may be exploitable in current form - awaiting review

2017-09-02 14:04:37 -07:00 · 2017-09-02 14:04:37 -07:00 · 7bff60edac
commit 7bff60edac
parent 5bffae6219
3 changed files with 6 additions and 1 deletions
--- a/Zotlabs/Module/Cdav.php
+++ b/Zotlabs/Module/Cdav.php
@ -64,6 +64,8 @@ class Cdav extends \Zotlabs\Web\Controller {
 								if(! ($verified && $verified['header_signed'] && $verified['header_valid'])) {
 									$record = null;
 								}
+// requires security review
+$record = null;
 								if($record['account']) {
 							        authenticate_success($record['account']);
 							        if($channel_login) {
--- a/Zotlabs/Module/Dav.php
+++ b/Zotlabs/Module/Dav.php
@ -73,6 +73,8 @@ class Dav extends \Zotlabs\Web\Controller {
 							if(! ($verified && $verified['header_signed'] && $verified['header_valid'])) {
 								$record = null;
 							}
+// requires security review
+$record = null;
 							if($record['account']) {
 						        authenticate_success($record['account']);
 						        if($channel_login) {
--- a/include/api_auth.php
+++ b/include/api_auth.php
@ -85,7 +85,8 @@ function api_login(&$a){
 					else {
 						continue;
 					}
-
+// requires security review
+$record = null;
 					if($record) {					
 						$verified = \Zotlabs\Web\HTTPSig::verify('',$record['channel']['channel_pubkey']);
 						if(! ($verified && $verified['header_signed'] && $verified['header_valid'])) {