fix(security): use user id instead of session id in session page #8876

merged 5 commits into from
Jul 29, 2020
13 changes: 1 addition & 12 deletions www/api/class/centreon_ldap_synchro.class.php
Expand Up @@ -78,16 +78,12 @@ public function postRequestLdapSynchro(): bool
$_POST['contactId'] ?? null,
FILTER_VALIDATE_INT
);
$sessionId = filter_var(
$_POST['sessionId'] ?? null,
FILTER_SANITIZE_STRING
);

if (!$this->isLdapEnabled()) {
return $result;
}

if (empty($contactId) && empty($sessionId)) {
if (empty($contactId)) {
$this->centreonLog->insertLog(
3, //ldap.log
"LDAP MANUAL SYNC : Error - Chosen contact data are missing."
Expand All @@ -105,13 +101,6 @@ public function postRequestLdapSynchro(): bool
WHERE `contact_id` = :contactId'
);
$resUser->bindValue(':contactId', $contactId, PDO::PARAM_INT);
} elseif ($sessionId) {
$resUser = $this->pearDB->prepare(
'SELECT `contact_id`, `contact_name` FROM contact
LEFT JOIN session ON session.user_id = contact.contact_id
WHERE session.session_id = :userSessionId'
);
$resUser->bindValue(':userSessionId', $sessionId, PDO::PARAM_STR);
}
$resUser->execute();
$contact = $resUser->fetch();
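Review bot: With the session branch removed, nothing in the visible new code checks that the caller is allowed to request a resync for an arbitrary `contactId`; the only gate in the hunk is `isLdapEnabled()`, while the UI side in connected_user.php only offers this action when `$centreon->user->admin` is set. Unless that authorization is enforced elsewhere in the class (the method body continues outside both hunks), an explicit admin check before the contact query would keep the API consistent with the page. The integer filter also still accepts 0 and negative values, and `empty($contactId)` only catches the former; `filter_var($_POST['contactId'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]])` would reject the rest at the boundary. After the `elseif ($sessionId)` removal the surrounding `if ($contactId) {` guard appears redundant given the early return on an empty id, but that line is outside the hunk so this is inferred.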
20 changes: 10 additions & 10 deletions www/include/options/session/connected_user.php
Expand Up @@ -51,26 +51,26 @@
FILTER_SANITIZE_STRING
);

$selectedUserSid = filter_var(
$_GET['session'] ?? null, // the sessionId of the chosen user
FILTER_SANITIZE_STRING
$selectedUserId = filter_var(
$_GET['user'] ?? null,
FILTER_VALIDATE_INT
);

$currentPage = filter_var(
$_GET['p'] ?? $_POST['p'] ?? 0,
FILTER_VALIDATE_INT
);

if ($selectedUserSid) {
if ($selectedUserId) {
$msg = new CentreonMsg();
$msg->setTextStyle("bold");
$msg->setTimeOut("3");

switch ($action) {
// logout action
case KICK_USER:
$stmt = $pearDB->prepare("DELETE FROM session WHERE session_id = :userSessionId");
$stmt->bindValue(':userSessionId', $selectedUserSid, \PDO::PARAM_STR);
$stmt = $pearDB->prepare("DELETE FROM session WHERE user_id = :userId");
$stmt->bindValue(':userId', $selectedUserId, \PDO::PARAM_INT);
$stmt->execute();
$msg->setText(_("User kicked"));
break;
Expand Down Expand Up @@ -122,7 +122,7 @@
if ($centreon->user->admin) {
// adding the link to be able to kick the user
$session_data[$cpt]["actions"] =
"<a href='./main.php?p=" . $p . "&o=k&session=" . $r['session_id'] . "'>" .
"<a href='./main.php?p=" . $p . "&o=k&user=" . $r['user_id'] . "'>" .
"<img src='./img/icons/delete.png' border='0' alt='" . _("Kick User") .
"' title='" . _("Kick User") . "'>" .
"</a>";
Expand All @@ -139,7 +139,7 @@
"<a href='#'>" .
"<img src='./img/icons/refresh.png' border='0' " .
"alt='" . _("Synchronize LDAP") . "' title='" . _("Synchronize LDAP") . "' " .
"onclick='submitSync(" . $currentPage . ", \"" . $r['session_id'] . "\")'>" .
"onclick='submitSync(" . $currentPage . ", \"" . $r['user_id'] . "\")'>" .
"</a>";
} else {
// hiding the synchronization option and details
Expand Down Expand Up @@ -171,7 +171,7 @@
formatDateMoment();

// ask for confirmation when requesting to resynchronize contact data from the LDAP
function submitSync(p, sessionId) {
function submitSync(p, contactId) {
// msg = localized message to be displayed in the confirmation popup
let msg = "<?= _('All this contact sessions will be closed. Are you sure you want to request a ' .
'synchronization at the next login of this Contact ?'); ?>";
Expand All @@ -181,7 +181,7 @@ function submitSync(p, sessionId) {
url: './api/internal.php?object=centreon_ldap_synchro&action=requestLdapSynchro',
type: 'POST',
async: false,
data: {sessionId: sessionId},
data: {contactId: contactId},
success: function(data) {
if (data === true) {
window.location.href = "?p=" + p;
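Review bot: The explanatory comment on the request input was dropped with the rename; the new line `$_GET['user'] ?? null,` should carry `// contact_id of the selected user` as the old `$_GET['session']` line did. The kick branch now deletes every session row for that user (`DELETE FROM session WHERE user_id = :userId`) instead of the single session the admin clicked, which is presumably intended but worth stating in the branch comment, e.g. `// logout action: closes every open session of the selected user`. The kick is still triggered by a plain GET link (`&o=k&user=` at line 108) and no anti-CSRF token is visible in these hunks; if the enclosing page does not already add one, a per-session token on that link is the natural next hardening step. The `submitSync` function and the `switch` it belongs to both extend outside the hunks.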