diff options
author | Waitman Gobble <waitman@waitman.net> | 2017-09-18 06:02:14 -0500 |
---|---|---|
committer | GitHub <noreply@github.com> | 2017-09-18 06:02:14 -0500 |
commit | b3c805d7d0f62cf322de21f09ba066b418d8712d (patch) | |
tree | 3f29252e977dc4b999472367baa2ed2032c6e293 /Zotlabs/Web | |
parent | 5c379b4d356169b8eada1f6e1851dbc7f5af6933 (diff) | |
download | volse-hubzilla-b3c805d7d0f62cf322de21f09ba066b418d8712d.tar.gz volse-hubzilla-b3c805d7d0f62cf322de21f09ba066b418d8712d.tar.bz2 volse-hubzilla-b3c805d7d0f62cf322de21f09ba066b418d8712d.zip |
prevent 'my_address' being set with bogus info
After a user has authenticated, it is possible to set my_address in $_SESSION to 'anything' using zid= parameter in URL - if user is authenticated then zid is never set. This change kills the authenticated switch if a person sends a new zid through for processing, which will trigger remote authentication.
Diffstat (limited to 'Zotlabs/Web')
-rw-r--r-- | Zotlabs/Web/WebServer.php | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/Zotlabs/Web/WebServer.php b/Zotlabs/Web/WebServer.php index 8431a2e0e..d517eda49 100644 --- a/Zotlabs/Web/WebServer.php +++ b/Zotlabs/Web/WebServer.php @@ -58,7 +58,11 @@ class WebServer { if((x($_GET,'zid')) && (! \App::$install)) { \App::$query_string = strip_zids(\App::$query_string); if(! local_channel()) { - $_SESSION['my_address'] = $_GET['zid']; + if ($_SESSION['my_address']!=$_GET['zid']) + { + $_SESSION['my_address'] = $_GET['zid']; + $_SESSION['authenticated'] = 0; + } zid_init(); } } |