From: Paul Hänsch
Date: Tue, 18 Jun 2019 17:56:13 +0000 (+0200)
Subject: Squashed 'cgilite/' changes from 8c2e52f..506e2f9
X-Git-Url: https://git.plutz.net/?a=commitdiff_plain;h=f6663322e3efc841d04a4336f7f9ff55a07e5128;p=clickslide

Squashed 'cgilite/' changes from 8c2e52f..506e2f9

506e2f9 Bugfix (security): fail session id check on undetermined condition
2638ffc function for providing file transaction IDs
9e0b693 portable sed invocations

git-subtree-dir: cgilite
git-subtree-split: 506e2f9f146c13919e65a9bbbd844391b96bbe9d
---
diff --git a/file.sh b/file.sh
index b6118f5..51ec245 100755
--- a/file.sh
+++ b/file.sh
@@ -1,6 +1,6 @@
#!/bin/sh

-# Copyright 2016 - 2018 Paul Hänsch
+# Copyright 2016 - 2019 Paul Hänsch
#
# This file is part of cgilite.
#
@@ -59,7 +59,7 @@ FILE(){
# Parse the allowable date formats from Section 3.3.1 of
# https://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html
HEADER If-Modified-Since \
- | sed -r 's;^[^ ]+, ([0-9]{2}) (...) ([0-9]{4}) (..:..:..) GMT$;\3-\2-\1 \4;;
+ | sed -E 's;^[^ ]+, ([0-9]{2}) (...) ([0-9]{4}) (..:..:..) GMT$;\3-\2-\1 \4;;
s;^[^ ]+, ([0-9]{2})-(...)-([789][0-9]) (..:..:..) GMT$;19\3-\2-\1 \4;;
s;^[^ ]+, ([0-9]{2})-(...)-([0-6][0-9]) (..:..:..) GMT$;20\3-\2-\1 \4;;
s;^[^ ]+ (...) ([0-9]{2}) (..:..:..) ([0-9]{4})$;\4-\1-\2 \3;;
@@ -69,7 +69,7 @@ FILE(){
| xargs -r0 date +%s -ud 2>&-
)"

- range="$(HEADER Range |sed -nr 's;^bytes=([0-9]+-[0-9]*|-[0-9]+)$;\1;p;q;')"
+ range="$(HEADER Range |sed -nE 's;^bytes=([0-9]+-[0-9]*|-[0-9]+)$;\1;p;q;')"
case "$range" in
*-) range="${range}$((file_size - 1))";;
-*) [ ${range#-} -le $file_size ] \
diff --git a/session.sh b/session.sh
index 25a6598..8ed8d88 100755
--- a/session.sh
+++ b/session.sh
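Review bot: The `sed -E` switch on the `range=` line gains little portability on its own, because the same pipeline two lines above it still calls `xargs -r0 date +%s -ud`, and `date -d` is GNU-specific (BSD and macOS `date` have no `-d`), while `-E` itself is absent from POSIX.1-2017 sed and was only standardised in POSIX.1-2024. Rather than leaving the impression that FILE() now runs on any POSIX system, a comment at the top of the function such as `# Requires GNU date -d; sed -E is accepted by GNU, BSD and busybox sed` would record the real constraint. FILE() starts before this hunk and its body continues past it.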
@@ -41,6 +41,15 @@ timeid(){
checkid(){ grep -m 1 -xE '[0-9a-zA-Z:=]{16}'; }

+transid(){
+ # transaction ID to modify a given file
+ local file="$1"
+ { stat -c %F%i%n%N%s%Y "$file" 2>&-
+ printf %s "$SESSION_ID"
+ server_key
+ } | sha256sum | cut -d\ -f1
+}
+
update_session(){
local session sid time sig serverkey checksig

@@ -53,9 +62,9 @@ update_session(){
checksig="${checksig%% *}"
d=$(date +%s)

- if [ "$checksig" != "$sig" \
- -o "$time" -lt "$d" \
- -o ! "$(printf %s "$sid" |checkid)" ] 2>&-
+ if ! [ "$checksig" = "$sig" \
+ -a "$time" -ge "$d" \
+ -a "$(printf %s "$sid" |checkid)" ] 2>&-
then
debug Setting up new session
sid="$(randomid)"
diff --git a/storage.sh b/storage.sh
index 0d09b26..10a8029 100755
--- a/storage.sh
+++ b/storage.sh
@@ -1,6 +1,6 @@
#!/bin/sh

-# Copyright 2018 Paul Hänsch
+# Copyright 2018, 2019 Paul Hänsch
#
# This is a file format helper, part of CGIlite.
#
@@ -74,7 +74,7 @@ STRING='

STRING(){
{ [ $# -eq 0 ] && cat || printf %s "$*"; } \
- | sed -r ':X; $!{N;bX;}'"$STRING"
+ | sed -E ':X; $!{N;bX;}'"$STRING"
}

UNSTRING='
@@ -89,5 +89,5 @@ UNSTRING='
'
UNSTRING(){
{ [ $# -eq 0 ] && cat || printf %s "$*"; } \
- | sed -r "$UNSTRING"
+ | sed -E "$UNSTRING"
}
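Review bot: In `transid`, when `stat` fails — for instance because the target file does not exist yet, a plausible state for "a transaction ID to modify a given file" — its error is discarded by `2>&-` and the file name (`%n`) never enters the hash, so every missing path yields the same ID for a given session. Binding the path explicitly by adding `printf '%s\n' "$file"` as the first line of the `{ … }` group makes the ID depend on the name regardless of what stat does. Note also that `stat -c` is the GNU/busybox format option (BSD and macOS `stat` use `-f`), so on those platforms stat fails every time and the ID silently degrades to a hash of `SESSION_ID` plus `server_key` alone. `SESSION_ID` and `server_key` are defined outside this hunk, so whether a name-independent ID is acceptable to the callers cannot be judged from here.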
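Review bot: The rewritten condition still chains its three checks with `-a` inside one `[` whose operands are presumably cookie-derived; POSIX marks `-a`/`-o` obsolescent and leaves the parse of a `[` with more than four arguments unspecified, so a `$sig` or `$time` value such as `!`, `(` or `=` can in principle change what is being tested. Splitting the tests keeps the fail-closed behaviour this commit introduces (an error status from any one of them still makes `!` take the new-session branch) while removing the ambiguity: `if ! { [ "$checksig" = "$sig" ] && [ "$time" -ge "$d" ] && [ -n "$(printf %s "$sid" |checkid)" ]; } 2>&-`. Separately, `[ "$checksig" = "$sig" ]` is an ordinary short-circuiting byte comparison, so if `$sig` comes from the client cookie (parsed above the hunk) it is not constant-time — likely negligible next to fork/exec noise in a shell CGI, but worth a one-line comment so nobody moves it somewhere where it matters. update_session's body starts before and continues after this hunk.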