Headline
CVE-2022-35947: Ensure token based authentication only accept strings · glpi-project/glpi@564309d
GLPI stands for Gestionnaire Libre de Parc Informatique and is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. Affected versions have been found to be vulnerable to a SQL injection attack which an attacker could leverage to simulate an arbitrary user login. Users are advised to upgrade to version 10.0.3. Users unable to upgrade should disable the Enable login with external token API configuration.
@@ -173,13 +173,22 @@ public function testGetFromDBbyToken()
$this->array($user2->fields)->isIdenticalTo($user->fields);
$this->when(
function () use ($uid) {
$this->testedInstance->getFromDBbyToken($uid, ‘my_field’);
function () {
$this->testedInstance->getFromDBbyToken('1485dd60301311eda2610242ac12000249aef69a’, ‘my_field’);
}
)->error
->withType(E_USER_WARNING)
->withMessage(‘User::getFromDBbyToken() can only be called with $field parameter with theses values: \’personal_token\’, \’api_token\’’)
->exists();
->withType(E_USER_WARNING)
->withMessage(‘User::getFromDBbyToken() can only be called with $field parameter with theses values: \’personal_token\’, \’api_token\’’)
->exists();
$this->when(
function () {
$this->testedInstance->getFromDBbyToken(['REGEX’, ‘.*’], ‘api_token’);
}
)->error()
->withType(E_USER_WARNING)
->withMessage(‘Unexpected token value received: “string” expected, received "array".’)
->exists();
}
public function testPrepareInputForAdd()