From f83bb9996b7bd36e8f032e389ad4eb4a3bfe590d Mon Sep 17 00:00:00 2001
From: Steven Barth
Date: Mon, 11 Aug 2008 10:43:31 +0000
Subject: [PATCH] libs/web: Add additional sanity checks to session mechanism
---
 libs/web/luasrc/sauth.lua | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)
diff --git a/libs/web/luasrc/sauth.lua b/libs/web/luasrc/sauth.lua
index d25f287c5..8182679ce 100644
--- a/libs/web/luasrc/sauth.lua
+++ b/libs/web/luasrc/sauth.lua
@@ -45,14 +45,16 @@ end
 --- Prepare session storage by creating the session directory.
 function prepare()
 luci.fs.mkdir(sessionpath)
- luci.fs.chmod(sessionpath, "a-rwx,u+rwx")
+ if not luci.fs.chmod(sessionpath, "a-rwx,u+rwx") then
+ error("Security Exception: Session path is not sane!")
+ end
 end
 --- Read a session and return its content.
 -- @param id Session identifier
 -- @return Session data
 function read(id)
- if not id then
+ if not id or not sane() then
 return
 end
 clean()
@@ -60,11 +62,18 @@ function read(id)
 end
+--- Check whether Session environment is sane.
+-- @return Boolean status
+function sane()
+ return luci.fs.stat(sessionpath, "mode") == "rwx------"
+end
+
+
 --- Write session data to a session file.
 -- @param id Session identifier
 -- @param data Session data
 function write(id, data)
- if not luci.fs.stat(sessionpath) then
+ if not sane() then
 prepare()
 end
 luci.fs.writefile(sessionpath .. "/" .. id, data)
-- 
2.25.1
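Review bot: The new check in `prepare()` only fails when `chmod` itself fails, so a path that already exists and belongs to another local user, or is not a directory, still passes whenever the process is allowed to chmod it; the return value of `luci.fs.mkdir` is also ignored. The same gap is in `sane()` in the second hunk, which compares the mode string alone. Both would be tighter if they also compared `luci.fs.stat(sessionpath, "uid")` with the process's own uid and `luci.fs.stat(sessionpath, "type")` with `"directory"`, assuming the stat wrapper exposes those fields the way it exposes `mode`. In `read()`, the early `return` on `not sane()` is indistinguishable from a missing session, so a log line there would help an operator notice a tampered session directory; `read()` continues outside the hunk.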
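Review bot: `write()` still builds the file name as `sessionpath .. "/" .. id` without checking `id`, so the directory checks added in this commit do not stop an identifier containing `/` or `..` from resolving outside the session directory. A guard at the top of `write()` such as `if not id or not id:match("^%w+$") then error("Security Exception: Session ID is not sane!") end` would close that, provided session ids are purely alphanumeric (their format is not visible here). `read()` presumably needs the same guard before its file access, which lies outside the first hunk. `write()` also calls `writefile` right after `prepare()` without re-running `sane()`, and its closing `end` is outside the hunk.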