
Merge pull request #341 from tiegz/session_vulnerability

Fix session persistence sql vulnerabilities
2 parents a72ed49 + 1d57a6c commit e6000bd197bd7f93bf5ffb30db1df2dec8ab686d @binarylogic committed Dec 28, 2012
Showing with 20 additions and 2 deletions.
  1. +2 −2 lib/authlogic/session/session.rb
  2. +18 −0 test/session_test/session_test.rb
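--- a/lib/authlogic/session/session.rb
+++ b/lib/authlogic/session/session.rb
@@ -35,8 +35,8 @@ def persist_by_session
 # Allow finding by persistence token, because when records are created the session is maintained in a before_save, when there is no id.
 # This is done for performance reasons and to save on queries.
 record = record_id.nil? ?
-search_for_record("find_by_persistence_token", persistence_token) :
-search_for_record("find_by_#{klass.primary_key}", record_id)
+search_for_record("find_by_persistence_token", persistence_token.to_s) :
+search_for_record("find_by_#{klass.primary_key}", record_id.to_s)
 self.unauthorized_record = record if record && record.persistence_token == persistence_token
 valid?
 else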
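Review bot: The `.to_s` on the two `search_for_record` calls stops a Hash from being interpreted as finder options, but it still turns any non-String session value into its `inspect` string and runs a lookup with that; a stricter guard is to refuse unexpected types before querying, e.g. `return false unless persistence_token.is_a?(String)` ahead of the `record_id.nil?` branch, and likewise accept only an Integer or String for `record_id` (the method's return convention is outside this hunk, so adjust the early exit to match). The line after the change, `record.persistence_token == persistence_token`, compares against the raw session value, so a coerced value can never match a record; that is the second half of the defence and deserves a one-line comment such as `# Compare against the raw session value so a coerced lookup key can never authenticate.` `persist_by_session` begins before and continues past this hunk, and how `search_for_record` uses its argument is not visible here.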
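--- a/test/session_test/session_test.rb
+++ b/test/session_test/session_test.rb
@@ -20,6 +20,24 @@ def test_persist_persist_by_session
 assert_equal ben, session.record
 assert_equal ben.persistence_token, controller.session["user_credentials"]
 end
+
+def test_persist_persist_by_session_with_session_fixation_attack
+ben = users(:ben)
+controller.session["user_credentials"] = 'neo'
+controller.session["user_credentials_id"] = {:select => " *,'neo' AS persistence_token FROM users WHERE id = #{ben.id} limit 1 -- "}
+@user_session = UserSession.find
+assert @user_session.blank?
+end
+
+def test_persist_persist_by_session_with_sql_injection_attack
+ben = users(:ben)
+controller.session["user_credentials"] = {:select => "ABRA CADABRA"}
+controller.session["user_credentials_id"] = nil
+assert_nothing_raised do
+@user_session = UserSession.find
+end
+assert @user_session.blank?
+end
 def test_persist_persist_by_session_with_token_only
 ben = users(:ben)
 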
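Review bot: The name `test_persist_persist_by_session_with_session_fixation_attack` does not describe what the first added test exercises: the payload is a finder-options Hash placed in `user_credentials_id`, i.e. injection through a `:select` option, not session fixation; a name such as `test_persist_by_session_rejects_hash_in_credentials_id` states what is asserted. In the second test, `ben` is assigned but never used (unless it is there to force fixture loading, which a comment should say), and `assert_nothing_raised` adds nothing because an exception already fails the test; `assert @user_session.blank?` is the real check, so the body can reduce to the two session assignments followed by `assert UserSession.find.blank?`. Both tests rely on `blank?`; if `UserSession.find` can return an invalid session object rather than nil, `assert_nil @user_session` is the tighter assertion, but that depends on `find`, which is outside this file.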
1 comment on commit e6000bd

@mveytsman

Hey, did this patch make into a released version of Authlogic, or is it only available to people pulling directly from github?
