harukin/core
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

prevent 'my_address' being set with bogus info

Browse Source 
After a user has authenticated, it is possible to set my_address in $_SESSION to 'anything' using zid= parameter in URL - if user is authenticated then zid is never set. This change kills the authenticated switch if a person sends a new zid through for processing, which will trigger remote authentication.
This commit is contained in:
Waitman Gobble 2017-09-18 06:02:14 -05:00 committed by GitHub
parent 5c379b4d35
commit b3c805d7d0
1 changed files with 5 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
Zotlabs/Web/WebServer.php
View File

@ -58,7 +58,11 @@ class WebServer {
if((x($_GET,'zid')) && (! \App::$install)) { if((x($_GET,'zid')) && (! \App::$install)) {
\App::$query_string = strip_zids(\App::$query_string); \App::$query_string = strip_zids(\App::$query_string);
if(! local_channel()) { if(! local_channel()) {
if ($_SESSION['my_address']!=$_GET['zid'])
{
$_SESSION['my_address'] = $_GET['zid']; $_SESSION['my_address'] = $_GET['zid'];
$_SESSION['authenticated'] = 0;
}
zid_init(); zid_init();
} }
} }