[LON-CAPA-cvs] cvs: loncom / lond /auth lonauth.pm
www
lon-capa-cvs@mail.lon-capa.org
Sun, 02 Mar 2003 03:58:55 -0000
www Sat Mar 1 22:58:55 2003 EDT
Modified files:
/loncom lond
/loncom/auth lonauth.pm
Log:
Fixes possible security problem.
Index: loncom/lond
diff -u loncom/lond:1.109 loncom/lond:1.110
--- loncom/lond:1.109 Fri Feb 28 23:18:22 2003
+++ loncom/lond Sat Mar 1 22:58:55 2003
@@ -2,7 +2,7 @@
# The LearningOnline Network
# lond "LON Daemon" Server (port "LOND" 5663)
#
-# $Id: lond,v 1.109 2003/03/01 04:18:22 foxr Exp $
+# $Id: lond,v 1.110 2003/03/02 03:58:55 www Exp $
#
# Copyright Michigan State University Board of Trustees
#
@@ -1511,6 +1511,18 @@
."IO::File->new Failed\n";
}
+# ---------------------------------------------------------------------- tmpdel
+ } elsif ($userinput =~ /^tmpdel/) {
+ my ($cmd,$id)=split(/:/,$userinput);
+ chomp($id);
+ $id=~s/\W/\_/g;
+ my $execdir=$perlvar{'lonDaemons'};
+ if (unlink("$execdir/tmp/$id.tmp")) {
+ print $client "ok\n";
+ } else {
+ print $client "error: ".($!+0)
+ ."Unlink tmp Failed\n";
+ }
# -------------------------------------------------------------------------- ls
} elsif ($userinput =~ /^ls/) {
my ($cmd,$ulsdir)=split(/:/,$userinput);
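Review bot: The new `tmpdel` branch rewrites a malformed id instead of rejecting it, and never checks that an id was sent at all. If the request carries no `:` field, `$id` is undefined and the unlink targets `$execdir/tmp/.tmp`; and because `s/\W/\_/g` maps every non-word character to `_`, different inputs can collapse onto the same file name. I would put `unless (defined($id) && $id=~/^\w+$/) { print $client "error: invalid tmp id\n"; }` ahead of the unlink (the reply text is only a suggestion), and tighten the dispatch match to `/^tmpdel:/` so that other commands starting with those letters do not land here. The failure reply also joins the errno directly to the text (`($!+0)."Unlink tmp Failed\n"`), so a separating space is missing. The `elsif` chain this branch belongs to starts and continues outside the hunk.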
Index: loncom/auth/lonauth.pm
diff -u loncom/auth/lonauth.pm:1.43 loncom/auth/lonauth.pm:1.44
--- loncom/auth/lonauth.pm:1.43 Sat Mar 1 21:16:53 2003
+++ loncom/auth/lonauth.pm Sat Mar 1 22:58:55 2003
@@ -1,7 +1,7 @@
# The LearningOnline Network
# User Authentication Module
#
-# $Id: lonauth.pm,v 1.43 2003/03/02 02:16:53 www Exp $
+# $Id: lonauth.pm,v 1.44 2003/03/02 03:58:55 www Exp $
#
# Copyright Michigan State University Board of Trustees
#
@@ -287,8 +287,12 @@
if (($tmpinfo=~/^error/) || ($tmpinfo eq 'con_lost')) {
failed($r,'Information needed to verify your login information is missing, inaccessible or expired.');
return OK;
+ } else {
+ unless (&Apache::lonnet::reply('tmpdel:'.$FORM{'logtoken'},
+ $FORM{'serverid'}) eq 'ok') {
+ &failed($r,'Session could not be opened.');
+ }
}
-
my ($key,$firsturl)=split(/&/,$tmpinfo);
my $keybin=pack("H16",$key);
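Review bot: When the `tmpdel` reply is not `ok`, the added `else` branch calls `&failed(...)` but does not return, so as far as this hunk shows control falls through to `split(/&/,$tmpinfo)` and the login carries on with a token that was never deleted. The branch directly above ends with `return OK;` after `failed(...)`, and this one needs the same: `&failed($r,'Session could not be opened.'); return OK;`. With that return in place, the successful unlink on the server becomes the single claim on the token, so a second request that fetched the same token before it was removed is turned away instead of being accepted. The handler's body starts and continues outside this hunk.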