diff options
author | Yorhel <git@yorhel.nl> | 2014-08-29 09:43:00 +0200 |
---|---|---|
committer | Yorhel <git@yorhel.nl> | 2014-08-29 09:45:15 +0200 |
commit | c27d4e6b509a655d81e36469bb881afc287596e8 (patch) | |
tree | c7a42b5226edaab2e3356592130a6db7caa13a9e /lib | |
parent | 9475bf8ccf1b422402ab70b6cb2276dc3c61e5c6 (diff) |
Strengthen formcode for non-logged-in visitors + CSRF protect login form
formcode is strengthened by including the IP (-prefix) into the hash,
ensuring that the code can't be obtained by someone on a different
network.
I also removed the login form of every page. Felt kinda pointless.
Diffstat (limited to 'lib')
-rw-r--r-- | lib/VNDB/Handler/Users.pm | 1 | ||||
-rw-r--r-- | lib/VNDB/Util/Auth.pm | 2 | ||||
-rw-r--r-- | lib/VNDB/Util/LayoutHTML.pm | 18 | ||||
-rw-r--r-- | lib/VNDB/Util/Misc.pm | 22 |
4 files changed, 27 insertions, 16 deletions
diff --git a/lib/VNDB/Handler/Users.pm b/lib/VNDB/Handler/Users.pm index 5738d964..eb7e03ab 100644 --- a/lib/VNDB/Handler/Users.pm +++ b/lib/VNDB/Handler/Users.pm @@ -142,6 +142,7 @@ sub login { my $frm; if($self->reqMethod eq 'POST') { + return if !$self->authCheckCode; $frm = $self->formValidate( { post => 'usrname', required => 1, minlength => 2, maxlength => 15 }, { post => 'usrpass', required => 1, minlength => 4, maxlength => 64, template => 'asciiprint' }, diff --git a/lib/VNDB/Util/Auth.pm b/lib/VNDB/Util/Auth.pm index c7e8b973..a1fa9b4d 100644 --- a/lib/VNDB/Util/Auth.pm +++ b/lib/VNDB/Util/Auth.pm @@ -165,7 +165,7 @@ sub authGetCode { my $self = shift; my $id = shift; my $time = (shift || time)/3600; # accuracy of an hour - my $uid = pack('N', $self->{_auth} ? $self->{_auth}{id} : 0); + my $uid = encode_utf8($self->{_auth} ? $self->{_auth}{id} : $self->normIP()); return lc substr sha1_hex($self->{form_salt} . $uid . encode_utf8($id||'') . pack('N', int $time)), 0, 16; } diff --git a/lib/VNDB/Util/LayoutHTML.pm b/lib/VNDB/Util/LayoutHTML.pm index 7507d682..6471e8b1 100644 --- a/lib/VNDB/Util/LayoutHTML.pm +++ b/lib/VNDB/Util/LayoutHTML.pm @@ -110,21 +110,11 @@ sub _menu { a href => "$uid/logout", mt '_menu_logout'; end; } else { - h2; - a href => '/u/login', mt '_menu_login'; - end; + h2 mt '_menu_user'; div; - form action => '/nospam?/u/login', id => 'loginform', method => 'post'; - fieldset; - legend 'Login'; - input type => 'text', class => 'text', id => 'username', name => 'usrname'; - input type => 'password', class => 'text', id => 'userpass', name => 'usrpass'; - input type => 'submit', class => 'submit', value => mt '_menu_login'; - end; - end; - p; - lit mt '_menu_loginmsg', '/u/register', '/u/newpass'; - end; + a href => '/u/login', mt '_menu_login'; br; + a href => '/u/newpass', mt '_menu_newpass'; br; + a href => '/u/register', mt '_menu_register'; br; end; } end 'div'; # /menubox diff --git a/lib/VNDB/Util/Misc.pm b/lib/VNDB/Util/Misc.pm index 04114483..7ee0701b 100644 --- a/lib/VNDB/Util/Misc.pm +++ b/lib/VNDB/Util/Misc.pm @@ -6,8 +6,9 @@ use warnings; use Exporter 'import'; use TUWF ':html'; use VNDB::Func; +use Socket 'inet_pton', 'inet_ntop', 'AF_INET6'; -our @EXPORT = qw|filFetchDB ieCheck|; +our @EXPORT = qw|filFetchDB ieCheck normIP|; my %filfields = ( @@ -143,5 +144,24 @@ sub ieCheck { } +# Normalized IP address to use for duplicate detection/throttling. For IPv4 +# this is just the normal address, but for IPv6 this is the /48 subnet, with +# the rest of the address zero'd. +sub normIP { + my $s = shift; + my $ip = $s->reqIP(); + return $ip if $ip !~ /:/; + + # There's a whole bunch of IPv6 manipulation modules on CPAN, but many seem + # quite bloated and still don't offer the functionality to return an IP + # with its mask applied (admittedly not a common operation). The libc + # socket functions will do fine in parsing and formatting IPv6 addresses, + # and the actual masking is quite trivial in binary form. + $ip = inet_pton AF_INET6, $ip; + return '::' if !$ip; + $ip =~ s/^(.{6}).+$/$1 . "\0"x10/e; + return inet_ntop AF_INET6, $ip; +} + 1; |