authorzotlabs <mike@macgirvin.com>2016-10-09 21:36:55 -0700
committerzotlabs <mike@macgirvin.com>2016-10-09 21:36:55 -0700
commitaf13e5fa4a88691dc1d7a7474890b381fbb44aab (patch)
tree774df13b348889832f5c84f31b51df794d75c971
parent8eac8132e31106c4220c496229f68496e0d8bc08 (diff)
downloadvolse-hubzilla-af13e5fa4a88691dc1d7a7474890b381fbb44aab.tar.gz
volse-hubzilla-af13e5fa4a88691dc1d7a7474890b381fbb44aab.tar.bz2
volse-hubzilla-af13e5fa4a88691dc1d7a7474890b381fbb44aab.zip
Since the snap module runs without permission controls, verify that the logged-in channel matches the requested cloud path.
-rw-r--r--Zotlabs/Module/Snap.php9
1 files changed, 9 insertions, 0 deletions
diff --git a/Zotlabs/Module/Snap.php b/Zotlabs/Module/Snap.php
index 8e52d85ac..89aebc097 100644
--- a/Zotlabs/Module/Snap.php
+++ b/Zotlabs/Module/Snap.php
@@ -58,6 +58,15 @@ class Snap extends \Zotlabs\Web\Controller {
else
killme();
+ if($_SERVER['PHP_AUTH_USER'] && $_SERVER['PHP_AUTH_USER'] !== $which)
+ killme();
+
+ if(local_channel()) {
+ $c = \App::get_channel();
+ if($c && $c['channel_address'] !== $which)
+ killme();
+ }
+
if(! in_array(strtolower($_SERVER['REQUEST_METHOD']),['propfind','get','head']))
killme();