harukin/core
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

since the snap module runs without permissions controls, verify the logged in channel matches the requested cloud path

Browse Source
This commit is contained in:
zotlabs 2016-10-09 21:36:55 -07:00
parent 8eac8132e3
commit af13e5fa4a
1 changed files with 9 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
Zotlabs/Module/Snap.php
View File

@ -58,6 +58,15 @@ class Snap extends \Zotlabs\Web\Controller {
else else
killme(); killme();
if($_SERVER['PHP_AUTH_USER'] && $_SERVER['PHP_AUTH_USER'] !== $which)
killme();
if(local_channel()) {
$c = \App::get_channel();
if($c && $c['channel_address'] !== $which)
killme();
}
if(! in_array(strtolower($_SERVER['REQUEST_METHOD']),['propfind','get','head'])) if(! in_array(strtolower($_SERVER['REQUEST_METHOD']),['propfind','get','head']))
killme(); killme();