Bug#907815: gosa: UI behaves strangely, some data not saved

Dominik George natureshadow at debian.org
Fri Apr 19 12:01:24 BST 2019 

Hi,

> > The bug also happens in a new Debian Edu install, both stretch and buster,
> > and can also be triggered by using any list views in some random order, e.g.
> > when editing roles and groups of a few users in a row.
> 
> After some research and after looking at $_SESSION when the above described
> error occurs, I found this:
> https://stackoverflow.com/questions/1442177/storing-objects-in-php-session
> https://stackoverflow.com/questions/132194/php-storing-objects-inside-the-session
> 
> I stumbled over this comment in the gosa code, then:
> https://github.com/gosa-project/gosa-plugins-systems/blob/cf34737977a97e0090e09390b209078dabdc77af/admin/systems/class_systemManagement.inc#L90
> 
> So, in fact, this strange behavious is a known issue and we have been lucky
> enough to not stumble over it earlier.
> 
> The underlying cause of this is that the filter cache implementation stores
> PHP objects in $_SESSION (which one should not do when PHP is used for
> rendering a web page).
> 
> I fact, this could lead to all sorts of troubles, because the object
> reference stored in $_SESSION while loading URL-1 will very likely not be
> the same reference when URL-2 gets loaded and the object is retrieved again
> from $_SESSION. In fact, the old reference could point to anywhere in the
> PHP sessions RAM area (and thus deliver all sorts of artefact /
> unpredictable behaviour).

To anywhere in the session storage, as in, including data of other user
sessions and their possibly secret data? So…

> 
> I am not 100% sure, but I have a sense that this is actually worth a CVE.
> Thus, Cc:-ing the security-team for advice.

…it is.

> 
> I have tried to come up with some patches, but my sense is that the only
> good solution for now (buster release knocks at our door) is disabling the
> $_SESSION based filter cache and reload the "*-filter.xml files from the
> file system everytime a class_<what>Management based page is opened.

This does not cost us anything except some performance, which GOSa lacks
anyway ;). So I'd go with that, also for stable-security.

-nik
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 898 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/debian-edu-pkg-team/attachments/20190419/911db927/attachment.sig>

More information about the Debian-edu-pkg-team mailing list