This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "FusionForge".
The branch, 6.0 has been updated
via 1e39eebe3e030804ffd7042793742bc6bc4f7805 (commit)
via bdadb7cb3dfe6ffcdd3c27e16fead717cb3babfe (commit)
via 59afb86a3c91317014e16d2995c8a891426a48dc (commit)
via 1c0d761dde66524a8b1044839816ff29a643fa61 (commit)
via d21b4743e78227e7c12bec755d11e58eb7db6fe4 (commit)
via 506c56e728363b952c890d815f5bc7a57a67170d (commit)
from 13cca82afd4ae53cb4a493d022f811588b801300 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
https://scm.fusionforge.org/anonscm/gitweb/?p=fusionforge/fusionforge.git;a=commitdiff;h=1e39eebe3e030804ffd7042793742bc6bc4f7805
commit 1e39eebe3e030804ffd7042793742bc6bc4f7805
Author: Roland Mas <[email protected]>
Date: Wed Dec 7 15:30:06 2016 +0100
Sanitize input to block XSS attacks
diff --git a/src/common/docman/views/search.php
b/src/common/docman/views/search.php
index 33b7ac4..fcfd997 100644
--- a/src/common/docman/views/search.php
+++ b/src/common/docman/views/search.php
@@ -56,7 +56,7 @@ echo html_ao('div', array('id' => 'docman_search', 'class' =>
'docmanDivIncluded
echo $HTML->openForm(array('method' => 'post', 'action' =>
util_make_uri('/docman/?group_id='.$group_id.'&view=search')));
echo html_ao('div', array('id' => 'docman_search_query_words'));
echo html_e('span', array('id' => 'docman_search_query_label'),
_('Query').utils_requiredField()._(': '));
-echo html_e('input', array('type' => 'text', 'name' => 'textsearch', 'id' =>
'textsearch', 'size' => 48, 'value' => $searchString, 'required' => 'required',
'placeholder' => _('Searched words')));
+echo html_e('input', array('type' => 'text', 'name' => 'textsearch', 'id' =>
'textsearch', 'size' => 48, 'value' =>
stripslashes(htmlspecialchars($searchString)), 'required' => 'required',
'placeholder' => _('Searched words')));
echo html_e('input', array('type' => 'submit', 'value' => _('Search')));
echo html_ac(html_ap() - 1);
echo html_ao('div', array('id' => 'docman_search_query_ckeckbox'));
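Review bot: `stripslashes(htmlspecialchars($searchString))` on the added input line strips backslashes from the user's own query after escaping, so a search containing a `\` is echoed back altered; if the stripslashes is a leftover from magic_quotes handling it belongs where the request value is read, not in the output escaping. htmlspecialchars is also called with its default flags, which do not escape single quotes; since the value lands in an attribute, pass the flags and charset explicitly: `'value' => htmlspecialchars($searchString, ENT_QUOTES, 'UTF-8')`. If html_e already escapes attribute values this would double-encode, which is worth confirming against its definition outside this hunk. The same stripslashes pattern appears in the AdvancedSearchHtmlSearchRenderer hunk below.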
diff --git a/src/www/activity/index.php b/src/www/activity/index.php
index 8f412b9..cbc1f2d 100644
--- a/src/www/activity/index.php
+++ b/src/www/activity/index.php
@@ -50,7 +50,7 @@ if (!$received_begin || $received_begin==0) {
$rendered_begin = strftime($date_format, $begin);
} else {
$begin = mktime(0, 0, 0, $tmp['tm_mon']+1, $tmp['tm_mday'],
$tmp['tm_year'] + 1900);
- $rendered_begin = $received_begin;
+ $rendered_begin = strftime($date_format, $received_begin);
}
}
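Review bot: `strftime($date_format, $received_begin)` on the added line passes the raw request value as the timestamp argument, whereas the if branch just above formats the computed `$begin`; from the surrounding code `$received_begin` looks like the date string that `$tmp` was parsed from rather than an integer timestamp, in which case strftime will not render the date the user entered. Mirroring the if branch seems to be the intent, since `$begin` has just been computed by mktime: `$rendered_begin = strftime($date_format, $begin);`. The same applies to `$rendered_end` in the next hunk of this file. The enclosing block starts before this hunk, so how `$tmp` and `$received_begin` are derived should be checked there.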
if ($begin < 0) {
@@ -68,7 +68,7 @@ if (!$received_end || $received_end == 0) {
$rendered_end = strftime($date_format, $end);
} else {
$end = mktime(23, 59, 59, $tmp['tm_mon']+1, $tmp['tm_mday'],
$tmp['tm_year'] + 1900);
- $rendered_end = $received_end;
+ $rendered_end = strftime($date_format, $received_end);
}
}
diff --git
a/src/www/search/include/renderers/AdvancedSearchHtmlSearchRenderer.class.php
b/src/www/search/include/renderers/AdvancedSearchHtmlSearchRenderer.class.php
index 10e3d44..888d599 100644
---
a/src/www/search/include/renderers/AdvancedSearchHtmlSearchRenderer.class.php
+++
b/src/www/search/include/renderers/AdvancedSearchHtmlSearchRenderer.class.php
@@ -198,11 +198,11 @@ class AdvancedSearchHtmlSearchRenderer extends
HtmlGroupSearchRenderer {
$result .= $renderer->getRows();
$result .= $HTML->listTableBottom();
} elseif(method_exists($renderer, 'getSections') &&
(count($renderer->getSections($this->groupId)) == 0)) {
- $result .= '<p>'.sprintf(_('No matches found for
“%s”'), $this->words);
+ $result .= '<p>'.sprintf(_('No matches found for “%s”'),
stripslashes(htmlspecialchars($this->words)));
$result .= _(' - ');
$result .= _('No sections available (check your
permissions)').'</p>';
} else {
- $result .= '<p>'.sprintf(_('No matches found for
“%s”'), $this->words).'</p>';
+ $result .= '<p>'.sprintf(_('No matches found for “%s”'),
stripslashes(htmlspecialchars($this->words))).'</p>';
}
return $result;
}
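Review bot: The escaped string is built twice with identical code in the two added branches; computing it once above the `elseif` keeps the two messages from drifting apart, e.g. `$escapedWords = htmlspecialchars($this->words, ENT_QUOTES, 'UTF-8');` and then `sprintf(_('No matches found for “%s”'), $escapedWords)` in both. As in the docman hunk, the surrounding `stripslashes` alters the words a user typed if they contain a backslash and is not needed for the escaping itself. The method containing these lines starts before the hunk.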
diff --git a/src/www/search/index.php b/src/www/search/index.php
index cdec69f..decf5dd 100644
--- a/src/www/search/index.php
+++ b/src/www/search/index.php
@@ -34,7 +34,7 @@ $group_project_id = getIntFromRequest('group_project_id');
$words = getStringFromRequest('words');
$type_of_search = getStringFromRequest('type_of_search');
-$exact = getStringFromRequest('exact', 1);
+$exact = getIntFromRequest('exact', 1);
// Support for short aliases
https://scm.fusionforge.org/anonscm/gitweb/?p=fusionforge/fusionforge.git;a=commitdiff;h=bdadb7cb3dfe6ffcdd3c27e16fead717cb3babfe
commit bdadb7cb3dfe6ffcdd3c27e16fead717cb3babfe
Author: Roland Mas <[email protected]>
Date: Fri Dec 2 14:08:57 2016 +0100
Added testsuite for session improvements
diff --git a/tests/func/10_Site/loginTest.php b/tests/func/10_Site/loginTest.php
index 4489eb6..6a77cdd 100644
--- a/tests/func/10_Site/loginTest.php
+++ b/tests/func/10_Site/loginTest.php
@@ -54,6 +54,7 @@ class LoginProcess extends FForge_SeleniumTestCase
$this->logout();
}
$this->clickAndWait("link=Log In");
+ $this->assertTrue($this->isTextPresent("Log In"));
// Check that current URL's base is the same as ROOT
// If the forge redirects to other URL than the one
@@ -67,34 +68,35 @@ class LoginProcess extends FForge_SeleniumTestCase
$this->type("form_loginname", FORGE_ADMIN_USERNAME);
$this->type("form_pw", FORGE_ADMIN_PASSWORD);
- $this->click("login");
- $this->waitForPageToLoad("30000");
+ $this->clickAndWait("login");
+ $this->assertTrue($this->isTextPresent("Forge Admin"));
+ $this->assertTrue($this->isTextPresent("Log Out"));
+ $this->open( ROOT );
$this->assertTrue($this->isTextPresent("Forge Admin"));
$this->assertTrue($this->isTextPresent("Log Out"));
$this->logout();
- // Verify that logout is succesfull
+ $this->open( ROOT );
+ // Verify that logout is succesful
$this->assertTrue($this->isTextPresent("Log In"));
// Test with an empty password.
$this->open( ROOT );
- $this->click("link=Log In");
- $this->waitForPageToLoad("30000");
+ $this->clickAndWait("link=Log In");
+ $this->assertTrue($this->isTextPresent("Log In"));
$this->type("form_loginname", FORGE_ADMIN_USERNAME);
$this->type("form_pw", "");
$this->click("login");
- sleep (1);
+ sleep(1);
$this->assertTrue($this->isTextPresent("Login"));
$this->assertFalse($this->isTextPresent("Forge Admin"));
$this->assertTrue($this->isTextPresent("Log In"));
// Test with a wrong password.
$this->open( ROOT );
- $this->click("link=Log In");
- $this->waitForPageToLoad("30000");
+ $this->clickAndWait("link=Log In");
$this->type("form_loginname", FORGE_ADMIN_USERNAME);
$this->type("form_pw", "awrongpassword");
- $this->click("login");
- $this->waitForPageToLoad("30000");
+ $this->clickAndWait("login");
$this->assertTrue($this->isTextPresent("Invalid Password Or
User Name"));
$this->assertFalse($this->isTextPresent("Forge Admin"));
$this->assertTrue($this->isTextPresent("Log In"));
@@ -106,20 +108,17 @@ class LoginProcess extends FForge_SeleniumTestCase
$this->clickAndWait("link=Site Admin");
$this->clickAndWait("link=Display Full User List/Edit Users");
-
$this->click("//table/tbody/tr/td/a[contains(@href,'useredit.php') and
contains(.,'(admin)')]/../..//a[contains(@href, 'passedit.php?user_id=')]");
- $this->waitForPageToLoad("30000");
+
$this->clickAndWait("//table/tbody/tr/td/a[contains(@href,'useredit.php') and
contains(.,'(admin)')]/../..//a[contains(@href, 'passedit.php?user_id=')]");
$this->type("passwd", FORGE_OTHER_PASSWORD);
$this->type("passwd2", FORGE_OTHER_PASSWORD);
$this->clickAndWait("submit");
$this->logout();
$this->open( ROOT );
- $this->click("link=Log In");
- $this->waitForPageToLoad("30000");
+ $this->clickAndWait("link=Log In");
$this->type("form_loginname", FORGE_ADMIN_USERNAME);
$this->type("form_pw", FORGE_OTHER_PASSWORD);
- $this->click("login");
- $this->waitForPageToLoad("30000");
+ $this->clickAndWait("login");
$this->assertTrue($this->isTextPresent("Forge Admin"));
$this->assertTrue($this->isTextPresent("Log Out"));
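Review bot: The added `clickAndWait` on the passedit link follows a `$this->click(...)` on the same XPath that the hunk keeps, so the link is now clicked twice, once without waiting and once with. Depending on when the first navigation completes, the second click may target an element that no longer exists or run against the old page, which makes this step timing-dependent. The intent looks like replacing the click/waitForPageToLoad pair with a single `clickAndWait`, so the remaining `$this->click(...)` line should be removed. The test method starts before this hunk.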
@@ -141,14 +140,44 @@ class LoginProcess extends FForge_SeleniumTestCase
$this->logout();
$this->open( ROOT );
- $this->click("link=Log In");
- $this->waitForPageToLoad();
+ $this->clickAndWait("link=Log In");
$this->type("form_loginname", FORGE_ADMIN_USERNAME);
$this->type("form_pw", FORGE_ADMIN_PASSWORD);
- $this->click("login");
- $this->waitForPageToLoad();
+ $this->clickAndWait("login");
+ $this->assertTrue($this->isTextPresent("Forge Admin"));
+ $this->assertTrue($this->isTextPresent("Log Out"));
+
+ // Test session expiration
+ $this->open( ROOT );
+ if (!$this->isTextPresent("Log In")) {
+ $this->logout();
+ }
+ $this->clickAndWait("link=Log In");
+ $this->type("form_loginname", FORGE_ADMIN_USERNAME);
+ $this->type("form_pw", FORGE_ADMIN_PASSWORD);
+ $this->clickAndWait("login");
$this->assertTrue($this->isTextPresent("Forge Admin"));
$this->assertTrue($this->isTextPresent("Log Out"));
+ $this->open( ROOT );
+ $this->assertTrue($this->isTextPresent("Forge Admin"));
+ $this->assertTrue($this->isTextPresent("Log Out"));
+ // Shorten session validity delay
+ $this->changeConfig("[core]\nsession_expire = 10\n");
+ // Ensure session cookie is refreshed
+ sleep(5);
+ $this->open( ROOT );
+ sleep(5);
+ $this->open( ROOT );
+ sleep(5);
+ $this->open( ROOT );
+ sleep(5);
+ $this->assertTrue($this->isTextPresent("Forge Admin"));
+ $this->assertTrue($this->isTextPresent("Log Out"));
+ // Now ensure that the session expires
+ sleep(15);
+ $this->open( ROOT );
+ $this->assertFalse($this->isTextPresent("Forge Admin"));
+ $this->assertFalse($this->isTextPresent("Log Out"));
}
}
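Review bot: `changeConfig("[core]\nsession_expire = 10\n")` shortens the session lifetime for the whole forge and nothing in the hunk restores it before the method ends at the closing braces, so later tests in the suite run with 10-second sessions unless changeConfig is reverted by a teardown outside this view. Restoring the previous value at the end of the block, or in tearDown, would keep the tests independent of each other. The expiry checks rest on wall-clock sleeps (5 s polls, then 15 s against a 10 s expiry), which will be fragile on a slow CI host; a wider margin or a comment stating the assumed timing, e.g. `// session_expire is 10 s; 15 s without a request must expire the session`, would help the next reader. The block also repeats the login sequence from the lines just above it; a small login helper would shorten both.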
diff --git a/tests/func_tests.sh b/tests/func_tests.sh
index e3ed103..fda84e6 100755
--- a/tests/func_tests.sh
+++ b/tests/func_tests.sh
@@ -161,10 +161,11 @@ define('INSTALL_OS', getenv('INSTALL_OS'));
// These are deduced from the previous definitions.
// URL to access the application
-define ('URL', 'http://'.HOST.'/');
+define ('URL', 'https://'.HOST.'/');
// WSDL of the forges SOAP API
-define ('WSDL_URL', URL.'soap/index.php?wsdl');
+// define ('WSDL_URL', URL.'soap/index.php?wsdl');
+define ('WSDL_URL', 'http://'.HOST.'/soap/index.php?wsdl');
EOF
echo "Starting Selenium"
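Review bot: The commented-out `define ('WSDL_URL', URL.'soap/index.php?wsdl');` should be deleted rather than kept next to its replacement, and the reason the SOAP endpoint stays on plain http while URL moves to https deserves a comment, e.g. `// SOAP tests stay on http: a Secure session cookie is not sent over plain http`. That reason is an inference: with secure session cookies enforced by the session change in this push, a SOAP client on http would not carry the session cookie at all, so if the SOAP tests rely on cookie-based login this split may be masking a failure rather than working around a TLS problem. The heredoc this sits in starts before the hunk.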
https://scm.fusionforge.org/anonscm/gitweb/?p=fusionforge/fusionforge.git;a=commitdiff;h=59afb86a3c91317014e16d2995c8a891426a48dc
commit 59afb86a3c91317014e16d2995c8a891426a48dc
Author: Roland Mas <[email protected]>
Date: Thu Dec 1 16:45:51 2016 +0100
Added session expiration (1 hour by default)
diff --git a/src/common/include/AuthPlugin.class.php
b/src/common/include/AuthPlugin.class.php
index 0445e2c..4082f67 100644
--- a/src/common/include/AuthPlugin.class.php
+++ b/src/common/include/AuthPlugin.class.php
@@ -85,6 +85,9 @@ abstract class ForgeAuthPlugin extends Plugin {
case 'close_auth_session':
$this->closeAuthSession($params);
break;
+ case 'refresh_auth_session':
+ $this->refreshAuthSession($params);
+ break;
default:
// Forgot something
}
@@ -226,6 +229,10 @@ abstract class ForgeAuthPlugin extends Plugin {
}
}
+ function refreshAuthSession() {
+ $this->setSessionCookie();
+ }
+
protected function unsetSessionCookie() {
session_set_cookie($this->getCookieName(), '');
}
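Review bot: `refreshAuthSession()` is declared without a parameter but the dispatcher case added in the first hunk calls it as `$this->refreshAuthSession($params)`, unlike `closeAuthSession($params)` beside it; PHP accepts the extra argument, but the signature should follow the hook convention, `function refreshAuthSession(&$params)`, so subclasses overriding it get the same contract. The method also lacks a visibility keyword and a doc comment; a one-liner such as `/** Re-issue the session cookie so its expiry slides forward on each request. */` would state what callers can expect. Whether `setSessionCookie()` applies the new `session_expire` setting is not visible here and should be confirmed in that method; as written this is a sliding expiry with no absolute cap on session age.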
diff --git a/src/common/include/pre.php b/src/common/include/pre.php
index 54ef36d..92ea37b 100644
--- a/src/common/include/pre.php
+++ b/src/common/include/pre.php
@@ -282,11 +282,13 @@ if (getenv('FUSIONFORGE_NO_DB') != 'true' and
forge_get_config('database_name')
// If logged in, set up a $LUSER var referencing
// the logged in user's object
// and setup theme
+ // and refresh session cookies
if (session_loggedin()) {
$LUSER =& session_get_user();
$use_tooltips = $LUSER->usesTooltips();
header('Cache-Control: private');
$x_theme = $LUSER->setUpTheme();
+ session_refresh();
} else {
$use_tooltips = 1;
$x_theme = forge_get_config('default_theme');
diff --git a/src/common/include/session.php b/src/common/include/session.php
index 74ec39e..7618e28 100644
--- a/src/common/include/session.php
+++ b/src/common/include/session.php
@@ -755,6 +755,11 @@ function session_continue($sessionKey) {
return true;
}
+function session_refresh() {
+ $params = array();
+ plugin_hook('refresh_auth_session', $params);
+}
+
function setup_tz_from_context() {
$user = session_get_user();
if (!is_object($user) || $user->isError()) {
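Review bot: `session_refresh()` has no doc comment while the neighbouring functions in this file carry one; since pre.php now calls it on every logged-in request, a short header such as `/** Ask the active auth plugin to re-issue the session cookie (hook refresh_auth_session). */` would make that cost and purpose explicit. `$params` is passed as an empty array only to satisfy the hook signature; a comment saying so, `// no parameters yet; plugin_hook expects an array`, saves a reader from looking for missing data.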
diff --git a/src/etc/config.ini.d/defaults.ini
b/src/etc/config.ini.d/defaults.ini
index 807702e..e1fb9b6 100644
--- a/src/etc/config.ini.d/defaults.ini
+++ b/src/etc/config.ini.d/defaults.ini
@@ -89,6 +89,7 @@ allow_project_without_template = yes
use_webdav = no
user_default_shell = "/bin/bash"
user_display_contact_info = yes
+session_expire = 3600
scm_single_host = yes
system_user=fusionforge
diff --git a/src/plugins/authbuiltin/common/AuthBuiltinPlugin.class.php
b/src/plugins/authbuiltin/common/AuthBuiltinPlugin.class.php
index 604f3e8..4369062 100644
--- a/src/plugins/authbuiltin/common/AuthBuiltinPlugin.class.php
+++ b/src/plugins/authbuiltin/common/AuthBuiltinPlugin.class.php
@@ -45,6 +45,7 @@ class AuthBuiltinPlugin extends ForgeAuthPlugin {
// get_extra_roles - add new roles not necessarily stored in
the database
// restrict_roles - filter out unwanted roles
$this->_addHook('close_auth_session');
+ $this->_addHook("refresh_auth_session");
$this->declareConfigVars();
}
diff --git a/src/plugins/authldap/common/AuthLDAPPlugin.class.php
b/src/plugins/authldap/common/AuthLDAPPlugin.class.php
index a3f96f4..632c258 100644
--- a/src/plugins/authldap/common/AuthLDAPPlugin.class.php
+++ b/src/plugins/authldap/common/AuthLDAPPlugin.class.php
@@ -48,6 +48,7 @@ into the FusionForge database.");
$this->_addHook("fetch_authenticated_user");
$this->_addHook("sync_account_info");
$this->_addHook("close_auth_session");
+ $this->_addHook("refresh_auth_session");
$this->ldap_conn = false;
$this->saved_login = '';
https://scm.fusionforge.org/anonscm/gitweb/?p=fusionforge/fusionforge.git;a=commitdiff;h=1c0d761dde66524a8b1044839816ff29a643fa61
commit 1c0d761dde66524a8b1044839816ff29a643fa61
Author: Roland Mas <[email protected]>
Date: Tue Nov 29 11:32:56 2016 +0100
Force secure session cookies when relevant
diff --git a/src/common/include/session.php b/src/common/include/session.php
index 9bd3e38..74ec39e 100644
--- a/src/common/include/session.php
+++ b/src/common/include/session.php
@@ -346,10 +346,8 @@ function session_cookie($name, $value, $domain='',
$expiration=0) {
if ($expiration) {
$expiration = time() + $expiration;
}
- /* evolvis: force secure (SSL-only) session cookies */
- //$force_secure = true;
- /* not (yet?) in FusionForge */
- $force_secure = false;
+ /* force secure (SSL-only) session cookies if relevant */
+ $force_secure = forge_get_config('use_ssl');
if ($force_secure && !session_issecure()) {
return;
}
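Review bot: When `use_ssl` is on and the request is not secure, the existing early `return` now silently drops the cookie, so a login over plain http appears to succeed and the user is simply not logged in on the next page, with nothing logged. The behaviour is reasonable, but the condition deserves a comment and ideally a log line, e.g. `/* refuse to issue a session cookie over plain http when the forge is configured for SSL */`. Whether `forge_get_config('use_ssl')` yields a boolean or a string such as 'no' is not visible here; if it can be a string, the value should be normalised before the truthiness test on the next line.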
https://scm.fusionforge.org/anonscm/gitweb/?p=fusionforge/fusionforge.git;a=commitdiff;h=d21b4743e78227e7c12bec755d11e58eb7db6fe4
commit d21b4743e78227e7c12bec755d11e58eb7db6fe4
Author: Roland Mas <[email protected]>
Date: Thu Dec 1 15:41:05 2016 +0100
Disable directory listing on FusionForge URLs
diff --git a/src/etc/httpd.conf.d/vhost-main.inc
b/src/etc/httpd.conf.d/vhost-main.inc
index d782cd3..8061c24 100644
--- a/src/etc/httpd.conf.d/vhost-main.inc
+++ b/src/etc/httpd.conf.d/vhost-main.inc
@@ -18,6 +18,7 @@ SetEnv FF__core__config_path "${FF__core__config_path}"
<Directory ${FF__core__source_path}/www>
Options Indexes FollowSymlinks
AllowOverride All
+ Options -Indexes
# define access restrictions for the main site
Include ${FF__core__config_path}/httpd.conf.d/auth-main.inc
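Review bot: The `<Directory>` block keeps `Options Indexes FollowSymlinks` and then adds `Options -Indexes` two lines later; the relative syntax does remove Indexes within the block, but the two lines read as contradictory and depend on their order. Dropping Indexes from the original line, `Options FollowSymlinks`, states the intent in one place and cannot be undone by a later reordering. The second hunk in this file has the same shape; which Options line precedes it is outside that hunk and should be checked so the relative `-Indexes` is not paired with an absolute line that re-enables it.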
@@ -65,6 +66,7 @@ SetEnv FF__core__config_path "${FF__core__config_path}"
AllowOverride All
Include ${FF__core__config_path}/httpd.conf.d/auth-main.inc
+ Options -Indexes
</Directory>
https://scm.fusionforge.org/anonscm/gitweb/?p=fusionforge/fusionforge.git;a=commitdiff;h=506c56e728363b952c890d815f5bc7a57a67170d
commit 506c56e728363b952c890d815f5bc7a57a67170d
Author: Roland Mas <[email protected]>
Date: Thu Dec 1 16:03:04 2016 +0100
Check that submits come from correct forms
By tweaking the "double-submit" prevention logic, we can ensure that all
submits actually come from real forms (and that the form was displayed
less than 10 minutes ago), and so prevent CSRF attacks.
diff --git a/src/common/include/forms.php b/src/common/include/forms.php
index dfd6ff5..876f80a 100644
--- a/src/common/include/forms.php
+++ b/src/common/include/forms.php
@@ -56,14 +56,14 @@ function form_generate_key() {
*
*/
function form_key_is_valid($key) {
- // Fail back mode if key is empty. This can happen when there is
- // a problem with the generation. In this case, it may be better
- // to disable this check instead of blocking all the application.
+ // Fail if key is empty
if (empty($key))
- return true;
+ return false;
db_begin();
- $res = db_query_params ('SELECT * FROM form_keys WHERE key=$1 and
is_used=0 FOR UPDATE', array ($key));
+ $res = db_query_params ('SELECT * FROM form_keys WHERE key=$1 and
is_used=0 AND creation_date > $2 FOR UPDATE',
+ array ($key,
+ time()-600));
if (!$res || !db_numrows($res)) {
db_rollback();
return false;
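Review bot: The 600-second window in the added query is a magic number; naming it, e.g. `$maxAge = 600; // form keys expire after 10 minutes`, or reading it from configuration, would let the limit be tuned and documented where the key is generated too, since forms left open longer now fail validation and users will see that. `creation_date > $2` with `time()-600` assumes creation_date is stored as a Unix epoch integer, which is not visible in this hunk and should be confirmed against form_generate_key. For the CSRF goal stated in the commit message, a key that is merely unused and fresh is not sufficient unless the form_keys row is also bound to the issuing session or user; if the table has no such column, this check should compare it as well. The rest of form_key_is_valid continues past the hunk.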
-----------------------------------------------------------------------
Summary of changes:
src/common/docman/views/search.php | 2 +-
src/common/include/AuthPlugin.class.php | 7 +++
src/common/include/forms.php | 10 ++--
src/common/include/pre.php | 2 +
src/common/include/session.php | 11 ++--
src/etc/config.ini.d/defaults.ini | 1 +
src/etc/httpd.conf.d/vhost-main.inc | 2 +
.../authbuiltin/common/AuthBuiltinPlugin.class.php | 1 +
.../authldap/common/AuthLDAPPlugin.class.php | 1 +
src/www/activity/index.php | 4 +-
.../AdvancedSearchHtmlSearchRenderer.class.php | 4 +-
src/www/search/index.php | 2 +-
tests/func/10_Site/loginTest.php | 69 +++++++++++++++-------
tests/func_tests.sh | 5 +-
14 files changed, 84 insertions(+), 37 deletions(-)
hooks/post-receive