From: garvinhicking
Date: Thu, 12 Jul 2007 11:23:05 +0000 (+0000)
Subject: Admin interface security improved, thanks to Stefan Esser.
X-Git-Url: http://git.mjollnir.org/gw?a=commitdiff_plain;h=44197bafb50b5c326907a0f79c484d67d46ba514;p=s9y.git

Admin interface security improved, thanks to Stefan Esser.
---
diff --git a/docs/NEWS b/docs/NEWS
index cec8926..db2f2d5 100644
--- a/docs/NEWS
+++ b/docs/NEWS
@@ -19,6 +19,12 @@ Version 1.3 ()
 Version 1.2 ()
 ------------------------------------------------------------------------
+   * Stronger autologin cookie encryption, prevent mixup with template
+     options (which could make foreign users delete your configured
+     template option keys). Also use new serendpity_db_implode()
+     function for a safer API on image handling.
+     All hail Stefan Esser. :)
+
    * Backend templating changes to insert more classes to input fields
      etc (Don Chambers)
diff --git a/include/db/db.inc.php b/include/db/db.inc.php
index 91765e3..d352d2c 100644
--- a/include/db/db.inc.php
+++ b/include/db/db.inc.php
@@ -152,4 +152,31 @@ function serendipity_db_get_interval($val, $ival = 900) {
     }
 }
+/**
+ * Operates on an array to prepare it for SQL usage.
+ *
+ * @access public
+ * @param string Concatenation character
+ * @param array Input array
+ * @param string How to convert (int: Only numbers, string: serendipity_db_escape_String)
+ * @return string Imploded string
+ */
+function serendipity_db_implode($string, &$array, $type = 'int') {
+    $new_array = array();
+    if (!is_array($array)) {
+        return '';
+    }
+    foreach($array AS $idx => $key) {
+        if ($type == 'int') {
+            $new_array[$idx] = (int)$key;
+        } else {
+            $new_array[$idx] = serendipity_db_escape_string($key);
+        }
+    }
+    $string = implode($string, $new_array);
+    return $string;
+}
+
 /* vim: set sts=4 ts=4 expandtab : */
diff --git a/include/functions_config.inc.php b/include/functions_config.inc.php
index 6225822..fe72811 100644
--- a/include/functions_config.inc.php
+++ b/include/functions_config.inc.php
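Review bot: The 'string' mode of serendipity_db_implode only escapes each element and never adds the surrounding quote characters, so its output is safe only when the caller embeds it between its own quotes (as the functions_images.inc.php call sites do); the docblock should state that, e.g. `@param string $type How to convert (int: cast every element to int, string: escape every element; the caller must still supply the quotes)`. `$type == 'int'` is a loose comparison and any other value silently selects the escape branch; `if ($type === 'int') {` pins the intended dispatch. `&$array` declares a by-reference parameter the function never writes to, which forces callers to pass a variable and suggests a mutation that does not happen; `function serendipity_db_implode($string, $array, $type = 'int') {` is sufficient. The three `@param` tags also omit the parameter names (`$string`, `$array`, `$type`), which most PHPDoc tooling expects.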
@@ -420,13 +420,15 @@ function serendipity_issueAutologin($array) {
     }
     $package = base64_encode($package);
-    $rnd = md5(time() . $_SERVER['REMOTE_ADDR']);
+    $rnd = md5(uniqid(time(), true) . $_SERVER['REMOTE_ADDR']);
-    // Delete possible current cookie
-    serendipity_db_query("DELETE FROM {$serendipity['dbPrefix']}options WHERE okey = '" . serendipity_db_escape_string($serendipity['COOKIE']['author_information']) . "'");
+    // Delete possible current cookie. Also delete any autologin keys that smell like 3-week-old, dead fish.
+    serendipity_db_query("DELETE FROM {$serendipity['dbPrefix']}options
+                               WHERE okey = 'l_" . serendipity_db_escape_string($serendipity['COOKIE']['author_information']) . "'
+                                  OR (okey LIKE 'l_%' AND name < " . (time() - 1814400) . ")");
     // Issue new autologin cookie
-    serendipity_db_query("INSERT INTO {$serendipity['dbPrefix']}options (name, value, okey) VALUES ('" . time() . "', '" . serendipity_db_escape_string($package) . "', '" . $rnd . "')");
+    serendipity_db_query("INSERT INTO {$serendipity['dbPrefix']}options (name, value, okey) VALUES ('" . time() . "', '" . serendipity_db_escape_string($package) . "', 'l_" . $rnd . "')");
     serendipity_setCookie('author_information', $rnd);
 }
@@ -438,7 +440,7 @@ function serendipity_checkAutologin($ident, $iv) {
     global $serendipity;
     // Fetch login data from DB
-    $autologin =& serendipity_db_query("SELECT * FROM {$serendipity['dbPrefix']}options WHERE okey = '" . serendipity_db_escape_string($ident) . "' LIMIT 1", true, 'assoc');
+    $autologin =& serendipity_db_query("SELECT * FROM {$serendipity['dbPrefix']}options WHERE okey = 'l_" . serendipity_db_escape_string($ident) . "' LIMIT 1", true, 'assoc');
     if (!is_array($autologin)) {
         return false;
     }
diff --git a/include/functions_images.inc.php b/include/functions_images.inc.php
index 616f664..d5f0c41 100644
--- a/include/functions_images.inc.php
+++ b/include/functions_images.inc.php
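Review bot: In the added DELETE, `okey LIKE 'l_%'` does not match the literal prefix `l_`: underscore is a single-character wildcard in SQL LIKE, so the pattern also matches every option key that starts with `l` followed by any one character, and any such non-autologin row whose `name` sorts below the cutoff is deleted together with the expired keys — the very cross-deletion this change sets out to prevent. Escape the underscore, `OR (okey LIKE 'l\_%' AND name < " . (time() - 1814400) . ")");`, adding `ESCAPE '\'` on backends that do not treat backslash as the default escape, or compare the prefix with a substring function instead. The INSERT in the same hunk stores `time()` into `name` as a quoted string, so `name < <integer>` depends on the backend's string-to-number comparison rules and deserves a comment at the DELETE. `md5(uniqid(time(), true) . $_SERVER['REMOTE_ADDR'])` is still a largely predictable seed for what is in effect a bearer credential; a token drawn from a cryptographic random source (`/dev/urandom`, or `random_bytes()` on PHP 7+) is the stronger choice. serendipity_issueAutologin begins before the hunk.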
@@ -92,12 +92,8 @@ function serendipity_fetchImagesFromDatabase($start=0, $limit=0, &$total, $order
         }
     }
-    foreach($keywords AS $i => $keyword) {
-        $keywords[$i] = serendipity_db_escape_string($keyword);
-    }
-
     if (count($keywords) > 0) {
-        $cond['parts']['keywords'] = " AND (mk.property IN ('" . implode("', '", $keywords) . "'))\n";
+        $cond['parts']['keywords'] = " AND (mk.property IN ('" . serendipity_db_implode("', '", $keywords, 'string') . "'))\n";
         $cond['joinparts']['keywords'] = true;
     }
@@ -239,7 +235,7 @@ function serendipity_fetchImageFromDatabase($id, $mode = 'read') {
     if (is_array($id)) {
         $cond = array(
-            'and' => "WHERE i.id IN (" . implode(',', $id) . ")"
+            'and' => "WHERE i.id IN (" . serendipity_db_implode(',', $id) . ")"
         );
         $single = false;
         $assocKey = 'id';
@@ -2476,7 +2472,7 @@ function &serendipity_fetchMediaProperties($id) {
     $sql = "SELECT mediaid, property, property_group, property_subgroup, value
                 FROM {$serendipity['dbPrefix']}mediaproperties
-                WHERE mediaid IN (" . (is_array($id) ? implode(',', $id) : (int)$id) . ")";
+                WHERE mediaid IN (" . (is_array($id) ? serendipity_db_implode(',', $id) : (int)$id) . ")";
     $rows = serendipity_db_query($sql, false, 'assoc');
     $props = array();
     if (is_array($rows)) {
diff --git a/serendipity_config.inc.php b/serendipity_config.inc.php
index c41309a..d12a245 100644
--- a/serendipity_config.inc.php
+++ b/serendipity_config.inc.php
@@ -16,8 +16,7 @@ if (!headers_sent()) {
     // and be regenerated with a system-generated SID.
     // Patch by David Vieira-Kurz of majorsecurity.de
     if (!isset($_SESSION['SERVER_GENERATED_SID'])) {
-        session_destroy();
-        session_regenerate_id();
+        session_regenerate_id(true);
         session_start();
         header('X-Session-Reinit: true');
         $_SESSION['SERVER_GENERATED_SID'] = true;
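Review bot: An empty `$id` array still produces `WHERE i.id IN ()` in serendipity_fetchImageFromDatabase, because serendipity_db_implode returns '' for it exactly as implode did, and an empty IN list is a syntax error on every SQL backend; the `mediaid IN (...)` line in serendipity_fetchMediaProperties further down has the same gap. The new helper makes this a natural place to add the check: before building `$cond`, return the function's no-match result when `is_array($id) && count($id) == 0`, rather than issuing a query that is guaranteed to fail. Both functions continue outside their hunks, so the exact no-match value to return has to be taken from the surrounding code.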
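Review bot: After the switch to `session_regenerate_id(true)` the session remains active, so the `session_start();` on the following line is now redundant: in the old flow it re-opened the session that `session_destroy()` had closed, but on an already-started session PHP 5.x emits a notice and ignores the call. Drop that line and make the comment above the block say what now happens, e.g. `// Regenerate the id in place; the old session file is discarded but the data is kept`. Keeping the data while replacing the id is the intended session-fixation defense here, but the `SERVER_GENERATED_SID` flag triggers only one regeneration per session lifetime; the usual complement is regenerating again on login, which lies outside this hunk. The enclosing `if (!headers_sent())` block starts before the hunk.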