system: address CVE-2019-11816 privlege escalation bugs

Reported by: Arnaud Cordier
2026-03-14 00:24:40 +00:00 · 2019-05-19 09:39:18 +02:00 · 2019-05-19 09:39:18 +02:00 · 03c75f71be
commit 03c75f71be
parent 28ed5741f4
2 changed files with 21 additions and 7 deletions
--- a/src/etc/inc/authgui.inc
+++ b/src/etc/inc/authgui.inc
@ -198,8 +198,17 @@ set_language();
 /*
 * redirect to first allowed page if requesting a wrong url
 */
-$page =  $_SERVER['REQUEST_URI']  == "/" ? "/index.php" : $_SERVER['REQUEST_URI'];
-if ($_SESSION['Username'] != 'root' && !$acl->isPageAccessible($_SESSION['Username'],$page)) {
+if ($_SERVER['REQUEST_URI']  == '/') {
+    $page = '/index.php';
+} else {
+    /* reconstruct page uri to use actual script location, mimic realpath() behaviour */
+    $page = $_SERVER['SCRIPT_NAME'];
+    $tmp_uri = parse_url($_SERVER['REQUEST_URI']);
+    if (!empty($tmp_uri['query'])) {
+        $page .= '?' . $tmp_uri['query'];
+    }
+}
+if ($_SESSION['Username'] != 'root' && !$acl->isPageAccessible($_SESSION['Username'], $page)) {
    if (session_status() == PHP_SESSION_NONE) {
        session_start();
    }
--- a/src/opnsense/mvc/app/models/OPNsense/Core/ACL.php
+++ b/src/opnsense/mvc/app/models/OPNsense/Core/ACL.php
@ -181,7 +181,7 @@ class ACL
     * @param string $urlmask regex mask
     * @return bool url matches mask
     */
-    private function urlMatch($url, $urlmask)
+    public function urlMatch($url, $urlmask)
    {
        /* "." and "?" have no effect on match, but "*" is a wildcard */
        $match = str_replace(array('.', '*','?'), array('\.', '.*','\?'), $urlmask);
@ -242,6 +242,14 @@ class ACL
                }
            }
        }
+
+        /*
+         * Always allow logout and menu, should be yielded as final items
+         * to prevent redirect to the logout page in case unauthorised
+         * pages are tried.
+         */
+        yield 'index.php?logout';
+        yield 'api/core/menu/*';
    }

    /**
@ -252,10 +260,7 @@ class ACL
     */
    public function isPageAccessible($username, $url)
    {
-        if ($url == '/index.php?logout' || strpos($url, 'api/core/menu/') !== false) {
-            // always allow logout and menu, could use better structuring...
-            return true;
-        } elseif (!empty($_SESSION['user_shouldChangePassword'])) {
+        if (!empty($_SESSION['user_shouldChangePassword'])) {
            // when a password change is enforced, lock all other endpoints
            return $this->urlMatch($url, 'system_usermanager_passwordmg.php*');
        }