From: Joshua Oreman <oremanj@rwcr.net>
Date: Tue, 15 Mar 2011 03:50:14 +0000 (-0400)
Subject: Verify HMAC of invirt-vnc token before unpickling anything.
X-Git-Tag: 0.0.11^0
X-Git-Url: http://xvm.mit.edu/gitweb/invirt/packages/invirt-vnc-server.git/commitdiff_plain/f2c5a3fea1e12d20bc2ebe2393a3a3bf84ba06bf?hp=2857f03239df7a4d19f38041208115156eff8f69

Verify HMAC of invirt-vnc token before unpickling anything.
---

diff --git a/debian/changelog b/debian/changelog
index 1cbcba0..435adf2 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+invirt-vnc-server (0.0.11) unstable; urgency=low
+
+  * Verify HMAC of invirt-vnc token before unpickling anything.
+    Thanks to Nelson Elhage for the report.
+
+ -- Joshua Oreman <oremanj@mit.edu>  Mon, 14 Mar 2011 23:49:06 -0400
+
 invirt-vnc-server (0.0.10) unstable; urgency=low
 
   * Add missing dependency on python-openssl.
diff --git a/invirt-vnc-authtoken b/invirt-vnc-authtoken
index a173f46..4600afb 100755
--- a/invirt-vnc-authtoken
+++ b/invirt-vnc-authtoken
@@ -24,9 +24,7 @@ def getAuthToken(username, machine, lifetime=5*60):
     pickled_data = cPickle.dumps(data)
     m = hmac.new(getTokenKey(), digestmod=sha)
     m.update(pickled_data)
-    token = {'data': pickled_data, 'digest': m.digest()}
-    token = cPickle.dumps(token)
-    token = base64.urlsafe_b64encode(token)
+    token = ".".join(map(base64.urlsafe_b64encode, (pickled_data, m.digest())))
     return token
 
 def main():
diff --git a/python/vnc/extauth.py b/python/vnc/extauth.py
index a01a858..12176ca 100644
--- a/python/vnc/extauth.py
+++ b/python/vnc/extauth.py
@@ -65,11 +65,10 @@ class VNCAuth(protocol.Protocol):
     def validateToken(self, token):
         self.auth_error = "Invalid token"
         try:
-            token = base64.urlsafe_b64decode(token)
-            token = cPickle.loads(token)
+            (pickled_data, digest) = map(base64.urlsafe_b64decode, token.split("."))
             m = hmac.new(getTokenKey(), digestmod=sha)
-            m.update(token['data'])
-            if (m.digest() == token['digest']):
+            m.update(pickled_data)
+            if (m.digest() == digest):
                 data = cPickle.loads(token['data'])
                 expires = data["expires"]
                 if (time.time() < expires):
@@ -79,7 +78,7 @@ class VNCAuth(protocol.Protocol):
                     self.auth_data = data
                 else:
                     self.auth_error = "Token has expired; please try logging in again"
-        except (TypeError, cPickle.UnpicklingError):
+        except (TypeError, ValueError, cPickle.UnpickleError):
             self.auth = None            
             print sys.exc_info()