Hotfix v5.18.3 #2512

PromoFaux · 2023-01-25T18:54:03Z

No description provided.

Signed-off-by: 4n4nk3 <47717886+4n4nk3@users.noreply.github.com>

Fix Improper Session Handling vulnerability of "Remember me for 7 days" functionality

PromoFaux · 2023-01-25T18:54:21Z

Ah of course, the linter would not have run on the advisory PR...

DL6ER · 2023-01-25T21:10:53Z

Just FYI: The Pi-hole v6.0 draft has something achieving the same (but differently) since almost two year. Here, we generate a random token for every successful login and assign a dedicated timeout to it (can be very long -> persistent login). In comparison to this realization, the v6.0 approach also takes the client IP address into account so "stealing" authentication from one device to another isn't possible.

PromoFaux and others added 3 commits January 22, 2023 17:15

Sync master back into development (#2510)

30cddca

Fix insecure persistent login token

d31cf9d

Signed-off-by: 4n4nk3 <47717886+4n4nk3@users.noreply.github.com>

Merge pull request from GHSA-33w4-xf7m-f82m

a998f51

Fix Improper Session Handling vulnerability of "Remember me for 7 days" functionality

PromoFaux added the internal label Jan 25, 2023

PromoFaux requested a review from a team January 25, 2023 18:54

Fix PHP-CS-Fixer complaints

8025a38

yubiuser approved these changes Jan 25, 2023

View reviewed changes

rdwebdesign approved these changes Jan 25, 2023

View reviewed changes

DL6ER approved these changes Jan 25, 2023

View reviewed changes

PromoFaux merged commit fb1b5c3 into master Jan 25, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Hotfix v5.18.3 #2512

Hotfix v5.18.3 #2512

PromoFaux commented Jan 25, 2023

PromoFaux commented Jan 25, 2023

DL6ER commented Jan 25, 2023

Hotfix v5.18.3 #2512

Hotfix v5.18.3 #2512

Conversation

PromoFaux commented Jan 25, 2023

PromoFaux commented Jan 25, 2023

DL6ER commented Jan 25, 2023