prevent 'my_address' being set with bogus info
After a user has authenticated, it is possible to set my_address in $_SESSION to anything using the zid= parameter in the URL - if the user is authenticated then zid is never set. This change kills the authenticated switch if a person sends a new zid through for processing, which will trigger remote authentication.
This commit is contained in:
parent
5c379b4d35
commit
b3c805d7d0
1 changed files with 5 additions and 1 deletions
@ -58,7 +58,11 @@ class WebServer {
if((x($_GET,'zid')) && (! \App::$install)) {
\App::$query_string = strip_zids(\App::$query_string);
if(! local_channel()) {
$_SESSION['my_address'] = $_GET['zid'];
if ($_SESSION['my_address']!=$_GET['zid'])
{
$_SESSION['my_address'] = $_GET['zid'];
$_SESSION['authenticated'] = 0;
}
zid_init();
}
}
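Review bot: The new comparison `if ($_SESSION['my_address']!=$_GET['zid'])` reads `$_SESSION['my_address']` before anything in the hunk guarantees it is set, so a session that has never carried a zid hits an undefined-index notice on that line, and the loose `!=` lets numeric-looking zids compare equal when they are not the same string; guard the read with the file's own `x()` helper and compare strictly: `if ((! x($_SESSION,'my_address')) || ($_SESSION['my_address'] !== $_GET['zid']))`. The value stored in the session is still the raw `$_GET['zid']`, so the protection rests on `zid_init()` validating it during remote authentication, which I cannot see from here; if it does not, a format check on the address before the assignment would keep arbitrary strings out of `my_address`. The enclosing method of `WebServer` starts and ends outside the hunk.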