[LON-CAPA-cvs] cvs: loncom / lond /auth lonauth.pm

www lon-capa-cvs@mail.lon-capa.org
Sun, 02 Mar 2003 03:58:55 -0000


www		Sat Mar  1 22:58:55 2003 EDT

  Modified files:              
    /loncom	lond 
    /loncom/auth	lonauth.pm 
  Log:
  Fixes possible security problem.
  
  
Index: loncom/lond
diff -u loncom/lond:1.109 loncom/lond:1.110
--- loncom/lond:1.109	Fri Feb 28 23:18:22 2003
+++ loncom/lond	Sat Mar  1 22:58:55 2003
@@ -2,7 +2,7 @@
 # The LearningOnline Network
 # lond "LON Daemon" Server (port "LOND" 5663)
 #
-# $Id: lond,v 1.109 2003/03/01 04:18:22 foxr Exp $
+# $Id: lond,v 1.110 2003/03/02 03:58:55 www Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -1511,6 +1511,18 @@
 			       ."IO::File->new Failed\n";
 		       }
 
+# ---------------------------------------------------------------------- tmpdel
+                   } elsif ($userinput =~ /^tmpdel/) {
+                       my ($cmd,$id)=split(/:/,$userinput);
+                       chomp($id);
+                       $id=~s/\W/\_/g;
+                       my $execdir=$perlvar{'lonDaemons'};
+                       if (unlink("$execdir/tmp/$id.tmp")) {
+			   print $client "ok\n";
+		       } else {
+			   print $client "error: ".($!+0)
+			       ."Unlink tmp Failed\n";
+		       }
 # -------------------------------------------------------------------------- ls
                    } elsif ($userinput =~ /^ls/) {
                        my ($cmd,$ulsdir)=split(/:/,$userinput);
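Review bot: `$id` is never checked for presence before it reaches `unlink` in the new `tmpdel` branch: a request of bare `tmpdel` with no `:` leaves `$id` undefined after the `split`, so `chomp` and the `s/\W/\_/g` substitution operate on undef (warnings under `use warnings`) and the branch then attempts to remove `tmp/.tmp`; an empty id takes the same path without the warnings. Since the `\W` rewrite is what confines the request to the `tmp` directory, the empty/missing case should be rejected explicitly rather than reported through `$!`, e.g. `if (!defined($id) || $id eq '') { print $client "error: missing id\n"; } elsif (unlink("$execdir/tmp/$id.tmp")) {` with the existing `else` left as is. The `elsif` dispatch chain this branch belongs to starts and ends outside the hunk.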
Index: loncom/auth/lonauth.pm
diff -u loncom/auth/lonauth.pm:1.43 loncom/auth/lonauth.pm:1.44
--- loncom/auth/lonauth.pm:1.43	Sat Mar  1 21:16:53 2003
+++ loncom/auth/lonauth.pm	Sat Mar  1 22:58:55 2003
@@ -1,7 +1,7 @@
 # The LearningOnline Network
 # User Authentication Module
 #
-# $Id: lonauth.pm,v 1.43 2003/03/02 02:16:53 www Exp $
+# $Id: lonauth.pm,v 1.44 2003/03/02 03:58:55 www Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -287,8 +287,12 @@
     if (($tmpinfo=~/^error/) || ($tmpinfo eq 'con_lost')) {
 	failed($r,'Information needed to verify your login information is missing, inaccessible or expired.');
         return OK;
+    } else {
+        unless (&Apache::lonnet::reply('tmpdel:'.$FORM{'logtoken'},
+                                         $FORM{'serverid'}) eq 'ok') {
+            &failed($r,'Session could not be opened.');
+	}
     }
-    
     my ($key,$firsturl)=split(/&/,$tmpinfo);
 
     my $keybin=pack("H16",$key);
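Review bot: When the `tmpdel` reply is not `ok`, the new `else` branch calls `&failed($r,'Session could not be opened.')` but does not return, so control falls through to `split(/&/,$tmpinfo)` and the session is established anyway with the login token still present on the server — the opposite of what the deletion is meant to enforce, and inconsistent with the error branch directly above it, which does `return OK;` after `failed(...)`. Make both branches terminate the same way: `&failed($r,'Session could not be opened.'); return OK;`. The two branches also differ in call style (`failed(` vs `&failed(`); the plain `failed(...)` form is preferable, as `&` bypasses prototypes and is the older idiom. The enclosing handler body begins before and continues after this hunk.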