[#709] Fix cache poisoning vector if credential caching is enabled.

The cache did not distinguish between cached credentials for read and write access. As it does not check permissions again if there is a cache hit, users with authorization for either reading or writing could poison the cache and subsequently authorize themselves for both access types. Original fix is by Jean-Philippe Lang, http://www.redmine.org/issues/9567

[#709] Fix cache poisoning vector if credential caching is enabled.
The cache did not distinguish between cached credentials for read and write access. As it does not check permissions again if there is a cache hit, users with authorization for either reading or writing could poison the cache and subsequently authorize themselves for both access types. Original fix is by Jean-Philippe Lang, http://www.redmine.org/issues/9567
5e171001 · Holger Just · 24538a4a · 5e171001
Commit 5e171001 authored Nov 28, 2011 by Holger Just
Hide whitespace changes
Inline Side-by-side

Showing with 5 additions and 3 deletions

Redmine.pm extra/svn/Redmine.pm +5 -3

No files found.
--- a/extra/svn/Redmine.pm
+++ b/extra/svn/Redmine.pm
@@ -438,10 +438,12 @@ sub is_member {
  my $pass_digest = Digest::SHA1::sha1_hex($redmine_pass);
+  my $access_mode = request_is_read_only($r) ? "R" : "W";
  my $cfg = Apache2::Module::get_config(__PACKAGE__, $r->server, $r->per_dir_config);
  my $usrprojpass;
  if ($cfg->{RedmineCacheCredsMax}) {
-    $usrprojpass = $cfg->{RedmineCacheCreds}->get($redmine_user.":".$project_id);
+    $usrprojpass = $cfg->{RedmineCacheCreds}->get($redmine_user.":".$project_id.":".$access_mode);
    return 1 if (defined $usrprojpass and ($usrprojpass eq $pass_digest));
  }
  my $query = $cfg->{RedmineQuery};
@@ -485,10 +487,10 @@ sub is_member {
  if ($cfg->{RedmineCacheCredsMax} and $ret) {
    if (defined $usrprojpass) {
-      $cfg->{RedmineCacheCreds}->set($redmine_user.":".$project_id, $pass_digest);
+      $cfg->{RedmineCacheCreds}->set($redmine_user.":".$project_id.":".$access_mode, $pass_digest);
    } else {
      if ($cfg->{RedmineCacheCredsCount} < $cfg->{RedmineCacheCredsMax}) {
-        $cfg->{RedmineCacheCreds}->set($redmine_user.":".$project_id, $pass_digest);
+        $cfg->{RedmineCacheCreds}->set($redmine_user.":".$project_id.":".$access_mode, $pass_digest);
        $cfg->{RedmineCacheCredsCount}++;
      } else {
        $cfg->{RedmineCacheCreds}->clear();