I found a small bug in that method.
After executing SetUser with no User and Password (could be used as a Logout) all Session-Values are cleared except the SessionUser-Prop.
So after that, the SessionUser-Prop is still assigned, but no User is logged in.
function TSQLRestClientURI.SetUser(const aUserName, aPassword: RawUTF8): boolean;
var aNonce, aClientNonce, aSessionKey: RawUTF8;
    i: integer;
    U: TSQLAuthUser;
begin
  result := false;
  if self=nil then
    exit;
  fSessionID := 0;
  fSessionIDHexa8 := '';
  fSessionPrivateKey := 0;
  if (self=nil) or (aUserName='') then
    exit;
  FreeAndNil(fSessionUser); // <-- Seems to be a little bit too late, should be freed earlier
  U := TSQLAuthUser.Create;
  try
  ...
A possible fix is to free the SessionUser before the possible exit:
  ...
  fSessionPrivateKey := 0;
  FreeAndNil(fSessionUser); // <-- now, we can exit if needed with no risk
  if (self=nil) or (aUserName='') then
    exit;
  // FreeAndNil(fSessionUser); // <-- Seems to be a little bit too late, should be freed earlier
  U := TSQLAuthUser.Create;
  try
  ...
Since fSessionID was set to 0, no session authentication would be possible.
So it was IMHO not a security breach here.
But I've committed the fix, for the code to be less confusing.
See http://synopse.info/fossil/info/196df0b234
Thanks for the report!
Thanx
Last edited by Sir Rufo (2011-10-14 18:57:44)