diff options
| author | zotlabs <mike@macgirvin.com> | 2016-10-09 21:36:55 -0700 |
|---|---|---|
| committer | zotlabs <mike@macgirvin.com> | 2016-10-09 21:36:55 -0700 |
| commit | af13e5fa4a88691dc1d7a7474890b381fbb44aab (patch) | |
| tree | 774df13b348889832f5c84f31b51df794d75c971 | |
| parent | 8eac8132e31106c4220c496229f68496e0d8bc08 (diff) | |
| download | volse-hubzilla-af13e5fa4a88691dc1d7a7474890b381fbb44aab.tar.gz volse-hubzilla-af13e5fa4a88691dc1d7a7474890b381fbb44aab.tar.bz2 volse-hubzilla-af13e5fa4a88691dc1d7a7474890b381fbb44aab.zip | |
since the snap module runs without permissions controls, verify the logged in channel matches the requested cloud path
| -rw-r--r-- | Zotlabs/Module/Snap.php | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/Zotlabs/Module/Snap.php b/Zotlabs/Module/Snap.php index 8e52d85ac..89aebc097 100644 --- a/Zotlabs/Module/Snap.php +++ b/Zotlabs/Module/Snap.php @@ -58,6 +58,15 @@ class Snap extends \Zotlabs\Web\Controller { else killme(); + if($_SERVER['PHP_AUTH_USER'] && $_SERVER['PHP_AUTH_USER'] !== $which) + killme(); + + if(local_channel()) { + $c = \App::get_channel(); + if($c && $c['channel_address'] !== $which) + killme(); + } + if(! in_array(strtolower($_SERVER['REQUEST_METHOD']),['propfind','get','head'])) killme(); |