Verify HMAC of invirt-vnc token before unpickling anything. 0.0.11
authorJoshua Oreman <oremanj@rwcr.net>
Tue, 15 Mar 2011 03:50:14 +0000 (23:50 -0400)
committerJoshua Oreman <oremanj@rwcr.net>
Tue, 15 Mar 2011 03:50:14 +0000 (23:50 -0400)
debian/changelog
invirt-vnc-authtoken
python/vnc/extauth.py

index 1cbcba0..435adf2 100644 (file)
@@ -1,3 +1,10 @@
+invirt-vnc-server (0.0.11) unstable; urgency=low
+
+  * Verify HMAC of invirt-vnc token before unpickling anything.
+    Thanks to Nelson Elhage for the report.
+
+ -- Joshua Oreman <oremanj@mit.edu>  Mon, 14 Mar 2011 23:49:06 -0400
+
 invirt-vnc-server (0.0.10) unstable; urgency=low
 
   * Add missing dependency on python-openssl.
index a173f46..4600afb 100755 (executable)
@@ -24,9 +24,7 @@ def getAuthToken(username, machine, lifetime=5*60):
     pickled_data = cPickle.dumps(data)
     m = hmac.new(getTokenKey(), digestmod=sha)
     m.update(pickled_data)
-    token = {'data': pickled_data, 'digest': m.digest()}
-    token = cPickle.dumps(token)
-    token = base64.urlsafe_b64encode(token)
+    token = ".".join(map(base64.urlsafe_b64encode, (pickled_data, m.digest())))
     return token
 
 def main():
index a01a858..12176ca 100644 (file)
@@ -65,11 +65,10 @@ class VNCAuth(protocol.Protocol):
     def validateToken(self, token):
         self.auth_error = "Invalid token"
         try:
-            token = base64.urlsafe_b64decode(token)
-            token = cPickle.loads(token)
+            (pickled_data, digest) = map(base64.urlsafe_b64decode, token.split("."))
             m = hmac.new(getTokenKey(), digestmod=sha)
-            m.update(token['data'])
-            if (m.digest() == token['digest']):
+            m.update(pickled_data)
+            if (m.digest() == digest):
                 data = cPickle.loads(token['data'])
                 expires = data["expires"]
                 if (time.time() < expires):
@@ -79,7 +78,7 @@ class VNCAuth(protocol.Protocol):
                     self.auth_data = data
                 else:
                     self.auth_error = "Token has expired; please try logging in again"
-        except (TypeError, cPickle.UnpicklingError):
+        except (TypeError, ValueError, cPickle.UnpickleError):
             self.auth = None            
             print sys.exc_info()