0c450818052cb799efeab3d7d49c800378bcf3ab angie Mon Dec 12 13:57:55 2016 -0800 Without login.cookieSalt, don't even check ID cookie vs. gbMembers.idx because that could vary from system to system. refs #17327
diff --git src/hg/lib/wikiLink.c src/hg/lib/wikiLink.c
index 70d3b92..94f8949 100644
--- src/hg/lib/wikiLink.c
+++ src/hg/lib/wikiLink.c
@@ -175,94 +175,69 @@ cookieStrings = NULL;
 slAddHead(&cookieStrings, wikiLinkLoggedInCookieString(0, NULL));
 slAddHead(&cookieStrings, wikiLinkUserNameCookieString(NULL));
 return cookieStrings;
 }
 
 static char *getLoginUserName()
 /* Get the (CGI-decoded) value of the login userName cookie. */
 {
 char *userName = cloneString(findCookieData(wikiLinkUserNameCookie()));
 if (isNotEmpty(userName))
 cgiDecodeFull(userName, userName, strlen(userName));
 return userName;
 }
 
-static boolean loginIsRemoteClient()
-/* Return TRUE if wikiHost is non-empty and not the same as this host. */
-{
-char *wikiHost = cfgOption(CFG_WIKI_HOST);
-return (isNotEmpty(wikiHost) &&
- differentString(wikiHost, "HTTPHOST") &&
- differentString(wikiHost, hHttpHost()));
-}
-
-static boolean idxIsValid(char *userName, uint idx)
-/* If login is local, return TRUE if idx is the same as hgcentral.gbMembers.idx for userName.
- * If remote, just return TRUE. */
-{
-if (loginIsRemoteClient())
- return TRUE;
-// Look up idx for userName in gbMembers and compare to idx
-struct sqlConnection *conn = hConnectCentral();
-char query[512];
-sqlSafef(query, sizeof(query), "select idx from gbMembers where userName='%s'", userName);
-uint memberIdx = (uint)sqlQuickLongLong(conn, query);
-hDisconnectCentral(&conn);
-return (idx == memberIdx);
-}
-
 struct slName *loginValidateCookies()
 /* Return possibly empty list of cookie strings for the caller to set.
 * If login cookies are obsolete but (formerly) valid, the results sets updated cookies.
 * If login cookies are present but invalid, the result deletes/expires the cookies.
 * Otherwise returns NULL (no change to cookies).
 */
 {
 alreadyAuthenticated = TRUE;
 authenticated = FALSE;
 char *userName = getLoginUserName();
 char *cookieKey = NULL;
 uint cookieIdx = getCookieIdxOrKey(&cookieKey);
 char *cookieSalt = getLoginCookieSalt();
 if (userName && (cookieIdx > 0 || isNotEmpty(cookieKey)))
 {
- if (cookieSalt)
+ if (isNotEmpty(cookieSalt))
 {
 if (cookieKey && sameString(makeUserKey(userName, cookieSalt), cookieKey))
 {
 authenticated = TRUE;
 }
 // BEGIN TODO: remove in Feb 2017
 else
 {
- // For the first couple months, also accept gbMembers.idx to smooth the transition.
- if (idxIsValid(userName, cookieIdx))
- {
+ // For the first couple months, accept any value of cookieKey like we used to.
+ // It's possible for different systems to have different gbMembers.idx for the
+ // same userName, so checking gbMembers.idx would risk logging some users out
+ // every time they switch systems.
 authenticated = TRUE;
 // Create and store a new key, and make a cookie string with the new key.
 char *newKey = makeUserKey(userName, cookieSalt);
 slAddHead(&cookieStrings, wikiLinkLoggedInCookieString(cookieIdx, newKey));
 slAddHead(&cookieStrings, wikiLinkUserNameCookieString(userName));
 }
- }
 // END TODO: remove in Feb 2017
 }
 else
 {
- // hg.conf doesn't specify login.cookieSalt -- check memberIdx if local,
- // blindly accept if remote.
- authenticated = idxIsValid(userName, cookieIdx);
+ // hg.conf doesn't specify login.cookieSalt -- no checking.
+ authenticated = TRUE;
 }
 if (!authenticated)
 {
 // Invalid key; delete cookies
 slAddHead(&cookieStrings, wikiLinkLoggedInCookieString(0, NULL));
 slAddHead(&cookieStrings, wikiLinkUserNameCookieString(NULL));
 }
 }
 return cookieStrings;
 }
 
 char *wikiLinkHost()
 /* Return the wiki host specified in hg.conf, or NULL. Allocd here.
 * Returns hostname from http request if hg.conf entry is HTTPHOST.
 * */
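Review bot: After this change every path inside `if (userName && (cookieIdx > 0 || isNotEmpty(cookieKey)))` in loginValidateCookies sets `authenticated = TRUE`, so the `if (!authenticated)` cookie-deletion block is unreachable until the TODO block is removed, and in the salted branch a userName cookie paired with any non-empty ID cookie is not merely accepted but upgraded to a freshly minted `makeUserKey(userName, cookieSalt)` for that user. If the transitional acceptance is meant for legacy idx-only cookies, narrowing the fallback to `else if (cookieIdx > 0 && !isNotEmpty(cookieKey))` would keep the stated goal of not depending on gbMembers.idx while still rejecting a key that fails the salt check; if accepting any key value is intentional, say so in the comment and log the key-upgrade path so the transition window is auditable. It would also help to extend the END TODO marker with `// Once this block is removed, the !authenticated branch below becomes reachable again.` so whoever removes it knows the deletion path is being re-enabled. The unsalted `else` branch now trusts the cookies without any check, which the commit message describes, so that reads as a deliberate choice rather than a defect.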