Project

General

Profile

Actions

Regression #13757

closed

Circular dependency issue in ``auth.inc``/``authgui.inc``

Added by Jim Pingle about 2 years ago. Updated almost 2 years ago.

Status:
Resolved
Priority:
Very High
Assignee:
Category:
Authentication
Target version:
Start date:
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
23.01
Release Notes:
Force Exclusion
Affected Version:
Affected Architecture:

Description

Some parts of auth.inc use a check for a function before doing some GUI-specific checks:

if (function_exists("display_error_form")) {

This function is defined in authgui.inc, but authgui.inc includes auth.inc before this function is defined.

I don't see how this could be working correctly unless something happened to include auth.inc twice.

The checks here used to work but perhaps something is behaving more appropriately in PHP 8.x which makes it (correctly) fail.

Actions #1

Updated by Jim Pingle about 2 years ago

Looks like this may have broken in 746f30e3ce1ff39c226a73bf87c86dd370ef239c with the added includes changing the order in which things were initially loaded.

Moving the authgui.inc include up to the top of guiconfig.inc fixes the behavior, but it's still awkward.

Actions #2

Updated by Jim Pingle about 2 years ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100
Actions #3

Updated by Jim Pingle about 2 years ago

  • Status changed from Feedback to In Progress
  • % Done changed from 100 to 0

That fix attempt ended up not incomplete, it could break CSRF in certain cases.

Still experimenting and checking into alternative solutions.

Actions #4

Updated by Jim Pingle about 2 years ago

Draft MR: https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/984

At the moment the least disruptive way to correct the behavior is to hardcode the CSRF timeout so it is not read from the configuration, which allows us to reorder includes so that authgui.inc can load auth.inc first.

I'm still looking into alternate solution that will allow reading in the CSRF timeout value from the configuration but it's a tricky chicken-and-egg scenario it ends up in because loading config.inc loads in numerous other includes, but we can't load authgui before initializing CSRF because it can output things that need CSRF protection.

Actions #6

Updated by Jim Pingle about 2 years ago

  • Status changed from In Progress to Feedback
  • % Done changed from 0 to 100
Actions #7

Updated by Jim Pingle about 2 years ago

  • Status changed from Feedback to Resolved

Closing this for now as it appears to be working as expected given the current limitations for the moment.

I can trigger the DNS Rebind and/or HTTP_REFERER error by using an unknown hostname as expected depending on the context.

Actions #8

Updated by Jim Pingle almost 2 years ago

  • Private changed from Yes to No
  • Release Notes changed from Default to Force Exclusion
Actions

Also available in: Atom PDF