


From: Duncan Tyler <duncan at catalyst.net.nz>
Date: Wed, 21 Dec 2011 14:59:21 +1300
Subject: [PATCH] Bug 6627 [Signed Off] - Update to improve security in
 specified log files - bug 6627
Content-Type: text/plain; charset="utf-8"

Signed-off-by: Liz Rea <wizzyrea at gmail.com>
Verified the sessionlog file is not written to /tmp when the patch is applied. Also verified the original bug: logging in did in fact log to /tmp.
---
 C4/Auth.pm               |    8 ++++----
 C4/Print.pm              |   10 +++++++++-
 installer/InstallAuth.pm |    3 ++-
 3 files changed, 15 insertions(+), 6 deletions(-)

diff --git a/C4/Auth.pm b/C4/Auth.pm
index e360e10..bbe472b 100755
--- a/C4/Auth.pm
+++ b/C4/Auth.pm
@@ -703,7 +703,7 @@ sub checkauth {
             $session->flush;
             $session->delete();
             C4::Context->_unset_userenv($sessionID);
-            _session_log(sprintf "%20s from %16s logged out at %30s (manually).\n", $userid,$ip,(strftime "%c",localtime));
+            #_session_log(sprintf "%20s from %16s logged out at %30s (manually).\n", $userid,$ip,(strftime "%c",localtime));
             $sessionID = undef;
             $userid    = undef;
 
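Review bot: Commenting out the `_session_log` call here, and the three identical ones in the following hunks of this file (the logout-on-inactivity, logout-on-ip-change and login paths), leaves dead code in checkauth and silently drops the login/logout audit trail instead of fixing where it is written. If the helper wrote to a fixed path under /tmp, as the commit message suggests, the cleaner change is to delete these four lines together with the now-unused `_session_log` helper, or to route the message through `warn` so it lands in the web server's error log rather than a world-writable directory. A reader of a commented-out line cannot tell it was removed on purpose; if it must stay, prefix it with `# Disabled (bug 6627): session log wrote to a fixed path under /tmp` so the reason survives. checkauth begins before and continues after every one of these hunks.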
@@ -716,7 +716,7 @@ sub checkauth {
             $info{'timed_out'} = 1;
             $session->delete();
             C4::Context->_unset_userenv($sessionID);
-            _session_log(sprintf "%20s from %16s logged out at %30s (inactivity).\n", $userid,$ip,(strftime "%c",localtime));
+            #_session_log(sprintf "%20s from %16s logged out at %30s (inactivity).\n", $userid,$ip,(strftime "%c",localtime));
             $userid    = undef;
             $sessionID = undef;
         }
@@ -727,7 +727,7 @@ sub checkauth {
             $info{'different_ip'} = 1;
             $session->delete();
             C4::Context->_unset_userenv($sessionID);
-            _session_log(sprintf "%20s from %16s logged out at %30s (ip changed to %16s).\n", $userid,$ip,(strftime "%c",localtime), $info{'newip'});
+            #_session_log(sprintf "%20s from %16s logged out at %30s (ip changed to %16s).\n", $userid,$ip,(strftime "%c",localtime), $info{'newip'});
             $sessionID = undef;
             $userid    = undef;
         }
@@ -765,7 +765,7 @@ sub checkauth {
 		    $userid = $retuserid if ($retuserid ne '');
 		}
 		if ($return) {
-               _session_log(sprintf "%20s from %16s logged in  at %30s.\n", $userid,$ENV{'REMOTE_ADDR'},(strftime '%c', localtime));
+               #_session_log(sprintf "%20s from %16s logged in  at %30s.\n", $userid,$ENV{'REMOTE_ADDR'},(strftime '%c', localtime));
             	if ( $flags = haspermission(  $userid, $flagsrequired ) ) {
 					$loggedin = 1;
             	}
diff --git a/C4/Print.pm b/C4/Print.pm
index 2ba7584d..f810816 100644
--- a/C4/Print.pm
+++ b/C4/Print.pm
@@ -79,7 +79,8 @@ sub remoteprint ($$) {
     # to have spaces in them). Or perhaps if $queue eq "" and
     # $env->{file} ne "", then that should mean "print to $env->{file}".
     if ( $queue eq "" || $queue eq 'nulllp' ) {
-        open( PRINTER, ">/tmp/kohaiss" );
+        return;
+	#open( PRINTER, ">/tmp/kohaiss" );
     }
     else {
 
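Review bot: With `return;` added for the empty/`nulllp` queue, the commented-out `open( PRINTER, ">/tmp/kohaiss" );` on the next line is unreachable and should be deleted rather than kept, and the tab on that line breaks the surrounding four-space indent. Since this branch now exits early, the `else {` that follows could become an early-return guard, `return if $queue eq "" || $queue eq 'nulllp';`, with the printer code un-nested. Callers that previously had their output written to /tmp/kohaiss now get an undef return, so a one-line comment stating that a null queue is a no-op would help. remoteprint starts before this hunk and continues after it.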
@@ -125,6 +126,10 @@ sub remoteprint ($$) {
 }
 
 sub printreserve {
+
+    # FIXME - make useful
+    return;
+
     my ( $branchname, $bordata, $itemdata ) = @_;
     my $printer = '';
     (return) unless ( C4::Context->boolean_preference('printreserveslips') );
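Review bot: The unconditional `return;` at the top of printreserve makes the entire remaining body unreachable, including the existing `printreserveslips` preference check, and `# FIXME - make useful` does not say why. Either remove the dead body or record the reason in the comment, e.g. `# Disabled for bug 6627; the slip-printing code below is kept for reference only`, so a later maintainer knows the preference is intentionally ignored and is not misled into thinking the sub works. The body of printreserve continues past this hunk.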
@@ -175,6 +180,9 @@ print a slip for the given $borrowernumber
 
 #'
 sub printslip ($) {
+
+    #FIXME - make useful
+
     my $borrowernumber = shift;
     my $borrower   = GetMemberDetails($borrowernumber);
 	my $issueslist = GetPendingIssues($borrowernumber); 
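Review bot: printslip gains only a `#FIXME - make useful` comment and no `return;`, so unlike printreserve in the previous hunk it still runs its full body. If the intent was to disable it as well, the early return is missing; if not, the FIXME is misleading and should state what remains to be done, e.g. `# FIXME (bug 6627): still active; review where this slip is written`. Whichever is meant, the two subs should be made consistent. printslip's body continues beyond this hunk.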
diff --git a/installer/InstallAuth.pm b/installer/InstallAuth.pm
index 10cbea3..ccdcbcb 100644
--- a/installer/InstallAuth.pm
+++ b/installer/InstallAuth.pm
@@ -274,7 +274,8 @@ sub checkauth {
             C4::Context->_unset_userenv($sessionID);
             $sessionID = undef;
             $userid    = undef;
-            open L, ">>/tmp/sessionlog";
+	   # Commented out due to its lack of usefulness
+           # open L, ">>/tmp/sessionlog";
             my $time = localtime( time() );
             printf L "%20s from %16s logged out at %30s (manually).\n", $userid,
               $ip, $time;
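Review bot: Commenting out `open L, ">>/tmp/sessionlog";` while leaving the `printf L ...` two lines below means every manual logout now writes to the unopened bareword filehandle `L`, which under `use warnings` emits a "printf() on unopened filehandle" warning on each request; the `my $time = localtime( time() );` and the `printf` should be removed along with the open, otherwise the dead open is only noise. Note that `$userid` is set to undef on the line above the open, so the message never recorded a useful user anyway and the block can go entirely. The new comment line also uses a tab where the surrounding code uses spaces. checkauth continues outside this hunk.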
-- 
1.7.5.4

