STRICT; | 2095 | ret->site = CS_STRICT; |
2088 | ret->secure = TRUE; | 2096 | ret->secure = TRUE; |
@@ -2734,10 +2742,12 @@ Double cookie | |||
2734 | Though so far all the pages I find saying this don't say flat out say "use headers instead", though they do say "use HSTS". | 2742 | Though so far all the pages I find saying this don't say flat out say "use headers instead", though they do say "use HSTS". |
2735 | https://security.stackexchange.com/questions/220797/is-the-double-submit-cookie-pattern-still-effective | 2743 | https://security.stackexchange.com/questions/220797/is-the-double-submit-cookie-pattern-still-effective |
2736 | + Includes a work around that I might already be doing. | 2744 | + Includes a work around that I might already be doing. |
2745 | TODO - think it through, is it really secure against session hijacking? | ||
2746 | TODO - document why we redirect POST to GET, coz it's a pain in the arse, and we have to do things twice. | ||
2737 | 2747 | ||
2738 | SOOOOO - use double cookie + hidden field. | 2748 | SOOOOO - use double cookie + hidden field. |
2739 | No headers, coz I need JavaScript to do that. | 2749 | No headers, coz I need JavaScript to do that. |
2740 | No hidden field when redirecting post POST to GET, coz GOT doesn't get those. | 2750 | No hidden field when redirecting post POST to GET, coz GET doesn't get those. |
2741 | pepper = long pass phrase or some such stored in .sledjChisl.conf.lua, which has to be protected dvs1/opensimsc/0640 as well as the database credentials. | 2751 | pepper = long pass phrase or some such stored in .sledjChisl.conf.lua, which has to be protected dvs1/opensimsc/0640 as well as the database credentials. |
2742 | salt = large random value generated by a secure method (getrandom(2)). | 2752 | salt = large random value generated by a secure method (getrandom(2)). |
2743 | seshID = large random value generated by a secure method (getrandom(2)). | 2753 | seshID = large random value generated by a secure method (getrandom(2)). |
@@ -2766,7 +2776,7 @@ SOOOOO - use double cookie + hidden field. | |||
2766 | hashish == HMACkey(toke_n_munchie + salt) | 2776 | hashish == HMACkey(toke_n_munchie + salt) |
2767 | + If it's too old according to mtime, delete it and logout. | 2777 | + If it's too old according to mtime, delete it and logout. |
2768 | 2778 | ||
2769 | I should make it easy to change the HMAC() function. Less important for these short lived sessions, more important for the linky URLs, most important for stared password hashes. | 2779 | I should make it easy to change the HMAC() function. Less important for these short lived sessions, more important for the linky URLs, most important for stored password hashes. |
2770 | Same for the pepper. | 2780 | Same for the pepper. |
2771 | 2781 | ||
2772 | The required JavaScript might be like https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#xmlhttprequest--native-javascript- | 2782 | The required JavaScript might be like https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#xmlhttprequest--native-javascript- |
@@ -3413,6 +3423,7 @@ t("Lua %s = %s", n, (char *) obj.data); | |||
3413 | } | 3423 | } |
3414 | } | 3424 | } |
3415 | tnm->unlock(tnm); | 3425 | tnm->unlock(tnm); |
3426 | // TODO - check this. | ||
3416 | Rd->database->putstr(Rd->database, "UserAccounts.PrincipalID", tnm->getstr(tnm, "UUID", false)); | 3427 | Rd->database->putstr(Rd->database, "UserAccounts.PrincipalID", tnm->getstr(tnm, "UUID", false)); |
3417 | } | 3428 | } |
3418 | } | 3429 | } |
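Review bot: In the setCookie hunk, the new fallback `ret->value = "";` stores a pointer to a string literal in a field that the other branch fills from qurl_encode(), so if the cookie is later released with free() — which the added TODO about it "crashing when I try to free it. Sometimes" suggests — freeing that literal is undefined behaviour, and the intermittent crash is that UB rather than a heisenbug. Make both paths own a heap buffer, e.g. `ret->value = strdup("");`, so the release path can free unconditionally, and check the result of qurl_encode()/strdup() for NULL before the fields below are set. The same ownership rule should be stated in a comment on the field so future callers do not hand in a borrowed `value` again, as the removed `ret->value = value;` did. setCookie's body begins and ends outside the hunk.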