Fix to a critical vulnerability for the login authentication mechanism
- The API key check was incorrectly logging in the wrong user when the API key started with a numeric value
pull/976/head v2.4.21
parent
71b2446469
commit
77c9ce3b73
@ -382,7 +382,7 @@ class AppController extends Controller {
public function checkAuthUser($authkey) {
$this->loadModel('User');
$this->User->recursive = -1;
$user = $this->User->getAuthUser($authkey);
$user = $this->User->getAuthUserByUuid($authkey);
if (empty($user)) return false;
if ($user['Role']['perm_site_admin']) $user['siteadmin'] = true;
return $user;
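Review bot: The replacement lookup on the `$user = $this->User->getAuthUserByUuid($authkey);` line is keyed on `User.authkey` (see the second hunk), not on a UUID, so the method name misstates what is being compared at the call site; naming it `getAuthUserByAuthkey` would make the contract visible to readers of checkAuthUser. The retained `getAuthUser($id)` now filters on `User.id` alone, so any remaining caller that still passes an API key string would be exposed to the same numeric-prefix coercion this commit fixes here; if that cannot be ruled out, coercing explicitly with `$conditions = array('User.id' => (int) $id);` or rejecting non-numeric input in getAuthUser closes that path. It may also be worth guarding `if (empty($authkey)) return false;` before the query so an absent header cannot match a row whose authkey is unset, should such rows exist. The method's closing brace lies outside this hunk.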
@ -433,7 +433,21 @@ class User extends AppModel {
// get the current user and rearrange it to be in the same format as in the auth component
public function getAuthUser($id) {
$user = $this->find('first', array('conditions' => array('OR' => array('User.id' => $id, 'User.authkey' => $id)), 'recursive' => -1,'contain' => array('Organisation', 'Role', 'Server')));
$conditions = array('User.id' => $id);
$user = $this->find('first', array('conditions' => $conditions, 'recursive' => -1,'contain' => array('Organisation', 'Role', 'Server')));
if (empty($user)) return $user;
// Rearrange it a bit to match the Auth object created during the login
$user['User']['Role'] = $user['Role'];
$user['User']['Organisation'] = $user['Organisation'];
$user['User']['Server'] = $user['Server'];
unset($user['Organisation'], $user['Role'], $user['Server']);
return $user['User'];
}
// get the current user and rearrange it to be in the same format as in the auth component
public function getAuthUserByUuid($id) {
$conditions = array('User.authkey' => $id);
$user = $this->find('first', array('conditions' => $conditions, 'recursive' => -1,'contain' => array('Organisation', 'Role', 'Server')));
if (empty($user)) return $user;
// Rearrange it a bit to match the Auth object created during the login
$user['User']['Role'] = $user['Role'];