#1 2011-10-14 13:56:22

Sir Rufo
Member
Registered: 2011-10-14
Posts: 24

Small Bug in SQLite3Commons.TSQLRestClientURI.SetUser

I found a small bug in that method.
After executing SetUser with no User and Password (could be used as a Logout) all Session-Values are cleared except the SessionUser-Prop.
So after that, the SessionUser-Prop is still assigned, but no User is logged in.

function TSQLRestClientURI.SetUser(const aUserName, aPassword: RawUTF8): boolean;
var aNonce, aClientNonce, aSessionKey: RawUTF8;
    i: integer;
    U: TSQLAuthUser;
begin
  result := false;
  if self=nil then
    exit;
  fSessionID := 0;
  fSessionIDHexa8 := '';
  fSessionPrivateKey := 0;
  if (self=nil) or (aUserName='') then
    exit;
  FreeAndNil(fSessionUser); // <-- Seems to be a little bit too late, should be freed earlier
  U := TSQLAuthUser.Create;
  try
    ...  

a possible fix is to free the SessionUser before the possible exit

  ...
  fSessionPrivateKey := 0;
  FreeAndNil(fSessionUser); // <-- now, we can exit if needed with no risk
  if (self=nil) or (aUserName='') then
    exit;
  // FreeAndNil(fSessionUser); // <-- Seems to be a little bit too late, should be freed earlier
  U := TSQLAuthUser.Create;
  try
    ...  

Offline

#2 2011-10-14 14:38:12

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 14,659
Website

Re: Small Bug in SQLite3Commons.TSQLRestClientURI.SetUser

Since fSessionID was set to 0, no session authentication would be possible.
So it was IMHO not a security breach here.

But I've committed the fix, for the code to be less confusing.
See http://synopse.info/fossil/info/196df0b234

Thanks for the report!

Offline

#3 2011-10-14 18:57:31

Sir Rufo
Member
Registered: 2011-10-14
Posts: 24

Re: Small Bug in SQLite3Commons.TSQLRestClientURI.SetUser

Thanx smile

Last edited by Sir Rufo (2011-10-14 18:57:44)

Offline

Board footer

Powered by FluxBB