/[packages]/cauldron/ajaxterm/pristine/SOURCES/ajaxterm-0.10-CVE-2009-1629.patch

Contents of /cauldron/ajaxterm/pristine/SOURCES/ajaxterm-0.10-CVE-2009-1629.patch



Revision 345413 - (show annotations) (download)
Fri Jan 11 02:48:02 2013 UTC (11 years, 3 months ago) by schedbot
File size: 4728 byte(s)
Copying release 0.10-3.mga3 to pristine/ directory.
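--- a/ajaxterm.js
+++ b/ajaxterm.js
@@ -3,7 +3,24 @@ ajaxterm.Terminal_ctor=function(id,width
 var ie=0;
 if(window.ActiveXObject)
 ie=1;
- var sid=""+Math.round(Math.random()*1000000000);
+
+ var sid="";
+
+ for (var i=0; i < 128; i++) {
+ var r = 0;
+ // now get a random number between 0 and 255
+ // numbers not in the range are intentionally discarded
+ // as it reduces the chance of predicting the seed, by not
+ // using all of the numbers generated by the PRNG
+ do {
+ r = Math.round(Math.random()*1000);
+ } while(r >= 255);
+ r = r.toString(16);
+ if (r.length == 1)
+ r = "0"+r;
+ sid += "%" + r;
+ }
+
 var query0="s="+sid+"&w="+width+"&h="+height;
 var query1=query0+"&c=1&k=";
 var buf="";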
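Review bot: The comment above the new `do { … } while(r >= 255)` loop claims a property the code does not have: discarding out-of-range draws only constrains the byte range, it does not make `Math.random()` any harder to predict, since the values still come from a non-cryptographic PRNG whose state the page does not control. The loop also rejects 255 itself, so each position draws from 0–254 rather than a full byte, and `Math.round` gives 0 half the weight of every other value; `r = Math.floor(Math.random()*256);` produces a uniform full byte with no rejection loop at all. The comment should state what is actually true, e.g. `// client-side sid from Math.random(): not cryptographically strong; the server-side cookie derived from os.urandom is what binds the session`, which matches the companion ajaxterm.py change keying sessions on cookie+sid. Where the browser provides `window.crypto.getRandomValues`, filling a `Uint8Array` with it is the appropriate source for an identifier like this. `Terminal_ctor` continues outside the hunk.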
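--- a/ajaxterm.py
+++ b/ajaxterm.py
@@ -2,7 +2,14 @@
 
 """ Ajaxterm """
 
-import array,cgi,fcntl,glob,mimetypes,optparse,os,pty,random,re,signal,select,sys,threading,time,termios,struct,pwd
+import array,cgi,fcntl,glob,mimetypes,optparse,os,pty,random,re,signal,select,sys,threading,time,termios,struct,pwd,Cookie
+from datetime import datetime, timedelta
+
+try:
+ from hashlib import sha1
+except ImportError:
+ import sha
+ sha1 = sha.new
 
 os.chdir(os.path.normpath(os.path.dirname(__file__)))
 # Optional: Add QWeb in sys path
@@ -483,30 +490,61 @@ class AjaxTerm:
 self.mime['.html']= 'text/html; charset=UTF-8'
 self.multi = Multiplex(cmd)
 self.session = {}
+ self.session_ip = {}
+ self.sessions_limit = 20
+ self.sessions_user_limit = 4
+ m = sha1()
+ m.update(os.urandom(128))
+ self.cookie_name = m.hexdigest()
 def __call__(self, environ, start_response):
 req = qweb.QWebRequest(environ, start_response,session=None)
 if req.PATH_INFO.endswith('/u'):
+ req.response_headers['Content-Type']='text/xml'
+ uid=""
+ if self.cookie_name not in req.request_cookies:
+ req.write('<?xml version="1.0"?><idem></idem>')
+ return req
+ uid = req.request_cookies[self.cookie_name].value
 s=req.REQUEST["s"]
 k=req.REQUEST["k"]
 c=req.REQUEST["c"]
 w=req.REQUEST.int("w")
 h=req.REQUEST.int("h")
- if s in self.session:
- term=self.session[s]
+ ip="unknown"
+ if environ.has_key("REMOTE_ADDR"):
+ ip=environ['REMOTE_ADDR']
+ if ip == "127.0.0.1" and environ.has_key("HTTP_X_FORWARDED_FOR"):
+ ip=environ["HTTP_X_FORWARDED_FOR"]
+
+ if (uid+s) in self.session:
+ term=self.session[uid+s]
+ req.response_cookies.load(req.request_cookies[self.cookie_name].OutputString())
+ req.response_cookies[self.cookie_name]['expires'] = datetime.utcnow()+timedelta(seconds=60)
 else:
 if not (w>2 and w<256 and h>2 and h<100):
 w,h=80,25
- term=self.session[s]=self.multi.create(w,h)
+ # check if there aren't too many open sessions
+ if len(self.session) < self.sessions_limit:
+ count=0
+ for i in self.session_ip.keys():
+ if self.session_ip[i] == ip:
+ count+=1
+ if count <= self.sessions_user_limit:
+ term=self.session[uid+s]=self.multi.create(w,h)
+ self.session_ip[uid+s]=ip
+ else:
+ req.write('<?xml version="1.0"?><idem></idem>')
+ return req
 if k:
 self.multi.proc_write(term,k)
 time.sleep(0.002)
 dump=self.multi.dump(term,c)
- req.response_headers['Content-Type']='text/xml'
 if isinstance(dump,str):
 req.write(dump)
 req.response_gzencode=1
 else:
- del self.session[s]
+ del self.session[uid+s]
+ del self.session_ip[uid+s]
 req.write('<?xml version="1.0"?><idem></idem>')
 # print "sessions %r"%self.session
 else:
@@ -515,9 +553,23 @@ class AjaxTerm:
 req.response_headers['Content-Type'] = self.mime.get(os.path.splitext(n)[1].lower(), 'application/octet-stream')
 req.write(self.files[n])
 else:
+ if self.cookie_name not in req.request_cookies:
+ self.genSidCookie(req)
 req.response_headers['Content-Type'] = 'text/html; charset=UTF-8'
 req.write(self.files['index'])
 return req
+ def genSidCookie(self, req):
+ m = sha1()
+ m.update(os.urandom(160))
+ req.response_cookies[self.cookie_name] = m.hexdigest()
+ # try to set httponly if supported (added in 2.6)
+ try:
+ req.response_cookies[self.cookie_name]['httponly'] = 1
+ except (Cookie.CookieError):
+ pass
+ req.response_cookies[self.cookie_name]['path'] = req.PATH_INFO
+ req.response_cookies[self.cookie_name]['expires'] = datetime.utcnow()+timedelta(seconds=60)
+ return req
 
 def main():
 parser = optparse.OptionParser()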
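Review bot: The new session-creation branch has two admission checks (`len(self.session) < self.sessions_limit` and `count <= self.sessions_user_limit`) but only one `else:` that writes the `<idem>` reply, so whichever check the `else` does not belong to leaves `term` unbound when it rejects, and the later `self.multi.proc_write(term,k)` / `self.multi.dump(term,c)` raise UnboundLocalError instead of returning the empty response (the rendering has dropped indentation, so I cannot tell which `if` the `else` pairs with, but one of the two paths is unguarded either way). Folding both limits into a single guard closes that gap, and the per-IP count can be one expression rather than a `keys()` loop. Note too that `count <= self.sessions_user_limit` admits a new session when `count` already equals the limit, so a client gets limit+1 sessions; `>=` in the combined guard makes the attribute name accurate, if that is the intent. Separately, assigning a `datetime` to the morsel's `expires` (here and again in `genSidCookie` in the next hunk) emits `str(datetime)` into Set-Cookie if `response_cookies` is a stdlib `Cookie.SimpleCookie` as the `.load()` call suggests — that is not an HTTP date, whereas an integer such as `['expires'] = 60` is formatted into a valid one by the module. `__call__` continues outside the hunk.
```python
# … unchanged: w/h bounds check …
count = sum(1 for v in self.session_ip.values() if v == ip)
# reject on either limit here so that `term` is always bound below
if len(self.session) >= self.sessions_limit or count >= self.sessions_user_limit:
    req.write('<?xml version="1.0"?><idem></idem>')
    return req
term=self.session[uid+s]=self.multi.create(w,h)
self.session_ip[uid+s]=ip
```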
