Fix insecure persistent login token

Signed-off-by: 4n4nk3 <47717886+4n4nk3@users.noreply.github.com>
pi-hole · Jan 22, 2023 · d31cf9d · d31cf9d · pralor-bot · Jan 25, 2023
1 parent 8a139d6
commit d31cf9d
Show file tree

Hide file tree

Showing 3 changed files with 98 additions and 7 deletions.
diff --git a/logout.php b/logout.php
@@ -1,9 +1,15 @@
 <?php
 
+require_once 'scripts/pi-hole/php/persistentlogin_token.php';
+
 // If the user wants to log out, we free all session variables currently registered
 // and delete any persistent cookie.
 session_start();
 session_unset();
-setcookie('persistentlogin', '', 1);
+
+if (isset($_COOKIE['persistentlogin'])) {
+    logoutPersistentLoginToken($_COOKIE['persistentlogin']);
+}
+
 header('Location: login.php');
 exit;
diff --git a/scripts/pi-hole/php/password.php b/scripts/pi-hole/php/password.php
@@ -8,6 +8,7 @@
 */
 
 require_once 'func.php';
+require_once 'persistentlogin_token.php';
 
 // Start a new PHP session (or continue an existing one)
 start_php_session();
@@ -29,11 +30,8 @@ function verifyPassword($pwhash, $use_api = false)
     if (strlen($pwhash) > 0) {
         // Check for and authorize from persistent cookie
         if (isset($_COOKIE['persistentlogin'])) {
-            if (hash_equals($pwhash, $_COOKIE['persistentlogin'])) {
+            if (checkValidityPersistentLoginToken($_COOKIE['persistentlogin'])) {
                 $_SESSION['auth'] = true;
-                // Refresh cookie with new expiry
-                // setcookie( $name, $value, $expire, $path, $domain, $secure, $httponly )
-                setcookie('persistentlogin', $pwhash, time() + 60 * 60 * 24 * 7, null, null, null, true);
             } else {
                 // Invalid cookie
                 $_SESSION['auth'] = false;
@@ -61,8 +59,12 @@ function verifyPassword($pwhash, $use_api = false)
 
                 // Set persistent cookie if selected
                 if (isset($_POST['persistentlogin'])) {
-                    // setcookie( $name, $value, $expire, $path, $domain, $secure, $httponly )
-                    setcookie('persistentlogin', $pwhash, time() + 60 * 60 * 24 * 7, null, null, null, true);
+                    // Generate cookie with new expiry
+                    $token = genPersistentLoginToken();
+                    $time = time() + 60 * 60 * 24 * 7; // 7 days
+                    writePersistentLoginToken($token, $time);
+                    // setcookie($name, $value, $expire, $path, $domain, $secure, $httponly)
+                    setcookie('persistentlogin', $token, $time, null, null, null, true);
                 }
 
                 $_SESSION['auth'] = true;

diff --git a/scripts/pi-hole/php/persistentlogin_token.php b/scripts/pi-hole/php/persistentlogin_token.php
@@ -0,0 +1,83 @@
+<?php
+/* Pi-hole: A black hole for Internet advertisements
+*  (c) 2017 Pi-hole, LLC (https://pi-hole.net)
+*  Network-wide ad blocking via your own hardware.
+*
+*  This file is copyright under the latest version of the EUPL.
+*  Please see LICENSE file for your rights under this license.
+*/
+
+
+function genPersistentLoginToken()
+{
+    return bin2hex(openssl_random_pseudo_bytes(16));
+}
+
+function checkSafetyPersistentLoginToken($token)
+{
+    // return true only if the token is and alphanumeric string of 32 chars, else return false
+    if (ctype_alnum($token) and strlen($token) == 32) {
+        return true;
+    }
+    error_log("Security alert: presented \"persistentlogin\" token did not pass safety check!", 0);
+    return false;
+}
+
+function getPathPersistentLoginToken($token)
+{
+    // safely return the path of the persistentlogin token file, if token is not safe return false
+    $session_path = session_save_path();
+
+    if ($session_path and checkSafetyPersistentLoginToken($token)) {
+        $token_file = $session_path . '/ph_plt_' . $token . '.txt';
+        return $token_file;
+    }
+    return false;
+}
+
+function checkValidityPersistentLoginToken($token)
+{
+    // return true if persistentlogin token is safe, valid and not expired
+    $token_file = getPathPersistentLoginToken($token);
+
+    if ($token_file and file_exists($token_file) and is_readable($token_file)) {
+        $t_file = fopen($token_file, "r");
+        if ($t_file) {
+            $time = fread($t_file, filesize($token_file));
+            fclose($t_file);
+            // make sure that token is not expired
+            if ($time && intval($time) >= time()) {
+                return true;
+            }
+        }
+    }
+    return false;
+}
+
+function writePersistentLoginToken($token, $time)
+{
+    $token_file = getPathPersistentLoginToken($token);
+
+    if ($token_file and !file_exists($token_file)) {
+        $t_file = fopen($token_file, "w");
+        if ($t_file) {
+            // make sure persistent login token file is not readable by other users
+            chmod($token_file, 0600);
+
+            fwrite($t_file, $time);
+            fclose($t_file);
+            return true;
+        }
+    }
+    return false;
+}
+
+function logoutPersistentLoginToken($token)
+{
+    setcookie('persistentlogin', '', 1);
+
+    $token_file = getPathPersistentLoginToken($token);
+    if ($token_file and file_exists($token_file) and is_writable($token_file)) {
+        unlink($token_file);
+    }
+}