From b5a0bb1d0fefe3b8f3ae6fc7cf9713e60cefcfe2 Mon Sep 17 00:00:00 2001 From: Marco Dickert Date: Sun, 5 Mar 2017 22:26:50 +0100 Subject: [PATCH] fixed use of undefined index when checking for authentication --- ifm.php | 26 ++++++++++++++------------ src/main.php | 26 ++++++++++++++------------ 2 files changed, 28 insertions(+), 24 deletions(-) diff --git a/ifm.php b/ifm.php index 9d12ce3..6e0dbfa 100644 --- a/ifm.php +++ b/ifm.php @@ -1757,10 +1757,10 @@ ifm.init(); */ public function checkAuth() { - if(IFMConfig::auth == 1 && $_SESSION['auth'] !== true) { + if( IFMConfig::auth == 1 && ( ! isset( $_SESSION['auth'] ) || $_SESSION['auth'] !== true ) ) { $login_failed = false; - if(isset($_POST["user"]) && isset($_POST["pass"])) { - if($this->checkCredentials($_POST["user"], $_POST["pass"])) { + if( isset( $_POST["user"] ) && isset( $_POST["pass"] ) ) { + if( $this->checkCredentials( $_POST["user"], $_POST["pass"] ) ) { $_SESSION['auth'] = true; } else { @@ -1769,16 +1769,18 @@ ifm.init(); } } - if($_SESSION['auth'] !== true) { - if(isset($_POST["api"]) && $login_failed === true) - echo json_encode(array("status"=>"ERROR", "message"=>"authentication failed")); - elseif(isset($_POST["api"]) && $login_failed !== true) - echo json_encode(array("status"=>"ERROR", "message"=>"not authenticated")); - else - $this->loginForm($login_failed); - return false; - } else { + if( isset( $_SESSION['auth'] ) && $_SESSION['auth'] === true ) { return true; + } else { + if( isset( $_POST["api"] ) ) { + if( $login_failed === true ) + echo json_encode( array( "status"=>"ERROR", "message"=>"authentication failed" ) ); + else + echo json_encode( array( "status"=>"ERROR", "message"=>"not authenticated" ) ); + } else { + $this->loginForm($login_failed); + } + return false; } } else { return true; diff --git a/src/main.php b/src/main.php index eee05b7..41574d7 100644 --- a/src/main.php +++ b/src/main.php 
@@ -596,10 +596,10 @@ class IFM { */ public function checkAuth() { - if(IFMConfig::auth == 1 && $_SESSION['auth'] !== true) { + if( IFMConfig::auth == 1 && ( ! isset( $_SESSION['auth'] ) || $_SESSION['auth'] !== true ) ) { $login_failed = false; - if(isset($_POST["user"]) && isset($_POST["pass"])) { - if($this->checkCredentials($_POST["user"], $_POST["pass"])) { + if( isset( $_POST["user"] ) && isset( $_POST["pass"] ) ) { + if( $this->checkCredentials( $_POST["user"], $_POST["pass"] ) ) { $_SESSION['auth'] = true; } else { @@ -608,16 +608,18 @@ class IFM { } } - if($_SESSION['auth'] !== true) { - if(isset($_POST["api"]) && $login_failed === true) - echo json_encode(array("status"=>"ERROR", "message"=>"authentication failed")); - elseif(isset($_POST["api"]) && $login_failed !== true) - echo json_encode(array("status"=>"ERROR", "message"=>"not authenticated")); - else - $this->loginForm($login_failed); - return false; - } else { + if( isset( $_SESSION['auth'] ) && $_SESSION['auth'] === true ) { return true; + } else { + if( isset( $_POST["api"] ) ) { + if( $login_failed === true ) + echo json_encode( array( "status"=>"ERROR", "message"=>"authentication failed" ) ); + else + echo json_encode( array( "status"=>"ERROR", "message"=>"not authenticated" ) ); + } else { + $this->loginForm($login_failed); + } + return false; } } else { return true;
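Review bot: The success branch sets `$_SESSION['auth'] = true;` on the session id the client already presented, and nothing visible in this hunk rotates it, which leaves the login open to session fixation. Calling `session_regenerate_id(true);` immediately before that assignment closes this, unless the id is already rotated somewhere outside the hunk. `$_POST["user"]` and `$_POST["pass"]` are also passed to checkCredentials() with only an isset() check, so array-valued fields reach it; an `is_string()` guard on both would keep the comparison inside checkCredentials() (not shown here) on known types. The same lines appear in ifm.php, which looks like the bundled copy of this file. checkAuth()'s body continues past the end of the hunk.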
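Review bot: The two `echo json_encode(...)` failure branches in the new `else` block send their error without changing the response status, so a rejected API call is presumably still answered with HTTP 200 unless a status is set elsewhere. Adding `http_response_code(401);` before the inner `if( $login_failed === true )` lets clients, proxies and log-based alerting see the failure without parsing the body. The `$login_failed === true` branch is also where a failed attempt could be logged for detection; nothing in the hunk records it. checkAuth() only returns false here, so access is actually denied only if every caller stops on that result, and those call sites, like the start of the function, are outside this hunk.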