From 4b6bb85968c37b14dd7d51f5d96164be0ba7598f Mon Sep 17 00:00:00 2001 From: onefang Date: Sun, 19 Apr 2020 14:17:46 +1000 Subject: TODO++ --- src/sledjchisl/sledjchisl.c | 19 +++++++++++++++---- 1 file changed, 15 insertions(+), 4 deletions(-) (limited to 'src/sledjchisl/sledjchisl.c') diff --git a/src/sledjchisl/sledjchisl.c b/src/sledjchisl/sledjchisl.c index cdfba95..1c98575 100644 --- a/src/sledjchisl/sledjchisl.c +++ b/src/sledjchisl/sledjchisl.c @@ -26,6 +26,7 @@ config SLEDJCHISL // TODO - once it is event driven, periodically run things like session clean ups, self healing, and the secure.sh thing. // And backups off course. +// As well as regular database pings to keep the connection open. #include #ifdef _WIN32 @@ -60,6 +61,8 @@ extern char **environ; #include #include +// TODO - I should probably replace openSSL with something else. Only using it for the hash functions, and apparently it's got a bit of a bad rep. +// qLibc optionally uses openSSL for it's HTTP client stuff. #include #include #include "openssl/hmac.h" @@ -262,7 +265,7 @@ int runToy(char *argv[]) #undef FALSE #undef TRUE #ifndef FALSE -// NEVER change this +// NEVER change this, true and false work to. typedef enum { FALSE = 0, @@ -2021,6 +2024,10 @@ void santize(qhashtbl_t *tbl, bool decode) // if ((strcmp(n, "password") != 0) && (strcmp(n, "psswd") != 0)) { // Poor mans Bobby Tables protection. +// TODO - make this reversable, especially so these things can be used in aboutMe, and come out the other end unscathed. +// qurl_encode doesn't handle \, but does the rest. +// So that means don't qurl_decode it, and encode \\. +// But then I have to qurl_decode everwhere. o = qstrreplace("tr", o, "'", "_"); o = qstrreplace("tr", o, "\"", "_"); o = qstrreplace("tr", o, ";", "_"); 
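Review bot: The TODO added in santize() weighs qurl_encode against the existing `qstrreplace` substitutions, but it never records the option that would remove the reversibility problem altogether. If the values reach the database through bound parameters, the quote and semicolon rewriting is unnecessary and aboutMe text round-trips untouched; how the queries are built is not visible in this hunk, so that needs confirming. I would add `// TODO - check whether the queries can take bound parameters, then none of this mangling is needed.` next to the new lines. santize() starts and ends outside the hunk.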
@@ -2082,7 +2089,8 @@ cookie *setCookie(reqData *Rd, char *cki, char *value) if (0 != l) ret->value = qurl_encode(value, l); else - ret->value = value; +// TODO - I'm doing something crazy again, this isn't crashing when I try to free it. Sometimes. Heisenbug? + ret->value = ""; ret->httpOnly = TRUE; ret->site = CS_STRICT; ret->secure = TRUE; @@ -2734,10 +2742,12 @@ Double cookie Though so far all the pages I find saying this don't say flat out say "use headers instead", though they do say "use HSTS". https://security.stackexchange.com/questions/220797/is-the-double-submit-cookie-pattern-still-effective + Includes a work around that I might already be doing. +TODO - think it through, is it really secure against session hijacking? +TODO - document why we redirect POST to GET, coz it's a pain in the arse, and we have to do things twice. SOOOOO - use double cookie + hidden field. No headers, coz I need JavaScript to do that. - No hidden field when redirecting post POST to GET, coz GOT doesn't get those. + No hidden field when redirecting post POST to GET, coz GET doesn't get those. pepper = long pass phrase or some such stored in .sledjChisl.conf.lua, which has to be protected dvs1/opensimsc/0640 as well as the database credentials. salt = large random value generated by a secure method (getrandom(2)). seshID = large random value generated by a secure method (getrandom(2)). 
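Review bot: In setCookie the empty-value branch now stores a string literal in `ret->value`, while the other branch stores the buffer returned by qurl_encode, so the code that later releases the cookie cannot treat both the same way. Passing a literal to free() is undefined behaviour, which would fit the "sometimes" crash the new TODO describes. Giving both branches an owned buffer removes the special case: `ret->value = strdup("");`, with a NULL check on it and on the qurl_encode result. The free site and the rest of setCookie are outside the hunk, so confirm how `ret->value` is released before relying on this.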
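Review bot: The added line `TODO - think it through, is it really secure against session hijacking?` sits in the double-submit-cookie notes, but that pattern is a CSRF defence and does not by itself stop a captured session cookie from being replayed. Keeping the two questions separate would make the TODO actionable, for example `TODO - double submit only covers CSRF; work out separately what stops a stolen seshID cookie being replayed (cookie flags, session lifetime, binding).` The comment block continues outside the hunk, so some of this may already be covered further down.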
@@ -2766,7 +2776,7 @@ SOOOOO - use double cookie + hidden field. hashish == HMACkey(toke_n_munchie + salt) + If it's too old according to mtime, delete it and logout. -I should make it easy to change the HMAC() function. Less important for these short lived sessions, more important for the linky URLs, most important for stared password hashes. +I should make it easy to change the HMAC() function. Less important for these short lived sessions, more important for the linky URLs, most important for stored password hashes. Same for the pepper. The required JavaScript might be like https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#xmlhttprequest--native-javascript- @@ -3413,6 +3423,7 @@ t("Lua %s = %s", n, (char *) obj.data); } } tnm->unlock(tnm); +// TODO - check this. Rd->database->putstr(Rd->database, "UserAccounts.PrincipalID", tnm->getstr(tnm, "UUID", false)); } } -- cgit v1.1
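Review bot: The added `// TODO - check this.` above the `Rd->database->putstr(...)` call does not say what needs checking, so the next reader cannot act on it. Two things are visible on that line: `tnm->getstr(tnm, "UUID", false)` is called after `tnm->unlock(tnm)` and returns the table's internal pointer rather than a copy, and its result is passed on without a NULL check in case the table has no "UUID" entry. Whether `tnm` is shared between threads is not visible here, so the first may be harmless. I would spell the TODO out as `// TODO - check this: UUID is read after unlock() without a copy, and may be NULL.` The enclosing function starts and ends outside the hunk.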