File:
[LON-CAPA] /
loncom /
auth /
lontokacc.pm
Revision
1.7:
download - view:
text,
annotated -
select for diffs
Mon Oct 21 19:15:10 2002 UTC (21 years, 6 months ago) by
bowersj2
Branches:
MAIN
CVS tags:
version_0_99_3,
version_0_99_2,
version_0_99_1,
version_0_99_0,
version_0_6_2,
version_0_6,
conference_2003,
HEAD
This took way longer then it should have.
lonracc and lontokacc will now be accepting when one of two conditions
is met:
* The double-reverse lookup, according to $r->get_remote_host(REMOTE_DOUBLE_REV)
is successful. This is identical to before.
* The claimed host is the same as the current server, which works even with
wonky /etc/hosts files.
I was initially worried this might be a potential security problem, but I do
not believe it is. The reason is that this clause ONLY comes into effect
when you're trying to spoof yourself as the server you are talking to. Even
if you succeed, the server will then proceed to send itself a subscription
request, which is not a big deal, PLUS the reason this is occuring in the
first place is that the name maps back to 127.0.0.1, SO this request will
go through the local interface anyhow, meaning Mr. Remote Attacker can't even
see the subscription request that wouldn't help him anyhow.
So in the end, all this does is hypothetically allow an attacker to cause a
server machine to subscribe itself to resources it hosts. This does not give
the hypothetical attacker any benefit. Thus, this is not a security hole.
# The LearningOnline Network
# Access Handler for User File Transfers
#
# $Id: lontokacc.pm,v 1.7 2002/10/21 19:15:10 bowersj2 Exp $
#
# Copyright Michigan State University Board of Trustees
#
# This file is part of the LearningOnline Network with CAPA (LON-CAPA).
#
# LON-CAPA is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# LON-CAPA is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with LON-CAPA; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#
# /home/httpd/html/adm/gpl.txt
#
# http://www.lon-capa.org/
#
package Apache::lontokacc;
use strict;
use Apache::Constants qw(:common :remotehost);
use Apache::lonnet();
use Apache::File();
use Data::Dumper;
sub handler {
my $r = shift;
my $reqhost = $r->get_remote_host(REMOTE_DOUBLE_REV);
if (!$reqhost && $r->get_remote_host(REMOTE_NOLOOKUP) eq $r->get_server_name()) {
$reqhost = $r->get_server_name();
}
unless ($reqhost) {
$r->log_reason("Spoof request from ". $reqhost);
return FORBIDDEN;
}
if ($reqhost eq 'localhost.localdomain') {
$r->register_cleanup(\&removefile);
return OK;
}
my $readline;
my $lontabdir=$r->dir_config('lonTabDir');
{
my $fh;
unless ($fh=Apache::File->new("$lontabdir/hosts.tab")) {
$r->log_reason("Could not find host tab file");
return FORBIDDEN;
}
while ($readline=<$fh>) {
my ($id,$domain,$role,$name,$ip)=split(/:/,$readline);
if ($name =~ /$reqhost/i) {
$r->register_cleanup(\&removefile);
return OK;
}
}
}
$r->log_reason("Invalid request for user file transfer from $reqhost",
$r->filename);
return FORBIDDEN;
}
sub removefile {
my $r=shift;
if ($r->status==200) {
unlink($r->filename);
&Apache::lonnet::logthis('Unlinking '.$r->filename);
} else {
&Apache::lonnet::logthis('Failed to transfer '.$r->filename);
}
}
1;
__END__
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>
![[BACK]](/icons/back.gif){kind=icon}
Return to lontokacc.pm CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [LON-CAPA] / loncom / auth