fernando/luos
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

HOR-3433

Browse Source 
Fix ProcessMaker User Password Hash Disclosure.
This commit is contained in:
davidcallizaya
2017-08-09 14:40:02 -04:00
parent b839a247d9
commit 2f3daccd6b
5 changed files with 43 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
rbac/engine/classes/model/RbacUsers.php
View File

@@ -75,12 +75,13 @@ class RbacUsers extends BaseRbacUsers
try { try {
$c = new Criteria('rbac'); $c = new Criteria('rbac');
$c->add(RbacUsersPeer::USR_USERNAME, $sUsername); $c->add(RbacUsersPeer::USR_USERNAME, $sUsername);
/* @var $rs RbacUsers[] */
$rs = RbacUsersPeer::doSelect($c, Propel::getDbConnection('rbac_ro')); $rs = RbacUsersPeer::doSelect($c, Propel::getDbConnection('rbac_ro'));
if (is_array($rs) && isset($rs[0]) && is_object($rs[0]) && get_class($rs[0]) == 'RbacUsers') { if (is_array($rs) && isset($rs[0]) && is_object($rs[0]) && get_class($rs[0]) == 'RbacUsers') {
$aFields = $rs[0]->toArray(BasePeer::TYPE_FIELDNAME); $aFields = $rs[0]->toArray(BasePeer::TYPE_FIELDNAME);
//verify password with md5, and md5 format //verify password with md5, and md5 format
if (mb_strtoupper($sUsername, 'utf-8') === mb_strtoupper($aFields['USR_USERNAME'], 'utf-8')) { if (mb_strtoupper($sUsername, 'utf-8') === mb_strtoupper($aFields['USR_USERNAME'], 'utf-8')) {
if( Bootstrap::verifyHashPassword($sPassword, $aFields['USR_PASSWORD']) ) { if( Bootstrap::verifyHashPassword($sPassword, $rs[0]->getUsrPassword()) ) {
if ($aFields['USR_DUE_DATE'] < date('Y-m-d')) { if ($aFields['USR_DUE_DATE'] < date('Y-m-d')) {
return -4; return -4;
} }
@@ -317,6 +318,25 @@ class RbacUsers extends BaseRbacUsers
throw($oError); throw($oError);
} }
} }
/**
* {@inheritdoc} except USR_PASSWORD, for security reasons.
*
* @param string $keyType One of the class type constants TYPE_PHPNAME,
* TYPE_COLNAME, TYPE_FIELDNAME, TYPE_NUM
* @return an associative array containing the field names (as keys) and field values
*/
public function toArray($keyType = BasePeer::TYPE_PHPNAME)
{
$key = RbacUsersPeer::translateFieldName(
RbacUsersPeer::USR_PASSWORD,
BasePeer::TYPE_COLNAME,
$keyType
);
$array = parent::toArray($keyType);
unset($array[$key]);
return $array;
}
} }
// Users // Users

19
workflow/engine/classes/model/Users.php
View File

@@ -490,4 +490,23 @@ class Users extends BaseUsers
$criteria->add(UsersPeer::USR_ID, $id); $criteria->add(UsersPeer::USR_ID, $id);
return UsersPeer::doSelect($criteria)[0]; return UsersPeer::doSelect($criteria)[0];
} }
/**
* {@inheritdoc} except USR_PASSWORD, for security reasons.
*
* @param string $keyType One of the class type constants TYPE_PHPNAME,
* TYPE_COLNAME, TYPE_FIELDNAME, TYPE_NUM
* @return an associative array containing the field names (as keys) and field values
*/
public function toArray($keyType = BasePeer::TYPE_PHPNAME)
{
$key = UsersPeer::translateFieldName(
UsersPeer::USR_PASSWORD,
BasePeer::TYPE_COLNAME,
$keyType
);
$array = parent::toArray($keyType);
unset($array[$key]);
return $array;
}
} }

2
workflow/engine/methods/users/usersAjax.php
View File

@@ -318,7 +318,7 @@ switch ($_POST['action']) {
require_once 'classes/model/UsersProperties.php'; require_once 'classes/model/UsersProperties.php';
$oUserProperty = new UsersProperties(); $oUserProperty = new UsersProperties();
$aUserProperty = $oUserProperty->loadOrCreateIfNotExists($aFields['USR_UID'], array('USR_PASSWORD_HISTORY' => serialize(array($aFields['USR_PASSWORD'])))); $aUserProperty = $oUserProperty->loadOrCreateIfNotExists($aFields['USR_UID'], array('USR_PASSWORD_HISTORY' => serialize(array($oUser->getUsrPassword()))));
$aFields['USR_LOGGED_NEXT_TIME'] = $aUserProperty['USR_LOGGED_NEXT_TIME']; $aFields['USR_LOGGED_NEXT_TIME'] = $aUserProperty['USR_LOGGED_NEXT_TIME'];
if (array_key_exists('USR_PASSWORD', $aFields)) { if (array_key_exists('USR_PASSWORD', $aFields)) {

2
workflow/engine/src/ProcessMaker/BusinessModel/User.php
View File

@@ -785,7 +785,7 @@ class User
$oUser = new Users(); $oUser = new Users();
$aUser = $oUser->load($userUid); $aUser = $oUser->load($userUid);
$oUserProperty = new UsersProperties(); $oUserProperty = new UsersProperties();
$aUserProperty = $oUserProperty->loadOrCreateIfNotExists($userUid, array("USR_PASSWORD_HISTORY" => serialize(array($aUser["USR_PASSWORD"])))); $aUserProperty = $oUserProperty->loadOrCreateIfNotExists($userUid, array("USR_PASSWORD_HISTORY" => serialize(array($oUser->getUsrPassword()))));
$aUserProperty["USR_LOGGED_NEXT_TIME"] = $arrayData["USR_LOGGED_NEXT_TIME"]; $aUserProperty["USR_LOGGED_NEXT_TIME"] = $arrayData["USR_LOGGED_NEXT_TIME"];
$oUserProperty->update($aUserProperty); $oUserProperty->update($aUserProperty);
} }

2
workflow/engine/src/ProcessMaker/BusinessModel/WebEntry.php
View File

@@ -382,7 +382,7 @@ class WebEntry
$arrayUserData = $user->load($arrayWebEntryData["USR_UID"]); $arrayUserData = $user->load($arrayWebEntryData["USR_UID"]);
$usrUsername = $arrayUserData["USR_USERNAME"]; $usrUsername = $arrayUserData["USR_USERNAME"];
$usrPassword = $arrayUserData["USR_PASSWORD"]; $usrPassword = $user->getUsrPassword();
$dynaForm = new \Dynaform(); $dynaForm = new \Dynaform();