From 7bff60edacd68ef3dccf6f956e9c57092919950a Mon Sep 17 00:00:00 2001 From: zotlabs Date: Sat, 2 Sep 2017 14:04:37 -0700 Subject: may be exploitable in current form - awaiting review --- Zotlabs/Module/Cdav.php | 2 ++ Zotlabs/Module/Dav.php | 2 ++ include/api_auth.php | 3 ++- 3 files changed, 6 insertions(+), 1 deletion(-) diff --git a/Zotlabs/Module/Cdav.php b/Zotlabs/Module/Cdav.php index abaec26a6..ec177ae2a 100644 --- a/Zotlabs/Module/Cdav.php +++ b/Zotlabs/Module/Cdav.php @@ -64,6 +64,8 @@ class Cdav extends \Zotlabs\Web\Controller { if(! ($verified && $verified['header_signed'] && $verified['header_valid'])) { $record = null; } +// requires security review +$record = null; if($record['account']) { authenticate_success($record['account']); if($channel_login) { diff --git a/Zotlabs/Module/Dav.php b/Zotlabs/Module/Dav.php index d506fe9f5..5cd0c9c5e 100644 --- a/Zotlabs/Module/Dav.php +++ b/Zotlabs/Module/Dav.php @@ -73,6 +73,8 @@ class Dav extends \Zotlabs\Web\Controller { if(! ($verified && $verified['header_signed'] && $verified['header_valid'])) { $record = null; } +// requires security review +$record = null; if($record['account']) { authenticate_success($record['account']); if($channel_login) { diff --git a/include/api_auth.php b/include/api_auth.php index 0818fa54b..0acd4ac68 100644 --- a/include/api_auth.php +++ b/include/api_auth.php @@ -85,7 +85,8 @@ function api_login(&$a){ else { continue; } - +// requires security review +$record = null; if($record) { $verified = \Zotlabs\Web\HTTPSig::verify('',$record['channel']['channel_pubkey']); if(! ($verified && $verified['header_signed'] && $verified['header_valid'])) { -- cgit v1.2.3