-rw-r--r--filters/simple-authentication.lua34
1 files changed, 21 insertions, 13 deletions
diff --git a/filters/simple-authentication.lua b/filters/simple-authentication.lua
index cc86b7e..de34d09 100644
--- a/filters/simple-authentication.lua
+++ b/filters/simple-authentication.lua
@@ -46,7 +46,7 @@ local secret = "BE SURE TO CUSTOMIZE THIS STRING TO SOMETHING BIG AND RANDOM"
 -- Sets HTTP cookie headers based on post and sets up redirection.
 function authenticate_post()
 	local password = users[post["username"]]
-	local redirect = validate_value(post["redirect"])
+	local redirect = validate_value("redirect", post["redirect"])
 
 	if redirect == nil then
 		not_found()
@@ -60,7 +60,7 @@ function authenticate_post()
 		set_cookie("cgitauth", "")
 	else
 		-- One week expiration time
-		local username = secure_value(post["username"], os.time() + 604800)
+		local username = secure_value("username", post["username"], os.time() + 604800)
 		set_cookie("cgitauth", username)
 	end
 
@@ -77,7 +77,7 @@ function authenticate_cookie()
 		return 1
 	end
 
-	local username = validate_value(get_cookie(http["cookie"], "cgitauth"))
+	local username = validate_value("username", get_cookie(http["cookie"], "cgitauth"))
 	if username == nil or not accepted_users[username:lower()] then
 		return 0
 	else
@@ -92,7 +92,7 @@ function body()
 	html_attr(cgit["login"])
 	html("'>")
 	html("<input type='hidden' name='redirect' value='")
-	html_attr(secure_value(cgit["url"], 0))
+	html_attr(secure_value("redirect", cgit["url"], 0))
 	html("' />")
 	html("<table>")
 	html("<tr><td><label for='username'>Username:</label></td><td><input id='username' name='username' autofocus /></td></tr>")
@@ -194,9 +194,10 @@ end
 local crypto = require("crypto")
 
 -- Returns value of cookie if cookie is valid. Otherwise returns nil.
-function validate_value(cookie)
+function validate_value(expected_field, cookie)
 	local i = 0
 	local value = ""
+	local field = ""
 	local expiration = 0
 	local salt = ""
 	local hmac = ""
@@ -207,15 +208,17 @@ function validate_value(cookie)
 
 	for component in string.gmatch(cookie, "[^|]+") do
 		if i == 0 then
-			value = component
+			field = component
 		elseif i == 1 then
+			value = component
+		elseif i == 2 then
 			expiration = tonumber(component)
 			if expiration == nil then
-				expiration = 0
+				expiration = -1
 			end
-		elseif i == 2 then
-			salt = component
 		elseif i == 3 then
+			salt = component
+		elseif i == 4 then
 			hmac = component
 		else
 			break
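Review bot: The `-1` assigned when `tonumber(component)` fails is a sentinel whose meaning is only visible in the rejection check further down the function, so the assignment deserves a comment: `-- -1 marks an unparsable expiration; rejected below, after the HMAC check`. A smaller point: `string.gmatch(cookie, "[^|]+")` skips empty components, so an empty field or value would shift every later index; the HMAC comparison still fails for such a malformed token, so this is a robustness rather than a security concern, but it is worth a line in the same comment. The function is cut at both ends of this hunk.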
@@ -228,18 +231,22 @@ function validate_value(cookie)
 	end
 
 	-- Lua hashes strings, so these comparisons are time invariant.
-	if hmac ~= crypto.hmac.digest("sha1", value .. "|" .. tostring(expiration) .. "|" .. salt, secret) then
+	if hmac ~= crypto.hmac.digest("sha1", field .. "|" .. value .. "|" .. tostring(expiration) .. "|" .. salt, secret) then
+		return nil
+	end
+
+	if expiration == -1 or (expiration ~= 0 and expiration <= os.time()) then
 		return nil
 	end
 
-	if expiration ~= 0 and expiration <= os.time() then
+	if url_decode(field) ~= expected_field then
 		return nil
 	end
 
 	return url_decode(value)
 end
 
-function secure_value(value, expiration)
+function secure_value(field, value, expiration)
 	if value == nil or value:len() <= 0 then
 		return ""
 	end
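Review bot: `secure_value` has no doc comment, and with the new `field` parameter its output format and the role of `field` are no longer self-explanatory from the signature. I would add a header such as: `-- Returns a signed "field|value|expiration|salt|hmac" token. field binds the token to the input it was issued for (so a redirect token cannot be presented as a username cookie); expiration is a Unix time, with 0 meaning no expiry.` The "0 means no expiry" part is grounded in the `expiration ~= 0 and expiration <= os.time()` check added in this hunk, which is also the right place to state that the HMAC check must stay first so that the expiration and field comparisons only run on authenticated data. The function body continues past the end of this hunk.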
@@ -247,7 +254,8 @@ function secure_value(value, expiration)
 	local authstr = ""
 	local salt = crypto.hex(crypto.rand.bytes(16))
 	value = url_encode(value)
-	authstr = value .. "|" .. tostring(expiration) .. "|" .. salt
+	field = url_encode(field)
+	authstr = field .. "|" .. value .. "|" .. tostring(expiration) .. "|" .. salt
 	authstr = authstr .. "|" .. crypto.hmac.digest("sha1", authstr, secret)
 	return authstr
 end
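Review bot: The split in `validate_value` is on `|`, so the new `field .. "|" .. value` layout is only unambiguous if `url_encode` escapes `|` in both `field` and `value`; `url_encode` is outside this diff, so I cannot confirm it does, and a comment on the `field = url_encode(field)` line should record that dependency: `-- url_encode must escape "|": it is the token separator parsed by validate_value`. Separately, `url_encode(field)` presumably errors if `field` is nil, which the `value == nil` guard earlier in the function does not cover; every call site in this diff passes a string literal, so this is a defensive rather than an observed problem.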