mirror/php-phpbb
1
0
Fork 0
mirror of https://github.com/phpbb/phpbb.git synced 2025-02-24 20:13:22 +01:00
Code Issues Releases Wiki Activity

[ticket/13234-2] Never allow autologin/remember me to modify the userid

Browse Source 
Ascraeus version of 64d97d0787a63b3c646f89237574ac566ed89c50 commit

PHPBB3-13234
This commit is contained in:
Nils Adermann 2014-10-27 19:57:53 -07:00
parent e1277c26ca
commit 3472b6c5bc
1 changed files with 38 additions and 29 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

45
phpBB/phpbb/session.php
View File

@ -577,26 +577,15 @@ class session
}
}
if ($user_id !== false && !sizeof($this->data))
{
$this->cookie_data['k'] = '';
$this->cookie_data['u'] = $user_id;
$sql = 'SELECT *
FROM ' . USERS_TABLE . '
WHERE user_id = ' . (int) $this->cookie_data['u'] . '
AND user_type IN (' . USER_NORMAL . ', ' . USER_FOUNDER . ')';
$result = $db->sql_query($sql);
$this->data = $db->sql_fetchrow($result);
$db->sql_freeresult($result);
$bot = false;
}
else if (!$bot)
{
$provider_collection = $phpbb_container->get('auth.provider_collection');
$provider = $provider_collection->get_provider();
$this->data = $provider->autologin();
if ($user_id !== false && sizeof($this->data) && $this->data['user_id'] != $user_id)
{
$this->data = array();
}
if (sizeof($this->data))
{
$this->cookie_data['k'] = '';
@ -614,11 +603,31 @@ class session
AND k.user_id = u.user_id
AND k.key_id = '" . $db->sql_escape(md5($this->cookie_data['k'])) . "'";
$result = $db->sql_query($sql);
$user_data = $db->sql_fetchrow($result);
if ($user_id === false || $user_id == $user_data['user_id'])
{
$this->data = $user_data;
$bot = false;
}
$db->sql_freeresult($result);
}
if ($user_id !== false && !sizeof($this->data))
{
$this->cookie_data['k'] = '';
$this->cookie_data['u'] = $user_id;
$sql = 'SELECT *
FROM ' . USERS_TABLE . '
WHERE user_id = ' . (int) $this->cookie_data['u'] . '
AND user_type IN (' . USER_NORMAL . ', ' . USER_FOUNDER . ')';
$result = $db->sql_query($sql);
$this->data = $db->sql_fetchrow($result);
$db->sql_freeresult($result);
$bot = false;
}
}
// Bot user, if they have a SID in the Request URI we need to get rid of it
// otherwise they'll index this page with the SID, duplicate content oh my!
@ -926,7 +935,7 @@ class session
}
// Reset the data array
$this->data = array();
$this->data = false;
$sql = 'SELECT *
FROM ' . USERS_TABLE . '