[Mapbender-commits] r8548 - in trunk/mapbender: conf http/php http/print/classes owsproxy/http

svn_mapbender at osgeo.org svn_mapbender at osgeo.org
Sun Jan 20 09:29:41 PST 2013


Author: armin11
Date: 2013-01-20 09:29:40 -0800 (Sun, 20 Jan 2013)
New Revision: 8548

Modified:
   trunk/mapbender/conf/mapbender.conf-dist
   trunk/mapbender/http/php/wms.php
   trunk/mapbender/http/print/classes/mbMapDecorator.php
   trunk/mapbender/owsproxy/http/index.php
Log:
Bugfix for owsproxy - there were some security risks which had to be minimized. The printing via owsproxy needs the option for grabbing the session information! Maybe we have to allow this only if it is called from localhost or 127.0.0.1.

Modified: trunk/mapbender/conf/mapbender.conf-dist
===================================================================
--- trunk/mapbender/conf/mapbender.conf-dist	2013-01-18 18:50:41 UTC (rev 8547)
+++ trunk/mapbender/conf/mapbender.conf-dist	2013-01-20 17:29:40 UTC (rev 8548)
@@ -62,7 +62,10 @@
 define("OWSPROXY_USE_LOCALHOST", false);
 # Allow OWSPROXY to serve services which are available to the public user - a new session will be set
 define("OWSPROXY_ALLOW_PUBLIC_USER", false);
-
+# Bind the owsproxy to the ip address of the session for which it was invoked. Makes the proxy more secure. The dynamiccaly build url can only be used on one computer - beware of NAT rules ;-). The IP has to be written into the session.
+define("OWSPROXY_BIND_IP", false);
+# Allow the use of an existing session for other calling applications. The url will be used to identify an existing session and the application will use this identity! Beware of security problems if the url is given to an other user. This one may alter the original identity! For security reasons set this value to false. 
+define("OWSPROXY_ALLOW_SESSION_GRABBING", false);
 # --------------------------------------------
 # Definitions for HTTP Authentication
 # --------------------------------------------

Modified: trunk/mapbender/http/php/wms.php
===================================================================
--- trunk/mapbender/http/php/wms.php	2013-01-18 18:50:41 UTC (rev 8547)
+++ trunk/mapbender/http/php/wms.php	2013-01-20 17:29:40 UTC (rev 8548)
@@ -33,7 +33,7 @@
 $layerId = $_GET["LAYER_ID"];
 $updateSequence = intval($_GET["UPDATESEQUENCE"]);
 $inspire = $_GET["INSPIRE"];
-
+$sessionId = $_GET[strtoupper(session_name())];
 if (isset($inspire) && $inspire === 1 ) {
 	$inspire = true;
 }
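Review bot: `$sessionId` is read from `$_GET[strtoupper(session_name())]` with no existence or format check, and it is then concatenated into the owsproxy and OnlineResource URLs in the later hunks of this file (-267, -280, -1238, -1302). A request without the parameter raises an undefined-index notice and produces URLs with an empty session segment; any other string is copied into the capabilities document as sent. Restrict it to the session-id alphabet before use, e.g. `$key = strtoupper(session_name());` followed by `$sessionId = (isset($_GET[$key]) && is_string($_GET[$key]) && preg_match('/^[A-Za-z0-9,-]+$/', $_GET[$key])) ? $_GET[$key] : session_id();` — whether falling back to `session_id()` is the intended behaviour is for the author to confirm. The key is looked up upper-cased while the -280 hunk writes the parameter back as `session_name()` unchanged, so the round trip appears to rely on parameter names being upper-cased somewhere outside this hunk.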
@@ -267,7 +267,7 @@
 	
 # switch URLs for OWSPROXY
 if($wms_row['wms_owsproxy'] <> "" AND $wms_row['wms_owsproxy'] <> NULL) {
-	$tmpOR = $urlPrefix.$_SERVER["HTTP_HOST"]."/owsproxy/".session_id()."/".$wms_row["wms_owsproxy"]."?";
+	$tmpOR = $urlPrefix.$_SERVER["HTTP_HOST"]."/owsproxy/".$sessionId."/".$wms_row["wms_owsproxy"]."?";
 	$tmpOR = str_replace(SERVERIP, SERVERNAME, $tmpOR);
 	$wms_row['wms_getcapabilities'] = $tmpOR;
 	$wms_row['wms_getmap'] = $tmpOR;
@@ -280,7 +280,7 @@
 	$onlineResource = $service->appendChild($onlineResource);
 	$onlineResource->setAttribute("xmlns:xlink", "http://www.w3.org/1999/xlink" );
 //	$onlineResource->setAttribute("xlink:href", $wms_row['wms_getcapabilities']);
-	$onlRes = $_SERVER["HTTP_HOST"] . $_SERVER["SCRIPT_NAME"] . "?layer_id=" . $layerId."&".session_name()."=".session_id();
+	$onlRes = $_SERVER["HTTP_HOST"] . $_SERVER["SCRIPT_NAME"] . "?layer_id=" . $layerId."&".session_name()."=".$sessionId;
 	if (isset($_SERVER["HTTPS"])) {
 		$onlRes = "https://" . $onlRes;
 	}
@@ -1238,7 +1238,7 @@
 		$onlineResource = $doc->createElement("OnlineResource");
 	   	$onlineResource = $dataUrl->appendChild($onlineResource);
 	   	$onlineResource->setAttribute("xmlns:xlink", "http://www.w3.org/1999/xlink" );
-		$onlineResource->setAttribute("xlink:href", OWSPROXY."/".session_id()."/".$wms_row["wms_owsproxy"]."?");
+		$onlineResource->setAttribute("xlink:href", OWSPROXY."/".$sessionId."/".$wms_row["wms_owsproxy"]."?");
 		$onlineResource->setAttribute("xlink:type", "simple");
 	}
 	else
@@ -1302,7 +1302,7 @@
 		$onlineResource = $doc->createElement("OnlineResource");
 	   	$onlineResource = $legendUrl->appendChild($onlineResource);
 	   	$onlineResource->setAttribute("xmlns:xlink", "http://www.w3.org/1999/xlink" );
-		$onlineResource->setAttribute("xlink:href", OWSPROXY."/".session_id()."/".$wms_row["wms_owsproxy"]."?version=1.1.1&service=WMS&request=GetLegendGraphic&layer=".$sub_layer_row['layer_name']."&format=image/png");
+		$onlineResource->setAttribute("xlink:href", OWSPROXY."/".$sessionId."/".$wms_row["wms_owsproxy"]."?version=1.1.1&service=WMS&request=GetLegendGraphic&layer=".$sub_layer_row['layer_name']."&format=image/png");
 		$onlineResource->setAttribute("xlink:type", "simple");
 	}
 	else
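Review bot: On the changed `xlink:href` line, `$sub_layer_row['layer_name']` is appended to the query string unencoded, so a layer name containing `&`, `#` or a space yields a broken or ambiguous GetLegendGraphic URL. Wrap it as `urlencode($sub_layer_row['layer_name'])`. The surrounding if/else starts and ends outside the hunk.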

Modified: trunk/mapbender/http/print/classes/mbMapDecorator.php
===================================================================
--- trunk/mapbender/http/print/classes/mbMapDecorator.php	2013-01-18 18:50:41 UTC (rev 8547)
+++ trunk/mapbender/http/print/classes/mbMapDecorator.php	2013-01-20 17:29:40 UTC (rev 8548)
@@ -68,6 +68,9 @@
 			}
 		}
 		$array_urls = $newArray_urls;
+		//TODO: Exchange owsproxy urls with real urls cause we don't want owsproxy to allow grabbing sessions!
+		//delete urls from list, for which user don't have permission!
+		//get auth information to call authenticated services
 		$e = new mb_notice("print/classes/mbMapDecorator.php: array_urls[0]: ".$array_urls[0]);
 		$width = $this->conf->width;
 		$height = $this->conf->height;

Modified: trunk/mapbender/owsproxy/http/index.php
===================================================================
--- trunk/mapbender/owsproxy/http/index.php	2013-01-18 18:50:41 UTC (rev 8547)
+++ trunk/mapbender/owsproxy/http/index.php	2013-01-20 17:29:40 UTC (rev 8548)
@@ -17,61 +17,82 @@
 # You should have received a copy of the GNU General Public License
 # along with this program; if not, write to the Free Software
 # Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
-
-require(dirname(__FILE__) . "/../../conf/mapbender.conf");
-//require_once(dirname(__FILE__)."/../../core/globalSettings.php");
+require_once(dirname(__FILE__)."/../../core/globalSettings.php");
 require_once(dirname(__FILE__) . "/../../http/classes/class_administration.php");
 require_once(dirname(__FILE__) . "/../../http/classes/class_connector.php");
-require_once(dirname(__FILE__) . "/../../http/classes/class_mb_exception.php");
 require_once(dirname(__FILE__) . "/./classes/class_QueryHandler.php");
-
 /***** conf *****/
 $imageformats = array("image/png","image/gif","image/jpeg", "image/jpg");
 $width = 400;
 $height = 400;
 /***** conf *****/
-
-$con = db_connect(DBSERVER,OWNER,PW);
-db_select_db(DB,$con);
-
 $postdata = $HTTP_RAW_POST_DATA;
-
 $owsproxyService = $_REQUEST['wms']; //ToDo: change this to 'service' in the apache url-rewriting
 $query = new QueryHandler();
-
 // an array with keys and values toLowerCase -> caseinsensitiv
 $reqParams = $query->getRequestParams();
-
-$notice = new mb_notice("owsproxy id:".$query->getOwsproxyServiceId());
-
-// check session
+$e = new mb_notice("incoming request: ".OWSPROXY."/".$_REQUEST['sid']."/".$_REQUEST['wms'].$query->getRequest());
+//check session
 //session_regenerate_id(TRUE);
-session_regenerate_id(); //it will generate a session if it does not exists without any user in it!
-session_destroy();
+$e = new mb_notice("Initial session_id: ".session_id());
+//The session can be set by a given cookie value or was newly created by core/globalSettings.php
+//either empty (without mb_user_id value) - when the corresponding session file was lost or timed out
+//or filled, when there was an actual mapbender session before
+//check if mb_user_id is given and is an string with an integer:
+if(!$_SESSION['mb_user_id'] && !is_int($_SESSION['mb_user_id'])){
+	$e = new mb_notice("Newly initialized session - no logged in mapbender user!");
+}
+//Possibility to grap an existing session:
+if (defined("OWSPROXY_ALLOW_SESSION_GRABBING") && OWSPROXY_ALLOW_SESSION_GRABBING == true) {
+	$e = new mb_notice("Session grabbing allowed in configuration!");
+	//first check is to find out if a session with the current sid exists! If so use this one, if not use the current one which was generated from globalSettings.php
+	if (file_exists(ini_get('session.save_path')."/sess_".$_REQUEST["sid"]) && session_id() !== $_REQUEST["sid"]) {
+		//there is a current session for the requested url
+		$e = new mb_notice("A current session exists for this url and will be used!");
+		$oldsessionId = session_id();
+		$tmpSessionFile = ini_get('session.save_path')."/sess_".session_id();
+		//do the following only, if a user is in this session - maybe it is a session which was generated from an external application and therefor it is empty!
+		session_id($_REQUEST["sid"]);
+		$e = new mb_notice("Grabbed session with id: ".session_id());
+		//kill dynamical session
+		//@unlink($tmpSessionFile);
+		$e = new mb_notice("Following user was found and will be used for authorization: ".Mapbender::session()->get('mb_user_id'));
+		$foundUserId = Mapbender::session()->get('mb_user_id');
+		if (!isset($foundUserId) || $foundUserId =='') {
+			$e = new mb_notice("No user found in the existing session - switch to the old one!");
+			session_id($oldsessionId);
+		} else {
+			//delete session as it will not be needed any longer
+			$e = new mb_notice("Following no longer needed session will be deleted: ".$tmpSessionFile);
+			@unlink($tmpSessionFile);
+		}
+	}
+}
 //check if current session has the same id as the session which is requested in the owsproxy url
 //exchange them, if they differ and redirect to an new one with the current session
 if (session_id() !== $_REQUEST["sid"]) {
 	//get all request params which are original
 	//build reuquest
 	$redirectUrl = OWSPROXY."/".session_id()."/".$_REQUEST['wms'].$query->getRequest();
-	$e = new mb_notice("redirect to new owsproxy url: ".$redirectUrl);
+	$e = new mb_notice("IDs differ - redirect to new owsproxy url: ".$redirectUrl);
 	header("Location: ".$redirectUrl);
 	die();
 } else {
-	$e = new mb_notice("Current SID identical to requested SID!");
+	$e = new mb_notice("Current session_id() identical to requested SID!");
 }
 //this is the request which may have been redirected
-//session_id($_REQUEST["sid"]);
-//session_start();//?
 //check for given user session with user_id which can be tested again the authorization
 if(!$_SESSION['mb_user_id']){
-	$e = new mb_exception("user id not found in session");
+	$e = new mb_notice("user_id not found in session");
 	//if configured in mapbender.conf, create guest session so that also proxied service can be watched in external applications when they are available to the anonymous user
 	//only possible for webapplications - in case of desktop applications the user have to use his credentials and http_auth module
 	if (defined("OWSPROXY_ALLOW_PUBLIC_USER") && OWSPROXY_ALLOW_PUBLIC_USER && defined("PUBLIC_USER") && PUBLIC_USER != "") {
 		//setSession();
   		Mapbender::session()->set("mb_user_id",PUBLIC_USER);
 		Mapbender::session()->set("external_proxy_user",true);
+		Mapbender::session()->set("mb_user_ip",$_SERVER['REMOTE_ADDR']);
+		//Define name of temporal session file. This file can be deleted after the request was successful. It will be generated every time again.
+		$tmpSessionFile = ini_get('session.save_path')."/sess_".session_id();
 		$e = new mb_notice("Permission allowed for public user with id: ".PUBLIC_USER);
 	} else {
 		$e = new mb_notice("Permission denied - public user not allowed to access ressource!");
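Review bot: In the session-grabbing branch, `$_REQUEST["sid"]` goes straight into `file_exists(ini_get('session.save_path')."/sess_".$_REQUEST["sid"])` and `session_id($_REQUEST["sid"])` without a format check, so the value may contain path separators and the existence test runs on a path the client chose. Reject anything outside the session-id alphabet before the branch, e.g. `if (!is_string($_REQUEST['sid']) || !preg_match('/^[A-Za-z0-9,-]+$/', $_REQUEST['sid'])) { throwE(array("Permission denied")); die(); }`. The lookup also assumes the file session handler and a plain directory in `session.save_path`; with another handler or an `N;/path` value it would silently never match. The new `mb_notice` calls write complete session ids to the log (the incoming URL, "Grabbed session with id: "), which is worth truncating or hashing since the id is the credential here. The `if(!$_SESSION['mb_user_id'])` block continues past the end of this hunk.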
@@ -79,32 +100,31 @@
 		$tmpSessionFile = ini_get('session.save_path')."/sess_".session_id();
 		$e = new mb_notice("delete temporary session file: ".$tmpSessionFile);
 		@unlink($tmpSessionFile);
-		throwE("Permission denied - no current session found and public user not allowed to acces ressource!");
+		throwE(array("Permission denied"," - no current session found and ","public user not allowed to access ressource!"));
 		die();
 	}
 } else {
 	$e= new mb_notice("mb_user_id found in session: ".$_SESSION['mb_user_id']);
 }
-//start the session to be able to write urls to it
-session_start();
+//start the session to be able to write urls to it - for 
+session_start();//maybe it was started by globalSettings.php
 $n = new administration;
-//if($_SESSION['mb_user_ip'] != $_SERVER['REMOTE_ADDR']){
-//	throwE(array("No session data available.","Permission denied.","Please authenticate."));
-//	die();	
-//}
-
+//Extra security - IP check 
+if (defined("OWSPROXY_BIND_IP") && OWSPROXY_BIND_IP == true) {
+	if($_SESSION['mb_user_ip'] != $_SERVER['REMOTE_ADDR']){
+		throwE(array("Session not identified.","Permission denied.","Please authenticate."));
+		die();	
+	}
+}
+$e = new mb_notice("user id for authorization test: ".$_SESSION['mb_user_id']);
 $wmsId = $n->getWmsIdFromOwsproxyString($query->getOwsproxyServiceId());
-#$notice = new mb_notice("wmsid:".$wmsId);
 //get authentication infos if they are available in wms table! if not $auth = false
 $auth = $n->getAuthInfoOfWMS($wmsId);
-#$mb_exception = new mb_exception("auth: ".$auth['username']);
 if ($auth['auth_type']==''){
 	unset($auth);
 }
-
 /*************  workflow ************/
 $n = new administration();
-
 switch (strtolower($reqParams['request'])) {
 	case 'getcapabilities':
 		$arrayOnlineresources = checkWmsPermission($query->getOwsproxyServiceId());
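Review bot: The `OWSPROXY_BIND_IP` check compares `$_SESSION['mb_user_ip']` with `$_SERVER['REMOTE_ADDR']`, but the only place in this diff that writes `mb_user_ip` is the public-user branch, which sets it from the same request, so for those sessions the check passes by construction. For logged-in sessions it depends on the login code storing the address, which is not visible here; if it does not, enabling the flag denies every request. Document that dependency next to the check and make the comparison explicit and strict: `if (!isset($_SESSION['mb_user_ip']) || $_SESSION['mb_user_ip'] !== $_SERVER['REMOTE_ADDR']) {`. Behind a reverse proxy `REMOTE_ADDR` is the proxy's address, so the binding would not distinguish clients in that setup. The `switch` body continues outside the hunk.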
@@ -148,7 +168,6 @@
 			$n->logWmsProxyRequest($arrayOnlineresources['wms_id'],$_SESSION['mb_user_id'],$request,$price);
 		}
 		if(isset($auth)){
-#$mb_exception = new mb_exception("auth: ".$auth['auth_type']);
 			getImage($request,$auth);
 		}
 		else {
@@ -203,6 +222,10 @@
 	default:
 		
 }
+if (isset($tmpSessionFile) && file_exists($tmpSessionFile)) {
+	$e = new mb_exception("Following no longer needed session will be deleted: ".$tmpSessionFile);
+	@unlink($tmpSessionFile);
+}
 /*********************************************************/
 function throwE($e){
 	global $reqParams, $imageformats;
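Review bot: The cleanup message is logged with `mb_exception`, while the same message in the grabbing branch uses `mb_notice`; a routine deletion should not land in the error log: `$e = new mb_notice("Following no longer needed session will be deleted: ".$tmpSessionFile);`. The block sits after the `switch`, so any path that ends in `die()` earlier (for example after `throwE`) skips it and the temporary session file stays on disk. If the session is still open at this point PHP may write the file again at shutdown; `session_destroy()` would drop data and file together, which is worth checking against how `Mapbender::session()` manages the session.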


