|
 |
f147723 |
From 66f2db86bf06d229a48bfa197cf93cb41e59953d Mon Sep 17 00:00:00 2001
|
|
|
f147723 |
From: Ruben <ruben@rubenkerkhof.com>
|
|
|
f147723 |
Date: Sun, 17 Oct 2010 17:38:55 +0200
|
|
|
f147723 |
Subject: [PATCH 11/14] 25_CVE-2009-1629.diff from Debian
|
|
|
f147723 |
|
|
|
f147723 |
---
|
|
|
f147723 |
ajaxterm.js | 17 ++++++++++++++-
|
|
|
f147723 |
ajaxterm.py | 65 ++++++++++++++++++++++++++++++++++++++++++++++++++++------
|
|
|
f147723 |
2 files changed, 74 insertions(+), 8 deletions(-)
|
|
|
f147723 |
|
|
|
f147723 |
diff --git a/ajaxterm.js b/ajaxterm.js
|
|
|
f147723 |
index 4edcb6c..2579a8f 100644
|
|
|
f147723 |
--- a/ajaxterm.js
|
|
|
f147723 |
+++ b/ajaxterm.js
|
|
|
f147723 |
@@ -6,7 +6,22 @@ ajaxterm.Terminal_ctor=function(id,width,height) {
|
|
|
f147723 |
ie=1;
|
|
|
f147723 |
if (navigator.userAgent.indexOf("WebKit") >= 0)
|
|
|
f147723 |
webkit=1;
|
|
|
f147723 |
- var sid=""+Math.round(Math.random()*1000000000);
|
|
|
f147723 |
+ var sid="";
|
|
|
f147723 |
+
|
|
|
f147723 |
+ for (var i=0; i < 255; i++) {
|
|
|
f147723 |
+ var r = 0;
|
|
|
f147723 |
+ // now get a random number between 0 and 255
|
|
|
f147723 |
+ // numbers not in the range are intentionally discarded
|
|
|
f147723 |
+ // as it reduces the chance of predicting the seed, by not
|
|
|
f147723 |
+ // using all of the numbers generated by the PRNG
|
|
|
f147723 |
+ do {
|
|
|
f147723 |
+ r = Math.round(Math.random()*1000);
|
|
|
f147723 |
+ } while(r >= 255);
|
|
|
f147723 |
+ r = r.toString(16);
|
|
|
f147723 |
+ if (r.length == 1)
|
|
|
f147723 |
+ r = "0"+r;
|
|
|
f147723 |
+ sid += "%" + r;
|
|
|
f147723 |
+ }
|
|
|
f147723 |
|
|
|
f147723 |
if (width==0) {
|
|
|
f147723 |
width=80;
|
|
|
f147723 |
diff --git a/ajaxterm.py b/ajaxterm.py
|
|
|
f147723 |
index 962e685..8695590 100755
|
|
|
f147723 |
--- a/ajaxterm.py
|
|
|
f147723 |
+++ b/ajaxterm.py
|
|
|
f147723 |
@@ -8,8 +8,14 @@ try:
|
|
|
f147723 |
except:
|
|
|
f147723 |
pass
|
|
|
f147723 |
|
|
|
f147723 |
-import array,cgi,fcntl,glob,mimetypes,optparse,os,pty,random,re,signal,select,sys,threading,time,termios,struct,pwd
|
|
|
f147723 |
-from datetime import datetime
|
|
|
f147723 |
+import array,cgi,fcntl,glob,mimetypes,optparse,os,pty,random,re,signal,select,sys,threading,time,termios,struct,pwd,Cookie
|
|
|
f147723 |
+from datetime import datetime, timedelta
|
|
|
f147723 |
+
|
|
|
f147723 |
+try:
|
|
|
f147723 |
+ from hashlib import sha1
|
|
|
f147723 |
+except ImportError:
|
|
|
f147723 |
+ import sha
|
|
|
f147723 |
+ sha1 = sha.new
|
|
|
f147723 |
|
|
|
f147723 |
os.chdir(os.path.normpath(os.path.dirname(__file__)))
|
|
|
f147723 |
# Optional: Add QWeb in sys path
|
|
|
f147723 |
@@ -517,30 +523,61 @@ class AjaxTerm:
|
|
|
f147723 |
self.multi = Multiplex(cmd,serverport)
|
|
|
f147723 |
self.reaper = Reaper(self.multi)
|
|
|
f147723 |
self.session = {}
|
|
|
f147723 |
+ self.session_ip = {}
|
|
|
f147723 |
+ self.sessions_limit = 20
|
|
|
f147723 |
+ self.sessions_user_limit = 4
|
|
|
f147723 |
+ m = sha1()
|
|
|
f147723 |
+ m.update(os.urandom(128))
|
|
|
f147723 |
+ self.cookie_name = m.hexdigest()
|
|
|
f147723 |
def __call__(self, environ, start_response):
|
|
|
f147723 |
req = qweb.QWebRequest(environ, start_response,session=None)
|
|
|
f147723 |
if req.PATH_INFO.endswith('/u'):
|
|
|
f147723 |
+ req.response_headers['Content-Type']='text/xml'
|
|
|
f147723 |
+ uid=""
|
|
|
f147723 |
+ if self.cookie_name not in req.request_cookies:
|
|
|
f147723 |
+ req.write('<idem></idem>')
|
|
|
f147723 |
+ return req
|
|
|
f147723 |
+ uid = req.request_cookies[self.cookie_name].value
|
|
|
f147723 |
s=req.REQUEST["s"]
|
|
|
f147723 |
k=req.REQUEST["k"]
|
|
|
f147723 |
c=req.REQUEST["c"]
|
|
|
f147723 |
w=req.REQUEST.int("w")
|
|
|
f147723 |
h=req.REQUEST.int("h")
|
|
|
f147723 |
- if s in self.session:
|
|
|
f147723 |
- term=self.session[s]
|
|
|
f147723 |
+ ip="unknown"
|
|
|
f147723 |
+ if environ.has_key("REMOTE_ADDR"):
|
|
|
f147723 |
+ ip=environ['REMOTE_ADDR']
|
|
|
f147723 |
+ if ip == "127.0.0.1" and environ.has_key("HTTP_X_FORWARDED_FOR"):
|
|
|
f147723 |
+ ip=environ["HTTP_X_FORWARDED_FOR"]
|
|
|
f147723 |
+
|
|
|
f147723 |
+ if (uid+s) in self.session:
|
|
|
f147723 |
+ term=self.session[uid+s]
|
|
|
f147723 |
+ req.response_cookies.load(req.request_cookies[self.cookie_name].OutputString())
|
|
|
f147723 |
+ req.response_cookies[self.cookie_name]['expires'] = datetime.utcnow()+timedelta(seconds=60)
|
|
|
f147723 |
else:
|
|
|
f147723 |
if not (w>2 and w<256 and h>2 and h<100):
|
|
|
f147723 |
w,h=80,25
|
|
|
f147723 |
- term=self.session[s]=self.multi.create(w,h)
|
|
|
f147723 |
+ # check if there aren't too many open sessions
|
|
|
f147723 |
+ if len(self.session) < self.sessions_limit:
|
|
|
f147723 |
+ count=0
|
|
|
f147723 |
+ for i in self.session_ip.keys():
|
|
|
f147723 |
+ if self.session_ip[i] == ip:
|
|
|
f147723 |
+ count+=1
|
|
|
f147723 |
+ if count <= self.sessions_user_limit:
|
|
|
f147723 |
+ term=self.session[uid+s]=self.multi.create(w,h)
|
|
|
f147723 |
+ self.session_ip[uid+s]=ip
|
|
|
f147723 |
+ else:
|
|
|
f147723 |
+ req.write('<idem></idem>')
|
|
|
f147723 |
+ return req
|
|
|
f147723 |
if k:
|
|
|
f147723 |
self.multi.proc_write(term,k)
|
|
|
f147723 |
time.sleep(0.002)
|
|
|
f147723 |
dump=self.multi.dump(term,c)
|
|
|
f147723 |
- req.response_headers['Content-Type']='text/xml'
|
|
|
f147723 |
if isinstance(dump,str):
|
|
|
f147723 |
req.write(dump)
|
|
|
f147723 |
req.response_gzencode=1
|
|
|
f147723 |
else:
|
|
|
f147723 |
- del self.session[s]
|
|
|
f147723 |
+ del self.session[uid+s]
|
|
|
f147723 |
+ del self.session_ip[uid+s]
|
|
|
f147723 |
req.write('<idem></idem>')
|
|
|
f147723 |
# print "sessions %r"%self.session
|
|
|
f147723 |
else:
|
|
|
f147723 |
@@ -549,9 +586,23 @@ class AjaxTerm:
|
|
|
f147723 |
req.response_headers['Content-Type'] = self.mime.get(os.path.splitext(n)[1].lower(), 'application/octet-stream')
|
|
|
f147723 |
req.write(self.files[n])
|
|
|
f147723 |
else:
|
|
|
f147723 |
+ if self.cookie_name not in req.request_cookies:
|
|
|
f147723 |
+ self.genSidCookie(req)
|
|
|
f147723 |
req.response_headers['Content-Type'] = 'text/html; charset=UTF-8'
|
|
|
f147723 |
req.write(self.files['index'])
|
|
|
f147723 |
return req
|
|
|
f147723 |
+ def genSidCookie(self, req):
|
|
|
f147723 |
+ m = sha1()
|
|
|
f147723 |
+ m.update(os.urandom(160))
|
|
|
f147723 |
+ req.response_cookies[self.cookie_name] = m.hexdigest()
|
|
|
f147723 |
+ # try to set httponly if supported (added in 2.6)
|
|
|
f147723 |
+ try:
|
|
|
f147723 |
+ req.response_cookies[self.cookie_name]['httponly'] = 1
|
|
|
f147723 |
+ except (Cookie.CookieError):
|
|
|
f147723 |
+ pass
|
|
|
f147723 |
+ req.response_cookies[self.cookie_name]['path'] = req.PATH_INFO
|
|
|
f147723 |
+ req.response_cookies[self.cookie_name]['expires'] = datetime.utcnow()+timedelta(seconds=60)
|
|
|
f147723 |
+ return req
|
|
|
f147723 |
|
|
|
f147723 |
def main():
|
|
|
f147723 |
parser = optparse.OptionParser()
|
|
|
f147723 |
--
|
|
|
f147723 |
1.7.3.1
|
|
|
f147723 |
|