From 4ad7c9d6257ca106b2949d22f6300823190991a0 Mon Sep 17 00:00:00 2001 From: joey Date: Sun, 27 Aug 2006 20:25:05 +0000 Subject: [PATCH] * Patch from James Westby to add a --sslcookie switch, which forces cookies to only be sent over ssl connections to avoid interception. * Factor out the cgi header printing code into a new function. * Fix preferences page on anonok wikis; still need to sign in to get to the preferences page. --- IkiWiki.pm | 1 + IkiWiki/CGI.pm | 24 ++++++++++++++++++------ debian/changelog | 7 ++++++- doc/ikiwiki.setup | 2 ++ doc/patchqueue/use-ssl-for-cookies.mdwn | 20 -------------------- doc/security.mdwn | 4 +++- doc/usage.mdwn | 6 ++++++ ikiwiki.pl | 1 + 8 files changed, 37 insertions(+), 28 deletions(-) delete mode 100644 doc/patchqueue/use-ssl-for-cookies.mdwn diff --git a/IkiWiki.pm b/IkiWiki.pm index b6e160ab6..990836f8e 100644 --- a/IkiWiki.pm +++ b/IkiWiki.pm @@ -54,6 +54,7 @@ sub defaultconfig () { #{{{ plugin => [qw{mdwn inline htmlscrubber}], timeformat => '%c', locale => undef, + sslcookie => 0, } #}}} sub checkconfig () { #{{{ diff --git a/IkiWiki/CGI.pm b/IkiWiki/CGI.pm index 120e2fdee..8e0339dc5 100644 --- a/IkiWiki/CGI.pm +++ b/IkiWiki/CGI.pm @@ -9,6 +9,18 @@ use Encode; package IkiWiki; +sub printheader ($) { #{{{ + my $session=shift; + + if ($config{sslcookie}) { + print $session->header(-charset => 'utf-8', + -cookie => $session->cookie(-secure => 1)); + } else { + print $session->header(-charset => 'utf-8'); + } + +} #}}} + sub redirect ($$) { #{{{ my $q=shift; my $url=shift; @@ -72,7 +84,7 @@ sub cgi_recentchanges ($) { #{{{ changelog => [rcs_recentchanges(100)], baseurl => baseurl(), ); - print $q->header(-charset=>'utf-8'), $template->output; + print $q->header(-charset => 'utf-8'), $template->output; } #}}} sub cgi_signin ($$) { #{{{ @@ -204,7 +216,7 @@ sub cgi_signin ($$) { #{{{ $form->field(name => "confirm_password", type => "hidden"); $form->field(name => "email", type => "hidden"); $form->text("Registration successful. Now you can Login."); - print $session->header(-charset=>'utf-8'); + printheader($session); print misctemplate($form->title, $form->render(submit => ["Login"])); } else { @@ -232,12 +244,12 @@ sub cgi_signin ($$) { #{{{ $form->text("Your password has been emailed to you."); $form->field(name => "name", required => 0); - print $session->header(-charset=>'utf-8'); + printheader($session); print misctemplate($form->title, $form->render(submit => ["Login", "Register", "Mail Password"])); } } else { - print $session->header(-charset=>'utf-8'); + printheader($session); print misctemplate($form->title, $form->render(submit => ["Login", "Register", "Mail Password"])); } } #}}} @@ -314,7 +326,7 @@ sub cgi_prefs ($$) { #{{{ $form->text("Preferences saved."); } - print $session->header(-charset=>'utf-8'); + printheader($session); print misctemplate($form->title, $form->render(submit => \@buttons)); } #}}} @@ -596,7 +608,7 @@ sub cgi () { #{{{ umask($oldmask); # Everything below this point needs the user to be signed in. - if ((! $config{anonok} && + if (((! $config{anonok} || $do eq 'prefs') && (! defined $session->param("name") || ! userinfo_get($session->param("name"), "regdate"))) || $do eq 'signin') { cgi_signin($q, $session); diff --git a/debian/changelog b/debian/changelog index 7636cd12e..2d1fd3777 100644 --- a/debian/changelog +++ b/debian/changelog @@ -35,8 +35,13 @@ ikiwiki (1.22) UNRELEASED; urgency=low * Patch from James Westby to add a template for the search form. * Cache search form for speedup. * Added a ddate plugin. + * Patch from James Westby to add a --sslcookie switch, which forces + cookies to only be sent over ssl connections to avoid interception. + * Factor out the cgi header printing code into a new function. + * Fix preferences page on anonok wikis; still need to sign in to get + to the preferences page. - -- Joey Hess Sat, 26 Aug 2006 23:48:31 -0400 + -- Joey Hess Sun, 27 Aug 2006 16:17:21 -0400 ikiwiki (1.21) unstable; urgency=low diff --git a/doc/ikiwiki.setup b/doc/ikiwiki.setup index bf1aa3703..9a4b61ec4 100644 --- a/doc/ikiwiki.setup +++ b/doc/ikiwiki.setup @@ -74,6 +74,8 @@ use IkiWiki::Setup::Standard { #timeformat => '%c', # Locale to use. Must be a UTF-8 locale. #locale => 'en_US.UTF-8', + # Only send cookies over SSL connections. + #sslcookie => 1, # Logging settings: verbose => 0, syslog => 0, diff --git a/doc/patchqueue/use-ssl-for-cookies.mdwn b/doc/patchqueue/use-ssl-for-cookies.mdwn deleted file mode 100644 index c2ee63782..000000000 --- a/doc/patchqueue/use-ssl-for-cookies.mdwn +++ /dev/null @@ -1,20 +0,0 @@ -It is very easy to stop the password being sniffed, you just use https:// for cgiurl -(with appropriately configure server of course), and disallow access to the cgiscript -over http. - -However the cookie is still sent for all requests, meaning that it could be stolen. -I don't know quite how well CGI::Session defends against this, but the best it could -do is probably tie it to an IP address, but that still leaves room for abuse. - -I have created a patch that adds a config option sslcookie, which causes the -cookie to have it's secure property set. This means that it is only sent over SSL. -So if you can configure apache to do what you want, you only have to change two options -(cgiurl and sslcookie) to encrypt all authentication data. - -The disadvantage is that if someone were to activate it while using http:// I think it -would mean they couldn't log in, as the browser would never offer the cookie. -I think I have made the documentation clear enough on this point. - -http://jameswestby.net/scratch/sslcookie.diff - --- JamesWestby \ No newline at end of file diff --git a/doc/security.mdwn b/doc/security.mdwn index dc763ef40..9d7702dde 100644 --- a/doc/security.mdwn +++ b/doc/security.mdwn @@ -134,7 +134,9 @@ file not be world readable. Login to the wiki involves sending a password in cleartext over the net. Cracking the password only allows editing the wiki as that user though. -If you care, you can use https, I suppose. +If you care, you can use https, I suppose. If you do use https either for +all of the wiki, or just the cgi access, then consider using the sslcookie +option. ## XSS holes in CGI output diff --git a/doc/usage.mdwn b/doc/usage.mdwn index efbc765ac..4456e8c1c 100644 --- a/doc/usage.mdwn +++ b/doc/usage.mdwn @@ -227,6 +227,12 @@ configuration options of their own. Enable [[w3mmode]], which allows w3m to use ikiwiki as a local CGI script, without a web server. +* --sslcookie + + Only send cookies over an SSL connection. This should prevent them being + intercepted. If you enable this option then you must run at least the + CGI portion of ikiwiki over SSL. + * --getctime Pull last changed time for each new page out of the revision control diff --git a/ikiwiki.pl b/ikiwiki.pl index c9b53a031..aa0fd136a 100755 --- a/ikiwiki.pl +++ b/ikiwiki.pl @@ -45,6 +45,7 @@ sub getconfig () { #{{{ "svnpath" => \$config{svnpath}, "adminemail=s" => \$config{adminemail}, "timeformat=s" => \$config{timeformat}, + "sslcookie!" => \$config{sslcookie}, "exclude=s@" => sub { $config{wiki_file_prune_regexp}=qr/$config{wiki_file_prune_regexp}|$_[1]/; }, -- 2.44.0