[LON-CAPA-cvs] cvs: loncom /auth lonacc.pm
raeburn
raeburn at source.lon-capa.org
Tue Feb 9 17:17:40 EST 2021
raeburn Tue Feb 9 22:17:40 2021 EDT
Modified files:
/loncom/auth lonacc.pm
Log:
- Validate symb included in query string for /adm/navmaps, /adm/wrapper/...
/adm/coursedocs/showdoc/... URLs.
- Discard invalid symb for /adm/navmaps, but allow access in course context.
Index: loncom/auth/lonacc.pm
diff -u loncom/auth/lonacc.pm:1.186 loncom/auth/lonacc.pm:1.187
--- loncom/auth/lonacc.pm:1.186 Sat Jan 2 19:31:11 2021
+++ loncom/auth/lonacc.pm Tue Feb 9 22:17:40 2021
@@ -1,7 +1,7 @@
# The LearningOnline Network
# Cookie Based Access Handler
#
-# $Id: lonacc.pm,v 1.186 2021/01/02 19:31:11 raeburn Exp $
+# $Id: lonacc.pm,v 1.187 2021/02/09 22:17:40 raeburn Exp $
#
# Copyright Michigan State University Board of Trustees
#
@@ -789,18 +789,32 @@
}
if ($env{'form.symb'}) {
$symb=&Apache::lonnet::symbclean($env{'form.symb'});
- if ($requrl eq '/adm/navmaps') {
- my ($map,$mid,$murl)=&Apache::lonnet::decode_symb($symb);
- &Apache::lonnet::symblist($map,$murl => [$murl,$mid]);
- } elsif ($requrl =~ m|^/adm/wrapper/|
- || $requrl =~ m|^/adm/coursedocs/showdoc/|) {
- my ($map,$mid,$murl)=&Apache::lonnet::decode_symb($symb);
- if ($map =~ /\.page$/) {
- my $mapsymb = &Apache::lonnet::symbread($map);
- ($map,$mid,$murl)=&Apache::lonnet::decode_symb($mapsymb);
+ if (($requrl eq '/adm/navmaps') ||
+ ($requrl =~ m{^/adm/wrapper/}) ||
+ ($requrl =~ m{^/adm/coursedocs/showdoc/})) {
+ unless (&Apache::lonnet::symbverify($symb,$requrl)) {
+ if (&Apache::lonnet::is_on_map($requrl)) {
+ $symb = &Apache::lonnet::symbread($requrl);
+ unless (&Apache::lonnet::symbverify($symb,$requrl)) {
+ undef($symb);
+ }
+ }
+ }
+ if ($symb) {
+ if ($requrl eq '/adm/navmaps') {
+ my ($map,$mid,$murl)=&Apache::lonnet::decode_symb($symb);
+ &Apache::lonnet::symblist($map,$murl => [$murl,$mid]);
+ } elsif (($requrl =~ m{^/adm/wrapper/}) ||
+ ($requrl =~ m{^/adm/coursedocs/showdoc/})) {
+ my ($map,$mid,$murl)=&Apache::lonnet::decode_symb($symb);
+ if ($map =~ /\.page$/) {
+ my $mapsymb = &Apache::lonnet::symbread($map);
+ ($map,$mid,$murl)=&Apache::lonnet::decode_symb($mapsymb);
+ }
+ &Apache::lonnet::symblist($map,$murl => [$murl,$mid],
+ 'last_known' =>[$murl,$mid]);
+ }
}
- &Apache::lonnet::symblist($map,$murl => [$murl,$mid],
- 'last_known' =>[$murl,$mid]);
} elsif ((&Apache::lonnet::symbverify($symb,$requrl)) ||
(($requrl=~m|(.*)/smpedit$|) &&
&Apache::lonnet::symbverify($symb,$1)) ||
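Review bot: When `symbverify($symb,$requrl)` fails and `is_on_map($requrl)` is false, `$symb` still holds the unverified value taken from the query string and reaches `decode_symb`/`symblist` in the `if ($symb)` block below, so the validation added here only discards the symb for URLs that are on the map. Adding an `else` to the `is_on_map` test, `} else { undef($symb); }`, would mirror the inner branch and drop the unverified value in both cases, unless code after this hunk (the `$invalidsymb` handling, perhaps) is meant to catch it for these URLs. The enclosing handler starts and ends outside the hunk.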
@@ -860,10 +874,14 @@
}
}
if ($invalidsymb) {
- $r->log_reason('Invalid symb for '.$requrl.': '.$symb);
- $env{'user.error.msg'}=
- "$requrl:bre:1:1:Invalid Access";
- return HTTP_NOT_ACCEPTABLE;
+ if ($requrl eq '/adm/navmaps') {
+ undef(symb);
+ } else {
+ $r->log_reason('Invalid symb for '.$requrl.': '.$symb);
+ $env{'user.error.msg'}=
+ "$requrl:bre:1:1:Invalid Access";
+ return HTTP_NOT_ACCEPTABLE;
+ }
}
}
}
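Review bot: `undef(symb)` on the new `/adm/navmaps` branch is missing the `$` sigil, so it does not clear `$symb`; a bareword is not a valid lvalue for `undef`, so this line most likely fails at compile time rather than doing what the log message describes. It should read `undef($symb);`, matching the form used in the earlier hunk. The surrounding block starts outside the hunk, so whether later code depends on `$symb` being cleared here cannot be seen from this view.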