From b3c805d7d0f62cf322de21f09ba066b418d8712d Mon Sep 17 00:00:00 2001
From: Waitman Gobble <waitman@waitman.net>
Date: Mon, 18 Sep 2017 06:02:14 -0500
Subject: prevent 'my_address' being set with bogus info

After a user has authenticated, it is possible to set my_address in $_SESSION to 'anything' using zid= parameter in URL - if user is authenticated then zid is never set. This change kills the authenticated switch if a person sends a new zid through for processing, which will trigger remote authentication.
---
 Zotlabs/Web/WebServer.php | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

(limited to 'Zotlabs')

diff --git a/Zotlabs/Web/WebServer.php b/Zotlabs/Web/WebServer.php
index 8431a2e0e..d517eda49 100644
--- a/Zotlabs/Web/WebServer.php
+++ b/Zotlabs/Web/WebServer.php
@@ -58,7 +58,11 @@ class WebServer {
 		if((x($_GET,'zid')) && (! \App::$install)) {
 			\App::$query_string = strip_zids(\App::$query_string);
 			if(! local_channel()) {
-				$_SESSION['my_address'] = $_GET['zid'];
+                                if ($_SESSION['my_address']!=$_GET['zid'])
+                                {
+                                        $_SESSION['my_address'] = $_GET['zid'];
+                                        $_SESSION['authenticated'] = 0;
+                                }
 				zid_init();
 			}
 		}
-- 
cgit v1.2.3