fernando/luos
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

HOR-3433

Browse Source 
Fix ProcessMaker User Password Hash Disclosure.
This commit is contained in:
davidcallizaya
2017-08-09 14:40:02 -04:00
parent b839a247d9
commit 2f3daccd6b
5 changed files with 43 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
rbac/engine/classes/model/RbacUsers.php
View File

@@ -75,12 +75,13 @@ class RbacUsers extends BaseRbacUsers
try {
$c = new Criteria('rbac');
$c->add(RbacUsersPeer::USR_USERNAME, $sUsername);
/* @var $rs RbacUsers[] */
$rs = RbacUsersPeer::doSelect($c, Propel::getDbConnection('rbac_ro'));
if (is_array($rs) && isset($rs[0]) && is_object($rs[0]) && get_class($rs[0]) == 'RbacUsers') {
$aFields = $rs[0]->toArray(BasePeer::TYPE_FIELDNAME);
//verify password with md5, and md5 format
if (mb_strtoupper($sUsername, 'utf-8') === mb_strtoupper($aFields['USR_USERNAME'], 'utf-8')) {
if( Bootstrap::verifyHashPassword($sPassword, $aFields['USR_PASSWORD']) ) {
if( Bootstrap::verifyHashPassword($sPassword, $rs[0]->getUsrPassword()) ) {
if ($aFields['USR_DUE_DATE'] < date('Y-m-d')) {
return -4;
}
@@ -317,6 +318,25 @@ class RbacUsers extends BaseRbacUsers
throw($oError);
}
}
/**
* {@inheritdoc} except USR_PASSWORD, for security reasons.
*
* @param string $keyType One of the class type constants TYPE_PHPNAME,
* TYPE_COLNAME, TYPE_FIELDNAME, TYPE_NUM
* @return an associative array containing the field names (as keys) and field values
*/
public function toArray($keyType = BasePeer::TYPE_PHPNAME)
{
$key = RbacUsersPeer::translateFieldName(
RbacUsersPeer::USR_PASSWORD,
BasePeer::TYPE_COLNAME,
$keyType
);
$array = parent::toArray($keyType);
unset($array[$key]);
return $array;
}
}
// Users

19
workflow/engine/classes/model/Users.php
View File

@@ -490,4 +490,23 @@ class Users extends BaseUsers
$criteria->add(UsersPeer::USR_ID, $id);
return UsersPeer::doSelect($criteria)[0];
}
/**
* {@inheritdoc} except USR_PASSWORD, for security reasons.
*
* @param string $keyType One of the class type constants TYPE_PHPNAME,
* TYPE_COLNAME, TYPE_FIELDNAME, TYPE_NUM
* @return an associative array containing the field names (as keys) and field values
*/
public function toArray($keyType = BasePeer::TYPE_PHPNAME)
{
$key = UsersPeer::translateFieldName(
UsersPeer::USR_PASSWORD,
BasePeer::TYPE_COLNAME,
$keyType
);
$array = parent::toArray($keyType);
unset($array[$key]);
return $array;
}
}

2
workflow/engine/methods/users/usersAjax.php
View File

@@ -318,7 +318,7 @@ switch ($_POST['action']) {
require_once 'classes/model/UsersProperties.php';
$oUserProperty = new UsersProperties();
$aUserProperty = $oUserProperty->loadOrCreateIfNotExists($aFields['USR_UID'], array('USR_PASSWORD_HISTORY' => serialize(array($aFields['USR_PASSWORD']))));
$aUserProperty = $oUserProperty->loadOrCreateIfNotExists($aFields['USR_UID'], array('USR_PASSWORD_HISTORY' => serialize(array($oUser->getUsrPassword()))));
$aFields['USR_LOGGED_NEXT_TIME'] = $aUserProperty['USR_LOGGED_NEXT_TIME'];
if (array_key_exists('USR_PASSWORD', $aFields)) {

2
workflow/engine/src/ProcessMaker/BusinessModel/User.php
View File

@@ -785,7 +785,7 @@ class User
$oUser = new Users();
$aUser = $oUser->load($userUid);
$oUserProperty = new UsersProperties();
$aUserProperty = $oUserProperty->loadOrCreateIfNotExists($userUid, array("USR_PASSWORD_HISTORY" => serialize(array($aUser["USR_PASSWORD"]))));
$aUserProperty = $oUserProperty->loadOrCreateIfNotExists($userUid, array("USR_PASSWORD_HISTORY" => serialize(array($oUser->getUsrPassword()))));
$aUserProperty["USR_LOGGED_NEXT_TIME"] = $arrayData["USR_LOGGED_NEXT_TIME"];
$oUserProperty->update($aUserProperty);
}

2
workflow/engine/src/ProcessMaker/BusinessModel/WebEntry.php
View File

@@ -382,7 +382,7 @@ class WebEntry
$arrayUserData = $user->load($arrayWebEntryData["USR_UID"]);
$usrUsername = $arrayUserData["USR_USERNAME"];
$usrPassword = $arrayUserData["USR_PASSWORD"];
$usrPassword = $user->getUsrPassword();
$dynaForm = new \Dynaform();