Bug 5995 : MT2892: Fix security issue in CAS intranet login

Users could log in intranet using their cardnumber, with superlibrarian
rights.

Signed-off-by: Ian Walls <ian.walls@bywatersolutions.com>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>

diff --git a/C4/Auth.pm b/C4/Auth.pm
index a31161e..b416449 100644 (file)
--- a/C4/Auth.pm
+++ b/C4/Auth.pm
@@ -736,7 +736,9 @@ sub checkauth {
                    $userid = $retuserid;
                    $info{'invalidCasLogin'} = 1 unless ($return);
                } else {
-                   ( $return, $cardnumber ) = checkpw( $dbh, $userid, $password, $query );
+                   my $retuserid;
+                   ( $return, $retuserid ) = checkpw( $dbh, $userid, $password, $query );
+                   $userid = $retuserid if ($retuserid ne '');
                }
                if ($return) {
                _session_log(sprintf "%20s from %16s logged in  at %30s.\n", $userid,$ENV{'REMOTE_ADDR'},(strftime '%c', localtime));
@@ -762,20 +764,21 @@ sub checkauth {
                        ";
                        my $sth = $dbh->prepare("$select where userid=?");
                        $sth->execute($userid);
-                                       unless ($sth->rows) {
-                               $debug and print STDERR "AUTH_1: no rows for userid='$userid'\n";
-                                               $sth = $dbh->prepare("$select where cardnumber=?");
-                               $sth->execute($cardnumber);
-                                               unless ($sth->rows) {
-                                       $debug and print STDERR "AUTH_2a: no rows for cardnumber='$cardnumber'\n";
-                               $sth->execute($userid);
-                                                       unless ($sth->rows) {
-                                               $debug and print STDERR "AUTH_2b: no rows for userid='$userid' AS cardnumber\n";
-                                                       }
-                                               }
-                                       }
+                       unless ($sth->rows) {
+                           $debug and print STDERR "AUTH_1: no rows for userid='$userid'\n";
+                           $sth = $dbh->prepare("$select where cardnumber=?");
+                           $sth->execute($cardnumber);
+
+                           unless ($sth->rows) {
+                               $debug and print STDERR "AUTH_2a: no rows for cardnumber='$cardnumber'\n";
+                               $sth->execute($userid);
+                               unless ($sth->rows) {
+                                   $debug and print STDERR "AUTH_2b: no rows for userid='$userid' AS cardnumber\n";
+                               }
+                           }
+                       }
                        if ($sth->rows) {
-                       ($borrowernumber, $firstname, $surname, $userflags,
+                           ($borrowernumber, $firstname, $surname, $userflags,
                                $branchcode, $branchname, $branchprinter, $emailaddress) = $sth->fetchrow;
                                                $debug and print STDERR "AUTH_3 results: " .
                                                        "$cardnumber,$borrowernumber,$userid,$firstname,$surname,$userflags,$branchcode,$emailaddress\n";
@@ -1413,7 +1416,7 @@ sub checkpw {
 
             C4::Context->set_userenv( "$borrowernumber", $userid, $cardnumber,
                 $firstname, $surname, $branchcode, $flags );
-            return 1, $cardnumber;
+            return 1, $userid;
         }
     }
     $sth =
@@ -1577,7 +1580,7 @@ sub haspermission {
     my ($userid, $flagsrequired) = @_;
     my $sth = C4::Context->dbh->prepare("SELECT flags FROM borrowers WHERE userid=?");
     $sth->execute($userid);
-    my $flags = getuserflags( $sth->fetchrow(), $userid );
+    my $flags = getuserflags($sth->fetchrow(), $userid);
     if ( $userid eq C4::Context->config('user') ) {
         # Super User Account from /etc/koha.conf
         $flags->{'superlibrarian'} = 1;
@@ -1586,7 +1589,9 @@ sub haspermission {
         # Demo user that can do "anything" (demo=1 in /etc/koha.conf)
         $flags->{'superlibrarian'} = 1;
     }
+
     return $flags if $flags->{superlibrarian};
+
     foreach my $module ( keys %$flagsrequired ) {
         my $subperm = $flagsrequired->{$module};
         if ($subperm eq '*') {