[LON-CAPA-cvs] cvs: loncom /auth lonracc.pm lontokacc.pm

bowersj2 lon-capa-cvs@mail.lon-capa.org
Mon, 21 Oct 2002 19:15:10 -0000


bowersj2		Mon Oct 21 15:15:10 2002 EDT

  Modified files:              
    /loncom/auth	lonracc.pm lontokacc.pm 
  Log:
  This took way longer then it should have.
  
  lonracc and lontokacc will now be accepting when one of two conditions
  is met:
  
  * The double-reverse lookup, according to $r->get_remote_host(REMOTE_DOUBLE_REV)
    is successful. This is identical to before.
  * The claimed host is the same as the current server, which works even with 
    wonky /etc/hosts files.
  
  I was initially worried this might be a potential security problem, but I do
  not believe it is. The reason is that this clause ONLY comes into effect
  when you're trying to spoof yourself as the server you are talking to. Even
  if you succeed, the server will then proceed to send itself a subscription
  request, which is not a big deal, PLUS the reason this is occuring in the
  first place is that the name maps back to 127.0.0.1, SO this request will
  go through the local interface anyhow, meaning Mr. Remote Attacker can't even
  see the subscription request that wouldn't help him anyhow.
  
  So in the end, all this does is hypothetically allow an attacker to cause a 
  server machine to subscribe itself to resources it hosts. This does not give
  the hypothetical attacker any benefit. Thus, this is not a security hole.
  
  
  
Index: loncom/auth/lonracc.pm
diff -u loncom/auth/lonracc.pm:1.5 loncom/auth/lonracc.pm:1.6
--- loncom/auth/lonracc.pm:1.5	Fri Jul 26 15:35:20 2002
+++ loncom/auth/lonracc.pm	Mon Oct 21 15:15:10 2002
@@ -1,7 +1,7 @@
 # The LearningOnline Network
 # Access Handler for File Transfers
 #
-# $Id: lonracc.pm,v 1.5 2002/07/26 19:35:20 albertel Exp $
+# $Id: lonracc.pm,v 1.6 2002/10/21 19:15:10 bowersj2 Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -52,9 +52,12 @@
 
 sub handler {
     my $r = shift;
-    my $reqhost;
-    unless ($reqhost=$r->get_remote_host(REMOTE_DOUBLE_REV)) {
-       $r->log_reason("Spoof request");
+    my $reqhost = $r->get_remote_host(REMOTE_DOUBLE_REV);
+    if (!$reqhost && $r->get_remote_host(REMOTE_NOLOOKUP) eq $r->get_server_name()) { 
+        $reqhost = $r->get_server_name();
+    } 
+    unless ($reqhost)
+       $r->log_reason("Spoof request from ".$ENV{'REMOTE_ADDR'});
        return FORBIDDEN;
     }
     my $readline;
Index: loncom/auth/lontokacc.pm
diff -u loncom/auth/lontokacc.pm:1.6 loncom/auth/lontokacc.pm:1.7
--- loncom/auth/lontokacc.pm:1.6	Thu Aug  8 09:45:21 2002
+++ loncom/auth/lontokacc.pm	Mon Oct 21 15:15:10 2002
@@ -1,7 +1,7 @@
 # The LearningOnline Network
 # Access Handler for User File Transfers
 #
-# $Id: lontokacc.pm,v 1.6 2002/08/08 13:45:21 www Exp $
+# $Id: lontokacc.pm,v 1.7 2002/10/21 19:15:10 bowersj2 Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -32,13 +32,17 @@
 use Apache::Constants qw(:common :remotehost);
 use Apache::lonnet();
 use Apache::File();
+use Data::Dumper;
 
 sub handler {
     my $r = shift;
-    my $reqhost;
-    unless ($reqhost=$r->get_remote_host(REMOTE_DOUBLE_REV)) {
-       $r->log_reason("Spoof request ".$reqhost);
-       return FORBIDDEN;
+    my $reqhost = $r->get_remote_host(REMOTE_DOUBLE_REV);
+    if (!$reqhost && $r->get_remote_host(REMOTE_NOLOOKUP) eq $r->get_server_name()) { 
+        $reqhost = $r->get_server_name(); 
+    }
+    unless ($reqhost) {
+        $r->log_reason("Spoof request from ". $reqhost);
+        return FORBIDDEN;
     }
     if ($reqhost eq 'localhost.localdomain') {
        $r->register_cleanup(\&removefile);