mirror of https://github.com/MISP/MISP
Very large PGP keys would prevent users from logging in - fixes #142
- removed the PGP key from the Auth user - PGP key of currently logged in user is looked up on demand and not stored in the sessionpull/274/merge
iglocska
parent
4a96209d5a
commit
1054ff6e85
|
|
@ -18,7 +18,6 @@ class SecureAuthComponent extends AuthComponent {
|
|||
*/
|
||||
public function login($user = null) {
|
||||
$this->_setDefaults();
|
||||
|
||||
if (empty($user)) {
|
||||
$this->Bruteforce = ClassRegistry::init('Bruteforce');
|
||||
// do the anti-bruteforce checks
|
||||
|
|
@ -29,6 +28,7 @@ class SecureAuthComponent extends AuthComponent {
|
|||
// user - ip combination is not blacklisted
|
||||
// check if the user credentials are valid
|
||||
$user = $this->identify($this->request, $this->response);
|
||||
unset($user['gpgkey']);
|
||||
if ($user === false) {
|
||||
// insert row in Bruteforce table
|
||||
$this->Bruteforce->insert($_SERVER['REMOTE_ADDR'], $username);
|
||||
|
|
|
|||
|
|
@ -184,7 +184,7 @@ class EventsController extends AppController {
|
|||
),
|
||||
));
|
||||
$this->set('events', $this->paginate());
|
||||
if (!$this->Auth->user('gpgkey') and Configure::read('GnuPG.onlyencrypted') == 'true') {
|
||||
if (!$this->Event->User->getPGP($this->Auth->user('id')) && Configure::read('GnuPG.onlyencrypted') == 'true') {
|
||||
$this->Session->setFlash(__('No GPG key set in your profile. To receive emails, submit your public key in your profile.'));
|
||||
}
|
||||
$this->set('eventDescriptions', $this->Event->fieldDescriptions);
|
||||
|
|
@ -1085,7 +1085,9 @@ class EventsController extends AppController {
|
|||
if ($this->request->is('post') || $this->request->is('put')) {
|
||||
$message = $this->request->data['Event']['message'];
|
||||
$all = $this->request->data['Event']['person'];
|
||||
if ($this->Event->sendContactEmailRouter($id, $message, $all, $this->Auth->user(), $this->_isSiteAdmin())) {
|
||||
$user = $this->Auth->user();
|
||||
$user['gpgkey'] = $this->Event->User->getPGP($user['id']);
|
||||
if ($this->Event->sendContactEmailRouter($id, $message, $all, $user, $this->_isSiteAdmin())) {
|
||||
// redirect to the view event page
|
||||
$this->Session->setFlash(__('Email sent to the reporter.', true));
|
||||
} else {
|
||||
|
|
|
|||
|
|
@ -96,6 +96,8 @@ class ShadowAttributesController extends AppController {
|
|||
$activeAttribute['Attribute']['type'] = $shadow['type'];
|
||||
$activeAttribute['Attribute']['category'] = $shadow['category'];
|
||||
$activeAttribute['Attribute']['to_ids'] = $shadow['to_ids'];
|
||||
$date = new DateTime();
|
||||
$activeAttribute['Attribute']['timestamp'] = $date->getTimestamp();
|
||||
$this->Attribute->save($activeAttribute['Attribute']);
|
||||
$this->ShadowAttribute->delete($id, $cascade = false);
|
||||
$this->loadModel('Event');
|
||||
|
|
@ -104,7 +106,6 @@ class ShadowAttributesController extends AppController {
|
|||
// Unpublish the event, accepting a proposal is modifying the event after all. Also, reset the lock.
|
||||
$event = $this->Event->read(null, $activeAttribute['Attribute']['event_id']);
|
||||
$fieldList = array('proposal_email_lock', 'id', 'info', 'published', 'timestamp');
|
||||
$date = new DateTime();
|
||||
$event['Event']['timestamp'] = $date->getTimestamp();
|
||||
$event['Event']['proposal_email_lock'] = 0;
|
||||
$event['Event']['published'] = 0;
|
||||
|
|
@ -662,11 +663,11 @@ class ShadowAttributesController extends AppController {
|
|||
$bodySigned = $gpg->sign($body, Crypt_GPG::SIGN_MODE_CLEAR);
|
||||
// Add the GPG key of the user as attachment
|
||||
// LATER sign the attached GPG key
|
||||
if (null != ($this->Auth->user('gpgkey'))) {
|
||||
if (null != (!$this->User->getPGP($this->Auth->user('id')))) {
|
||||
// save the gpg key to a temporary file
|
||||
$tmpfname = tempnam(TMP, "GPGkey");
|
||||
$handle = fopen($tmpfname, "w");
|
||||
fwrite($handle, $this->Auth->user('gpgkey'));
|
||||
fwrite($handle, $this->User->getPGP($this->Auth->user('id'));
|
||||
fclose($handle);
|
||||
// attach it
|
||||
$this->Email->attachments = array(
|
||||
|
|
@ -702,7 +703,7 @@ class ShadowAttributesController extends AppController {
|
|||
$this->set('body', $bodyEncSig);
|
||||
// Add the GPG key of the user as attachment
|
||||
// LATER sign the attached GPG key
|
||||
if (null != ($this->Auth->user('gpgkey'))) {
|
||||
if (null != ($this->User->getPGP($this->Auth->user('id'))) {
|
||||
// attach the gpg key
|
||||
$this->Email->attachments = array(
|
||||
'gpgkey.asc' => $tmpfname
|
||||
|
|
|
|||
|
|
@ -401,4 +401,12 @@ class User extends AppModel {
|
|||
}
|
||||
return $results;
|
||||
}
|
||||
|
||||
public function getPGP($id) {
|
||||
$result = $this->find('first', array(
|
||||
'recursive' => -1,
|
||||
'fields' => array('id', 'gpgkey'),
|
||||
));
|
||||
return $result['User']['gpgkey'];
|
||||
}
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in New Issue