Commit 7346fceeff8bea1eaa500dd3ce1677deb84f8b77 - Do not use UA when building anti-CSRF token. Think about plugins which change the UA at every request
Author: Catalin(ux) M. BOIE
Author date (UTC): 2017-03-21 16:36
Committer name: Catalin(ux) M. BOIE
Committer date (UTC): 2017-03-21 16:40
Parent(s): 13f8037ba76b57ae919758609c523dcbb6588745
Signing key:
Tree: 44c1ce66567acb691158ed2c84e8e889a51dca3a
File Lines added Lines deleted
inc/token.inc.php 5 7
tests/http_csrf.php 0 30
File inc/token.inc.php changed (mode: 100644) (index 8283ef5..5e18f4a)
... ... function rg_token_get_master($db)
101 101 function rg_token_valid($db, $rg, $tag, $double_allowed) function rg_token_valid($db, $rg, $tag, $double_allowed)
102 102 { {
103 103 rg_prof_start("token_valid"); rg_prof_start("token_valid");
104 rg_log_enter("token_valid: sid=" . $rg['sid'] . " token=" . $rg['token']
105 . " ua=" . $rg['ua'] . ' tag=' . $tag);
104 rg_log_enter('token_valid: sid=' . $rg['sid'] . ' token=' . $rg['token']
105 . ' tag=' . $tag);
106 106
107 107 $ret = FALSE; $ret = FALSE;
108 108 while (1) { while (1) {
 
... ... function rg_token_valid($db, $rg, $tag, $double_allowed)
114 114 } }
115 115 $rg['token'] = substr($rg['token'], 0, 32); $rg['token'] = substr($rg['token'], 0, 32);
116 116
117 // We have to check first because of ua
118 117 $key = rg_token_get_master($db); $key = rg_token_get_master($db);
119 118 if ($key === FALSE) if ($key === FALSE)
120 119 break; break;
 
... ... function rg_token_valid($db, $rg, $tag, $double_allowed)
122 121 $rand = substr($rg['token'], 0, 16); $rand = substr($rg['token'], 0, 16);
123 122 $sign = substr($rg['token'], 16, 16); $sign = substr($rg['token'], 16, 16);
124 123
125 $data = $rand . $rg['sid'] . $rg['ua'] . $tag;
124 $data = $rand . $rg['sid'] . $tag;
126 125 $hash = hash_hmac('sha512', $data, $key); $hash = hash_hmac('sha512', $data, $key);
127 126 if ($hash === FALSE) { if ($hash === FALSE) {
128 127 rg_token_set_error("cannot compute hmac"); rg_token_set_error("cannot compute hmac");
 
... ... function rg_token_valid($db, $rg, $tag, $double_allowed)
213 212 */ */
214 213 function rg_token_get($db, $rg, $tag) function rg_token_get($db, $rg, $tag)
215 214 { {
216 rg_log_enter('token_get: sid=' . $rg['sid'] . ' tag=' . $tag
217 . ' ua=' . $rg['ua']);
215 rg_log_enter('token_get: sid=' . $rg['sid'] . ' tag=' . $tag);
218 216
219 217 $ret = FALSE; $ret = FALSE;
220 218 while (1) { while (1) {
 
... ... function rg_token_get($db, $rg, $tag)
234 232
235 233 // Add a random string to protect against BREACH attack // Add a random string to protect against BREACH attack
236 234 $rand = rg_id(16); $rand = rg_id(16);
237 $data = $rand . $rg['sid'] . $rg['ua'] . $tag;
235 $data = $rand . $rg['sid'] . $tag;
238 236 $sign = hash_hmac('sha512', $data, $sign_key); $sign = hash_hmac('sha512', $data, $sign_key);
239 237 if ($sign === FALSE) { if ($sign === FALSE) {
240 238 rg_token_set_error("cannot compute hmac"); rg_token_set_error("cannot compute hmac");
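Review bot: The rebuilt entry log in rg_token_valid still writes the raw token value to the log (`' token=' . $rg['token']`), so a live anti-CSRF token for that session ends up wherever the log is shipped; logging only a prefix, e.g. `' token=' . substr($rg['token'], 0, 8) . '...'`, keeps the diagnostic value without storing the secret. With the user-agent dropped from the HMAC input in both rg_token_valid and rg_token_get, the token is bound only to sid and tag, which is the usual session-bound design, but the docblocks above both functions (outside these hunks, only the closing `*/` of rg_token_get's is visible) presumably still describe the UA binding and should be updated to match. The user-agent test deleted from tests/http_csrf.php is not replaced by one that posts a valid token under a different sid, so the binding that remains is now untested. Both function bodies continue outside the hunks.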
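--- a/tests/http_csrf.php
+++ b/tests/http_csrf.php
@@ -30,36 +30,6 @@ if ($r === FALSE) {
 exit(1);
 }
 
-rg_log_enter("Loading suggestion form (ua test)");
-test_set_ua("user-agent-1");
-test_set_referer($test_url);
-$data = array();
-$headers = array("Cookie: sid=" . $good_sid);
-$r = do_req($test_url . "/op/suggestion?t=load_suggestion_form_ua", $data, $headers);
-if (!stristr($r['body'], "action=\"/op/suggestion\"")) {
-rg_log("Cannot load form! See above.");
-exit(1);
-}
-$good_token = $r['tokens']['suggestion'];
-rg_log_exit();
-
-rg_log_enter("Try posting with different user-agent: should not work");
-test_set_ua("user-agent-2");
-$data = array(
-"doit" => 1,
-"token" => $good_token,
-"suggestion" => "bla bla bla<xss>"
-);
-$headers = array("Cookie: sid=" . $good_sid);
-$r = do_req($test_url . "/op/suggestion?t=post_suggestion_form_diff_ua", $data, $headers);
-if (!stristr($r['body'], "invalid token")) {
-rg_log("Seems I could add a suggestion bypassing CSRF"
-. " protection based on user-agent! See above.");
-exit(1);
-}
-rg_log_exit();
-
-
 rg_log_enter("Loading suggestion form (referer test)");
 test_set_ua("user-agent-1");
 test_set_referer($test_url);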