[fix] Security risk due to cache full of different uris

ljf 2021-07-02 17:40:17 +02:00
parent ca2a605dce
commit 6de4b10e81


@ -277,15 +277,6 @@ function refresh_logged_in()
return is_logged_in return is_logged_in
end end
function log_access(user, uri)
local key = "ACC|"..user.."|"..uri
local block = cache:get(key)
if block == nil then
logger.info("User "..user.."@"..ngx.var.remote_addr.." accesses "..uri)
cache:set(key, "block", 60)
end
end
-- Check whether a user is allowed to access a URL using the `permissions` directive -- Check whether a user is allowed to access a URL using the `permissions` directive
-- of the configuration file -- of the configuration file
function has_access(permission, user) function has_access(permission, user)
@ -308,7 +299,6 @@ function has_access(permission, user)
-- The user has permission to access the content if he is in the list of allowed users -- The user has permission to access the content if he is in the list of allowed users
if element_is_in_table(user, permission["users"]) then if element_is_in_table(user, permission["users"]) then
logger.debug("User "..user.." can access "..ngx.var.host..ngx.var.uri..uri_args_string()) logger.debug("User "..user.." can access "..ngx.var.host..ngx.var.uri..uri_args_string())
log_access(user, ngx.var.host..ngx.var.uri..uri_args_string())
return true return true
else else
logger.debug("User "..user.." cannot access "..ngx.var.uri) logger.debug("User "..user.." cannot access "..ngx.var.uri)
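Review bot: With `log_access` and its call removed, the only record of a granted access left in `has_access` is the `logger.debug` line, so at normal log levels the application no longer keeps a trail of which user reached which URL. If that trail is still wanted, it can come back without the per-URI cache keys this commit removes: key the de-duplication on the user alone, e.g. `local key = "ACC|"..user`, or drop the cache and rely on the nginx access log. The remaining debug line concatenates `ngx.var.uri` and `uri_args_string()` into the message as-is. Both are presumably client-supplied, so a comment such as `-- NOTE: uri and args come from the request; escape control characters before logging` would help the next maintainer. `has_access` starts and ends outside the visible hunks.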