[Mapbender-commits] r8549 - in trunk/mapbender: conf owsproxy/http
svn_mapbender at osgeo.org
svn_mapbender at osgeo.org
Sun Jan 20 11:49:28 PST 2013
Author: armin11
Date: 2013-01-20 11:49:28 -0800 (Sun, 20 Jan 2013)
New Revision: 8549
Modified:
trunk/mapbender/conf/mapbender.conf-dist
trunk/mapbender/owsproxy/http/index.php
Log:
Some more security for session grabbing through the owsproxy (optional IP whitelist).
Modified: trunk/mapbender/conf/mapbender.conf-dist
===================================================================
--- trunk/mapbender/conf/mapbender.conf-dist 2013-01-20 17:29:40 UTC (rev 8548)
+++ trunk/mapbender/conf/mapbender.conf-dist 2013-01-20 19:49:28 UTC (rev 8549)
@@ -64,8 +64,9 @@
define("OWSPROXY_ALLOW_PUBLIC_USER", false);
# Bind the owsproxy to the ip address of the session for which it was invoked. Makes the proxy more secure. The dynamiccaly build url can only be used on one computer - beware of NAT rules ;-). The IP has to be written into the session.
define("OWSPROXY_BIND_IP", false);
-# Allow the use of an existing session for other calling applications. The url will be used to identify an existing session and the application will use this identity! Beware of security problems if the url is given to an other user. This one may alter the original identity! For security reasons set this value to false.
+# Allow the use of an existing session for other calling applications. The url will be used to identify an existing session and the application will use this identity! Beware of security problems if the url is given to an other user. This one may alter the original identity! For security reasons set this value to false or at minimum give a whitelist to allow printing - see OWSPROXY_SESSION_GRABBING_WHITELIST.
define("OWSPROXY_ALLOW_SESSION_GRABBING", false);
+#define("OWSPROXY_SESSION_GRABBING_WHITELIST", "localhost,127.0.0.1");
# --------------------------------------------
# Definitions for HTTP Authentication
# --------------------------------------------
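Review bot: The new `OWSPROXY_SESSION_GRABBING_WHITELIST` define is shipped commented out, and the companion change in owsproxy/http/index.php treats an undefined whitelist as "grabbing allowed for every remote address", so an installation that turns on OWSPROXY_ALLOW_SESSION_GRABBING and overlooks this line gets no IP restriction at all. The comment above it should state that consequence, e.g. `# If OWSPROXY_SESSION_GRABBING_WHITELIST is not defined, session grabbing is NOT restricted by IP. Uncomment and edit the list below before enabling grabbing.` Consider shipping the define active with a localhost-only value so that the restrictive behaviour is what an unedited install gets. The example entry `localhost` is also misleading: the check compares against `$_SERVER["REMOTE_ADDR"]`, which is an IP address, so a hostname entry never matches and only `127.0.0.1` (or `::1`) does anything.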
Modified: trunk/mapbender/owsproxy/http/index.php
===================================================================
--- trunk/mapbender/owsproxy/http/index.php 2013-01-20 17:29:40 UTC (rev 8548)
+++ trunk/mapbender/owsproxy/http/index.php 2013-01-20 19:49:28 UTC (rev 8549)
@@ -32,6 +32,21 @@
// an array with keys and values toLowerCase -> caseinsensitiv
$reqParams = $query->getRequestParams();
$e = new mb_notice("incoming request: ".OWSPROXY."/".$_REQUEST['sid']."/".$_REQUEST['wms'].$query->getRequest());
+$e = new mb_notice("owsproxy requested from: ".$_SERVER["REMOTE_ADDR"]);
+//check if proxy request came from grabbing whitelist - for grabbing
+if (!defined("OWSPROXY_SESSION_GRABBING_WHITELIST")){
+ $grabbingAllowed = true;
+}
+if (defined("OWSPROXY_SESSION_GRABBING_WHITELIST")) {
+ $whiteListArray = explode(",", OWSPROXY_SESSION_GRABBING_WHITELIST);
+ if (in_array($_SERVER["REMOTE_ADDR"], $whiteListArray)) {
+ $grabbingAllowed = true;
+ $e = new mb_notice("Grabbing allowed for IP: ".$_SERVER["REMOTE_ADDR"]);
+ } else {
+ $grabbingAllowed = false;
+ $e = new mb_notice("Grabbing not allowed for IP: ".$_SERVER["REMOTE_ADDR"]."!");
+ }
+}
//check session
//session_regenerate_id(TRUE);
$e = new mb_notice("Initial session_id: ".session_id());
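Review bot: The whitelist check fails open: when `OWSPROXY_SESSION_GRABBING_WHITELIST` is not defined, `$grabbingAllowed` is set to `true`, so the new restriction only exists on installations that explicitly add the constant, and the shipped conf-dist has it commented out. Safer is to initialise `$grabbingAllowed = false;` unconditionally and drop the `!defined(...)` branch, so a missing or misspelled constant denies grabbing instead of granting it. Within the `defined` branch, trim the exploded entries and compare strictly, `in_array($_SERVER["REMOTE_ADDR"], array_map('trim', explode(',', OWSPROXY_SESSION_GRABBING_WHITELIST)), true)`, otherwise a list written as `"127.0.0.1, ::1"` never matches its second entry. Note also that `REMOTE_ADDR` is the address of the TCP peer; if this PHP runs behind a local reverse proxy (not visible from here, so worth confirming) a `127.0.0.1` entry would whitelist every client, and the comment on the whitelist should warn about that.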
@@ -44,27 +59,28 @@
}
//Possibility to grap an existing session:
if (defined("OWSPROXY_ALLOW_SESSION_GRABBING") && OWSPROXY_ALLOW_SESSION_GRABBING == true) {
- $e = new mb_notice("Session grabbing allowed in configuration!");
- //first check is to find out if a session with the current sid exists! If so use this one, if not use the current one which was generated from globalSettings.php
- if (file_exists(ini_get('session.save_path')."/sess_".$_REQUEST["sid"]) && session_id() !== $_REQUEST["sid"]) {
- //there is a current session for the requested url
- $e = new mb_notice("A current session exists for this url and will be used!");
- $oldsessionId = session_id();
- $tmpSessionFile = ini_get('session.save_path')."/sess_".session_id();
- //do the following only, if a user is in this session - maybe it is a session which was generated from an external application and therefor it is empty!
- session_id($_REQUEST["sid"]);
- $e = new mb_notice("Grabbed session with id: ".session_id());
- //kill dynamical session
- //@unlink($tmpSessionFile);
- $e = new mb_notice("Following user was found and will be used for authorization: ".Mapbender::session()->get('mb_user_id'));
- $foundUserId = Mapbender::session()->get('mb_user_id');
- if (!isset($foundUserId) || $foundUserId =='') {
- $e = new mb_notice("No user found in the existing session - switch to the old one!");
- session_id($oldsessionId);
- } else {
- //delete session as it will not be needed any longer
- $e = new mb_notice("Following no longer needed session will be deleted: ".$tmpSessionFile);
- @unlink($tmpSessionFile);
+ if ($grabbingAllowed) {
+ //first check is to find out if a session with the current sid exists! If so use this one, if not use the current one which was generated from globalSettings.php
+ if (file_exists(ini_get('session.save_path')."/sess_".$_REQUEST["sid"]) && session_id() !== $_REQUEST["sid"]) {
+ //there is a current session for the requested url
+ $e = new mb_notice("A current session exists for this url and will be used!");
+ $oldsessionId = session_id();
+ $tmpSessionFile = ini_get('session.save_path')."/sess_".session_id();
+ //do the following only, if a user is in this session - maybe it is a session which was generated from an external application and therefor it is empty!
+ session_id($_REQUEST["sid"]);
+ $e = new mb_notice("Grabbed session with id: ".session_id());
+ //kill dynamical session
+ //@unlink($tmpSessionFile);
+ $e = new mb_notice("Following user was found and will be used for authorization: ".Mapbender::session()->get('mb_user_id'));
+ $foundUserId = Mapbender::session()->get('mb_user_id');
+ if (!isset($foundUserId) || $foundUserId =='') {
+ $e = new mb_notice("No user found in the existing session - switch to the old one!");
+ session_id($oldsessionId);
+ } else {
+ //delete session as it will not be needed any longer
+ $e = new mb_notice("Following no longer needed session will be deleted: ".$tmpSessionFile);
+ @unlink($tmpSessionFile);
+ }
}
}
}
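Review bot: `$_REQUEST["sid"]` is still used unvalidated both as a filesystem path component in `file_exists(ini_get('session.save_path')."/sess_".$_REQUEST["sid"])` and as the value handed to `session_id()`; the new `$grabbingAllowed` gate decides whether this branch runs, not what a whitelisted caller may pass. Before the `file_exists` check, reject anything that is not a well-formed PHP session id, e.g. `if (!preg_match('/^[a-zA-Z0-9,-]{1,128}$/', $_REQUEST["sid"])) { $e = new mb_notice("Invalid sid - grabbing skipped"); } else { ... existing grabbing code ... }`, so `../` sequences cannot probe paths under the session directory and arbitrary strings cannot become the session id. It is not visible in this hunk whether the session has already been started when `session_id($_REQUEST["sid"])` is called; if it has, PHP does not reload data for the new id, so I would confirm that the subsequent `Mapbender::session()->get('mb_user_id')` really reads the grabbed session rather than the original one. The `session_id($oldsessionId)` fallback should likewise be checked to confirm it restores the original session's data and not only its id.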