authorWaitman Gobble <waitman@waitman.net>2017-09-18 06:02:14 -0500
committerGitHub <noreply@github.com>2017-09-18 06:02:14 -0500
commitb3c805d7d0f62cf322de21f09ba066b418d8712d (patch)
tree3f29252e977dc4b999472367baa2ed2032c6e293
parent5c379b4d356169b8eada1f6e1851dbc7f5af6933 (diff)
prevent 'my_address' being set with bogus info
After a visitor has been remotely authenticated, it is possible to set my_address in $_SESSION to anything via the zid= URL parameter, because the authenticated flag stays set and the new zid is never verified. This change clears the authenticated flag whenever a different zid is submitted for processing, which triggers remote authentication again for the new address.
-rw-r--r--Zotlabs/Web/WebServer.php6
1 files changed, 5 insertions, 1 deletions
diff --git a/Zotlabs/Web/WebServer.php b/Zotlabs/Web/WebServer.php
index 8431a2e0e..d517eda49 100644
--- a/Zotlabs/Web/WebServer.php
+++ b/Zotlabs/Web/WebServer.php
@@ -58,7 +58,11 @@ class WebServer {
if((x($_GET,'zid')) && (! \App::$install)) {
\App::$query_string = strip_zids(\App::$query_string);
if(! local_channel()) {
- $_SESSION['my_address'] = $_GET['zid'];
+ if ($_SESSION['my_address']!=$_GET['zid'])
+ {
+ $_SESSION['my_address'] = $_GET['zid'];
+ $_SESSION['authenticated'] = 0;
+ }
zid_init();
}
}
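Review bot: The new guard `if ($_SESSION['my_address']!=$_GET['zid'])` compares attacker-controlled input with loose `!=` and reads `$_SESSION['my_address']` before it has ever been assigned, so the first remote visit raises an undefined-index notice and the comparison follows PHP's loose-equality rules rather than a byte-exact match; write it as `if (! isset($_SESSION['my_address']) || $_SESSION['my_address'] !== $_GET['zid'])`. Nothing in the hunk checks that `zid` is a string, so `zid[]=x` still stores an array into `$_SESSION['my_address']` on the next line, which a `is_string($_GET['zid'])` check in the outer condition would reject. Resetting only `authenticated` may leave other session keys populated by the previous remote login in place for `zid_init()` to reuse; that depends on what `zid_init()` reads, which is not visible here, and is worth confirming. The braces of the added block are also placed on their own lines, unlike the surrounding code in this method. The enclosing method starts before this hunk.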