From b3c805d7d0f62cf322de21f09ba066b418d8712d Mon Sep 17 00:00:00 2001
From: Waitman Gobble
Date: Mon, 18 Sep 2017 06:02:14 -0500
Subject: prevent 'my_address' being set with bogus info

After a user has authenticated, it is possible to set my_address in $_SESSION to 'anything' using zid= parameter in URL - if user is authenticated then zid is never set. This change kills the authenticated switch if a person sends a new zid through for processing, which will trigger remote authentication.
---
 Zotlabs/Web/WebServer.php | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

(limited to 'Zotlabs/Web/WebServer.php')

diff --git a/Zotlabs/Web/WebServer.php b/Zotlabs/Web/WebServer.php
index 8431a2e0e..d517eda49 100644
--- a/Zotlabs/Web/WebServer.php
+++ b/Zotlabs/Web/WebServer.php
@@ -58,7 +58,11 @@ class WebServer {
 if((x($_GET,'zid')) && (! \App::$install)) {
 \App::$query_string = strip_zids(\App::$query_string);
 if(! local_channel()) {
- $_SESSION['my_address'] = $_GET['zid'];
+ if ($_SESSION['my_address']!=$_GET['zid'])
+ {
+ $_SESSION['my_address'] = $_GET['zid'];
+ $_SESSION['authenticated'] = 0;
+ }
 zid_init();
 }
 }
-- 
cgit v1.2.3
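Review bot: The new guard reads `$_SESSION['my_address']` without checking it exists, so a visitor whose session has no address yet (the common first-visit case for a remote user) triggers an undefined-index notice, and the loose `!=` lets PHP's type juggling decide whether two zids are "equal". Both are fixed by `if (($_SESSION['my_address'] ?? null) !== $_GET['zid']) {`, which also keeps the brace on the same line as the surrounding code rather than on its own line as the added block does. Note that `$_GET['zid']` is still copied into the session verbatim; whether `zid_init()` validates it as a well-formed address is not visible from this hunk and is worth confirming, since the commit message describes exactly this value as attacker-chosen. The enclosing method of `WebServer` begins and ends outside the hunk.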