This repository has been archived by the owner on Jul 22, 2019. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 3
/
CHANGES
113 lines (82 loc) · 4.5 KB
/
CHANGES
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
[Note - version numbers 0.6, 0.61, and 0.62 are reserved to refer to
incompatible versions of this module that were distributed only as
part of Raven authentication support for phpBB3 in early 2008]
0.53 2017-05-19 JW
Remove 7th parameter to gmmktime
This parameter does nothing, has been deprecated for some
while and was removed in PHP 7.
0.52 2015-03-10 JW
Fix a path traversal vulnerability in handling keyid.
The Ucam WebAuth response parameter 'keyid' identifies the RSA key
used to sign the request. In this implementation keyid is used to form
a file name from which the key is read. The implementation failed to
sanitise the value of keyid, allowing an attacker to use path traversal
to select a different key to use for verification. An attacker who
could arrange for that key to be one for which he had the corresponding
private key could effectively forge authentication messages.
This edit checks that keyid matches the (recently-clarified)
definition of being entirely numeric, of being no longer than 8
characters, and of not starting with a zero.
<unreleased> 2014-03-27 MCV
Authenticate can now force re-authentication
This is actually a batch of changes by John Sutton [DAMTP], which he
describes as "enhancements and bug-fixes". The largest change he
describes thus:
"The main function authenticate($authassertionid = NULL, $testauthonly
= NULL) now takes the two arguments:
$authassertionid - is used to force re-authentication. If specified,
it can be read as “authenticate(‘but this ticket will not do’)”. I
use it to implement an idle timeout as follows: on every successful
authentication, retrieve the current ticket id using the id() function
and store it somewhere. When you want to force re-authentication,
pass this ticket id back in as the first argument to authenticate().
$testauthonly - a boolean which if set true means to only test the
authentication state, i.e., return true or false accordingly but do
NOT send any headers. This is useful when you are working with ajax
requests."
0.51 2008-04-28 JML
* Added support for (mandatory) hostname option, which can be set via the
constructor or the hostname get/set method
* Fixed potential security issue, which arose due to failure to use a
reliable source of hostname when reconstructing the current URL for use in
various redirects and checks
* Added redirection to the "correct URL" (before authentication) if the
configured hostname does not match the hostname in the request's Host:
header, to tackle some consequences of inconsistent/varying choice of
hostname in URLs for the site.
* Failure to define cookie_key when using Ucam_Webauth sesssions is now
reported properly as an error (via status code and message text).
[Note that the hostname-related security issues affecting V0.5 and
earlier also affect versions 0.6 (Nov 2007) & 0.61 (early April
2008) which were distributed only as part of Raven authentication
support for phpBB3. However, since those versions are significantly
different from 0.5, version 0.51 cannot be used as a drop-in
replacement for 0.6 or 0.61.]
0.5 2005-03-22 JW
* No code changes - assorted comment and text alterations to make it
clear that the module is distributed under the GNU LGPL.
0.4 2005-01-27 JW
* Fixed yet another problem that could result in 'pre-expired' session
cookies when run on a plaform with an inaccurate clock even if
clock_skew was set correctly
0.3 2005-01-24 JW
* Previous fix didn't seem to resolve the odity with ksort/implode not
always working. Added code to assemble cookies by hand to work round
this
0.2 2005-01-23 JW
* Dropped bogus SESSION_TICKET_KEY field from session ticket, and
initialised the SESSION_TICKET_ver field. One or the other or both
of these seems to cure a problem in which ksort (at least in PHP
4.3.10) doesn't and which results in corrupt session cookies.
* Ignore empty/zero $WLS_TOKEN_LIFE field in WLS response. Failing to
do so caused all error responses (including 'User Cancelled') to
result in an immediate return to the WLS with a message about an
expired local session.
* Fixed typo: $SESSIOM_TICKET_PARAMS -> $SESSION_TICKET_PARAMS
* Added missing property 'fail' and a get/set routine for it
* Added a 'band-aid' check for the likely case of the certificate file
not being found or readable, but all the error handeling here needs
re-working.
* Added an error_log entry if the local session has expired
0.1 (28/0404)
. First working version