From: Steven Barth Date: Mon, 11 Aug 2008 10:43:31 +0000 (+0000) Subject: libs/web: Add additional sanity checks to session mechanism X-Git-Tag: 0.8.0~472 X-Git-Url: https://git.archive.openwrt.org/?p=project%2Fluci.git;a=commitdiff_plain;h=f83bb9996b7bd36e8f032e389ad4eb4a3bfe590d libs/web: Add additional sanity checks to session mechanism
---
diff --git a/libs/web/luasrc/sauth.lua b/libs/web/luasrc/sauth.lua
index d25f287c5..8182679ce 100644
--- a/libs/web/luasrc/sauth.lua
+++ b/libs/web/luasrc/sauth.lua
@@ -45,14 +45,16 @@ end
 --- Prepare session storage by creating the session directory.
 function prepare()
 luci.fs.mkdir(sessionpath)
- luci.fs.chmod(sessionpath, "a-rwx,u+rwx")
+ if not luci.fs.chmod(sessionpath, "a-rwx,u+rwx") then
+ error("Security Exception: Session path is not sane!")
+ end
 end
 --- Read a session and return its content.
 -- @param id Session identifier
 -- @return Session data
 function read(id)
- if not id then
+ if not id or not sane() then
 return
 end
 clean()
@@ -60,11 +62,18 @@ function read(id)
 end
+--- Check whether Session environment is sane.
+-- @return Boolean status
+function sane()
+ return luci.fs.stat(sessionpath, "mode") == "rwx------"
+end
+
+
 --- Write session data to a session file.
 -- @param id Session identifier
 -- @param data Session data
 function write(id, data)
- if not luci.fs.stat(sessionpath) then
+ if not sane() then
 prepare()
 end
 luci.fs.writefile(sessionpath .. "/" .. id, data)
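Review bot: A successful chmod in prepare() does not show that the session directory belongs to this process, or that it is a directory at all: the result of `luci.fs.mkdir(sessionpath)` is ignored, so a path that already existed (created by another local user, or a symlink) is accepted whenever the chmod call goes through, which it presumably will for a privileged process. The same gap is in sane() in the next hunk, which compares only the permission string. I would check owner and type together with the mode, for example `local st = luci.fs.stat(sessionpath)` followed by `return st and st.type == "directory" and st.uid == expected_uid and st.mode == "rwx------"`, where `expected_uid` is a placeholder for however the process uid is obtained and the field names need confirming against luci.fs.stat. prepare() should then call that check after the chmod instead of trusting the chmod result alone. read() continues past the end of this hunk.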
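Review bot: write() builds the file path as `sessionpath .. "/" .. id` with no check on what `id` contains, so an id holding `/` or `..` would address a file outside the session directory, and the directory checks added here do not cover that. If ids can originate from a request cookie (not visible in this hunk), constrain them before any file access, e.g. `if not id or not id:match("^%w+$") then error("Security Exception: Session ID is not sane!") end` at the top of write() and likewise in read() in the previous hunk, with the pattern adjusted to whatever the id generator produces. Separately, write() does not call sane() again after prepare(), so a directory that prepare() managed to chmod but that still fails the check is written to anyway. write()'s body ends outside the hunk.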