From 5f3743508d44a679ba71ec9aea88e04f3af61b19 Mon Sep 17 00:00:00 2001
From: Lebbeous Fogle-Weekley
Date: Tue, 12 Jun 2012 17:26:39 -0400
Subject: [PATCH] Security fix: For auth, give same stacktrace for all cases of LOGIN_FAILED
Signed-off-by: Lebbeous Fogle-Weekley
Signed-off-by: Bill Erickson
---
 Open-ILS/src/c-apps/oils_auth.c | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/Open-ILS/src/c-apps/oils_auth.c b/Open-ILS/src/c-apps/oils_auth.c
index f19015ca8f..2c7086ad53 100644
--- a/Open-ILS/src/c-apps/oils_auth.c
+++ b/Open-ILS/src/c-apps/oils_auth.c
@@ -589,6 +589,12 @@ int oilsAuthComplete( osrfMethodContext* ctx ) {
 const char* ws = (workstation) ? workstation : "";
+ /* Use __FILE__, harmless_line_number for creating
+ * OILS_EVENT_AUTH_FAILED events (instead of OSRF_LOG_MARK) to avoid
+ * giving away information about why an authentication attempt failed.
+ */
+ int harmless_line_number = __LINE__;
+
 if( !type ) type = OILS_AUTH_STAFF;
@@ -656,7 +662,7 @@ int oilsAuthComplete( osrfMethodContext* ctx ) {
 }
 if(!userObj || barred || deleted) {
- response = oilsNewEvent( OSRF_LOG_MARK, OILS_EVENT_AUTH_FAILED );
+ response = oilsNewEvent( __FILE__, harmless_line_number, OILS_EVENT_AUTH_FAILED );
 osrfLogInfo(OSRF_LOG_MARK, "failed login: username=%s, barcode=%s, workstation=%s", uname, (barcode ? barcode : "(none)"), ws );
 osrfAppRespondComplete( ctx, oilsEventToJSON(response) );
@@ -683,7 +689,7 @@ int oilsAuthComplete( osrfMethodContext* ctx ) {
 if( passOK ) response = oilsNewEvent( OSRF_LOG_MARK, "PATRON_INACTIVE" );
 else
- response = oilsNewEvent( OSRF_LOG_MARK, OILS_EVENT_AUTH_FAILED );
+ response = oilsNewEvent( __FILE__, harmless_line_number, OILS_EVENT_AUTH_FAILED );
 osrfAppRespondComplete( ctx, oilsEventToJSON(response) );
 oilsEventFree(response);
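Review bot: `harmless_line_number` is never meant to change after it is set, so declaring it `const int harmless_line_number = __LINE__;` lets the compiler enforce the invariant the comment describes instead of relying on convention. The value is only "harmless" while every OILS_EVENT_AUTH_FAILED site in this function uses it, which the comment could state outright, e.g. `/* Every AUTH_FAILED event in this function must use this marker, never OSRF_LOG_MARK. */`. Keeping OSRF_LOG_MARK in the server-side osrfLogInfo calls of the later hunks looks right: the real location stays in the operator log while the client-visible event no longer varies. oilsAuthComplete continues outside the hunk.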
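Review bot: The call `oilsNewEvent( __FILE__, harmless_line_number, OILS_EVENT_AUTH_FAILED )` is spelled out by hand here and again in the @@ -683 and @@ -753 hunks, so a failure branch added later with OSRF_LOG_MARK would quietly reintroduce the disclosure this commit removes. A small file-scope wrapper defined next to the marker, or a macro such as `#define AUTH_FAILED_EVENT() oilsNewEvent( __FILE__, harmless_line_number, OILS_EVENT_AUTH_FAILED )`, gives the invariant one home and makes any stray OSRF_LOG_MARK stand out in review. The fix also presumes that the file and line handed to oilsNewEvent are what ends up in the serialised event returned to the client; that is not visible in this diff and is worth confirming against oilsNewEvent and oilsEventToJSON. The function continues outside the hunk.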
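Review bot: The `if( passOK )` branch still produces a distinct `"PATRON_INACTIVE"` event built with OSRF_LOG_MARK, so on this path the response still depends on whether the supplied password was correct for an inactive account, and the commit's goal of one uniform failure response is not fully met here. If the separate event is a deliberate product decision, so that an inactive patron can be told why, a comment next to the branch would stop the next reader from treating it as an oversight, e.g. `/* Intentionally distinct from AUTH_FAILED: inactive patrons are told why. */`; otherwise it should be folded into the AUTH_FAILED path. The enclosing block and oilsAuthComplete continue outside the hunk.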
@@ -753,7 +759,7 @@ int oilsAuthComplete( osrfMethodContext* ctx ) {
 );
 } else {
- response = oilsNewEvent( OSRF_LOG_MARK, OILS_EVENT_AUTH_FAILED );
+ response = oilsNewEvent( __FILE__, harmless_line_number, OILS_EVENT_AUTH_FAILED );
 osrfLogInfo(OSRF_LOG_MARK, "failed login: username=%s, barcode=%s, workstation=%s", uname, (barcode ? barcode : "(none)"), ws );
 }
-- 
2.11.0