From fffe72a3fa6c187f029a2223d45b065ab1b0e56a Mon Sep 17 00:00:00 2001
From: Isaac Connor
Date: Tue, 18 May 2021 10:51:29 -0400
Subject: [PATCH 1/2] Split calculateAuthHash out from generateAuthHash. API is sessionless, so we just want provide a means of getting the auth hash without caching or do anything else fancy with it.
---
 web/includes/auth.php | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/web/includes/auth.php b/web/includes/auth.php
index 224f88abf..7e85e4ba2 100644
--- a/web/includes/auth.php
+++ b/web/includes/auth.php
@@ -208,6 +208,14 @@ function getAuthUser($auth) {
 return null;
 } // end getAuthUser($auth)
 
+function calculateAuthHash($remoteAddr) {
+ global $user;
+ $local_time = localtime();
+ $authKey = ZM_AUTH_HASH_SECRET.$user['Username'].$user['Password'].$remoteAddr.$local_time[2].$local_time[3].$local_time[4].$local_time[5];
+ #ZM\Debug("Generated using hour:".$local_time[2] . ' mday:' . $local_time[3] . ' month:'.$local_time[4] . ' year: ' . $local_time[5] );
+ return md5($authKey);
+}
+
 function generateAuthHash($useRemoteAddr, $force=false) {
 global $user;
 if (ZM_OPT_USE_AUTH and (ZM_AUTH_RELAY == 'hashed') and isset($user['Username']) and isset($user['Password']) and isset($_SESSION)) {
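Review bot: calculateAuthHash() reads `$user['Username']` and `$user['Password']` without the `isset()` guard that generateAuthHash() keeps on the lines just below it, so with `$user` unset it still returns an md5 over the secret plus empty fields, and a caller will pass that to `zmu -A` as though it were a real credential. Since this helper is meant to be the sessionless building block, it should fail closed rather than trust every caller to check first, e.g. `if (!isset($user['Username'], $user['Password'])) return null;` with callers refusing a null. The function also lacks a header comment; I would add `# Hour-granular auth hash for the current $user, bound to $remoteAddr ('' = no IP binding). No session access or caching; the time comes from localtime(), so the verifier must share this process's timezone.` The hour-window and timezone dependence is inherited from the code this replaces, not introduced here.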
@@ -218,16 +226,8 @@ function generateAuthHash($useRemoteAddr, $force=false) {
 
 # Appending the remoteAddr prevents us from using an auth hash generated for a different ip
 if ($force or ( !isset($_SESSION['AuthHash'.$_SESSION['remoteAddr']]) ) or ( $_SESSION['AuthHashGeneratedAt'] < $mintime )) {
+ $auth = calculateAuthHash($useRemoteAddr?$_SESSION['remoteAddr']:'');
 # Don't both regenerating Auth Hash if an hour hasn't gone by yet
- $local_time = localtime();
- $authKey = '';
- if ($useRemoteAddr) {
- $authKey = ZM_AUTH_HASH_SECRET.$user['Username'].$user['Password'].$_SESSION['remoteAddr'].$local_time[2].$local_time[3].$local_time[4].$local_time[5];
- } else {
- $authKey = ZM_AUTH_HASH_SECRET.$user['Username'].$user['Password'].$local_time[2].$local_time[3].$local_time[4].$local_time[5];
- }
- #ZM\Debug("Generated using hour:".$local_time[2] . ' mday:' . $local_time[3] . ' month:'.$local_time[4] . ' year: ' . $local_time[5] );
- $auth = md5($authKey);
 $_SESSION['AuthHash'.$_SESSION['remoteAddr']] = $auth;
 $_SESSION['AuthHashGeneratedAt'] = $time;
 # Because we don't write out the session, it shouldn't actually get written out to disk. However if it does, the GeneratedAt should protect us.

From 8c7e00418700afe6f299c02d6bdb5b6df91d624f Mon Sep 17 00:00:00 2001
From: Isaac Connor
Date: Tue, 18 May 2021 10:52:07 -0400
Subject: [PATCH 2/2] Use calculateAuthHash instead of generateAuthHash because we are sessionless and improve output on success and failure. Fixes #2329
---
 web/api/app/Controller/MonitorsController.php | 21 ++++++++++++-------
 1 file changed, 14 insertions(+), 7 deletions(-)

diff --git a/web/api/app/Controller/MonitorsController.php b/web/api/app/Controller/MonitorsController.php
index 4ecca6236..eb4eecf1f 100644
--- a/web/api/app/Controller/MonitorsController.php
+++ b/web/api/app/Controller/MonitorsController.php
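Review bot: The added `$auth = calculateAuthHash(...)` line is placed above the `# Don't both regenerating Auth Hash if an hour hasn't gone by yet` comment, which explains the `if` condition, so the comment now sits between the computation and the session writes and reads as if it described them. Move the comment above the `if (...)` line and fix the typo while there: `# Don't bother regenerating the auth hash if the previous one is still fresh`. Behaviour is otherwise preserved: passing '' when `$useRemoteAddr` is false concatenates an empty string, exactly as the removed else branch did. generateAuthHash() begins and ends outside this hunk.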
@@ -266,7 +266,7 @@ class MonitorsController extends AppController {
 if ( $mToken ) {
 $auth = ' -T '.$mToken;
 } else if ( ZM_AUTH_RELAY == 'hashed' ) {
- $auth = ' -A '.generateAuthHash(ZM_AUTH_HASH_IPS);
+ $auth = ' -A '.calculateAuthHash(ZM_AUTH_HASH_IPS?$_SERVER['REMOTE_ADDR']:'');
 } else if ( ZM_AUTH_RELAY == 'plain' ) {
 # Plain requires the plain text password which must either be in request or stored in session
 $password = $this->request->query('pass') ? $this->request->query('pass') : $this->request->data('pass');;
@@ -290,12 +290,19 @@ class MonitorsController extends AppController {
 
 }
 $shellcmd = escapeshellcmd(ZM_PATH_BIN."/zmu $verbose -m$id $q $auth");
- $status = exec ($shellcmd);
-
- $this->set(array(
- 'status' => $status,
- '_serialize' => array('status'),
- ));
+ $status = exec($shellcmd, $output, $rc);
+ if ($status) {
+ $this->set(array(
+ 'status'=>$rc,
+ 'error'=>$output,
+ '_serialize' => array('status','error'),
+ ));
+ } else {
+ $this->set(array(
+ 'status' => 'Ok',
+ '_serialize' => array('status'),
+ ));
+ }
 }
 
 // Check if a daemon is running for the monitor id
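Review bot: The new call binds the hash to `$_SERVER['REMOTE_ADDR']` when ZM_AUTH_HASH_IPS is on, whereas the removed generateAuthHash() path used the address stored in the session at login; behind a reverse proxy REMOTE_ADDR is the proxy's address, and outside a web request the index is undefined, so the expression silently yields an empty string and a hash with no IP binding at all. I cannot see from this hunk which address zmu uses when it verifies, so I would at least make the missing case explicit rather than implicit: `$remoteAddr = $_SERVER['REMOTE_ADDR'] ?? null;` and refuse the request when `ZM_AUTH_HASH_IPS && $remoteAddr === null`, with a comment noting that a proxied deployment must present the same address on both sides. The enclosing method starts and ends outside this hunk.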
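Review bot: `if ($status)` tests exec()'s return value, which is the last line zmu printed, not whether it failed: a zmu that prints anything on success is reported as an error with `'status' => $rc` equal to 0, and one that fails without printing is reported as `'Ok'`. The exit code is already captured, so branch on it instead, `if ($rc !== 0) {`, and keep `$status` next to `$output` in the error payload for debugging. Note also that `$output` is zmu's full stdout returned verbatim to API clients, and that the command on the context line is built with escapeshellcmd() over the whole string, which neutralises metacharacters but not additional whitespace-separated arguments; if `$id`, `$q` or `$verbose` are not strictly validated earlier in the method (not visible here), escapeshellarg() per value is the safer form. The enclosing method starts outside this hunk.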