From 636fc7fad7dcb61622f23b36141b87ee13a1090d Mon Sep 17 00:00:00 2001 From: EA117 Date: Sun, 28 Jul 2019 12:25:54 -0500 Subject: [PATCH] [ticket/16066] Fix FORM_INVALID always returned for banned user. After the introduction of add_form_key() and check_form_key() calls to login_box() in phpBB 3.2.6 and later, if a banned user attempts to login, they receive a "The submitted form was invalid. Try submitting again." Instead of the message indicating that they are banned, and why. This is happening because check_ban() actually calls into login_box() recursively, but after the $user->session_id has been switched to a new session ID for the logging-on user. Therefore, now that check_form_key() has been introduced to login_box(), it is impossible for check_form_key() to succeed during this recursive call. Fix is to make login_box()'s use of check_form_key() conditional on whether IN_CHECK_BAN is defined, so that the recursive call does not attempt to re-validate the form_key again. Note the form_key has already been successfully verified by the original call into login_box(), prior to calling into check_ban() and attempting to recursively call login_box(). So the protection of why check_form_key() was added is still intact with this change. PHPBB3-16066 --- phpBB/includes/functions.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/phpBB/includes/functions.php b/phpBB/includes/functions.php index 5cc6826cb9..7b48ca9333 100644 --- a/phpBB/includes/functions.php +++ b/phpBB/includes/functions.php @@ -2364,7 +2364,7 @@ function login_box($redirect = '', $l_explain = '', $l_success = '', $admin = fa } // Check form key - if ($password && !check_form_key($form_name)) + if ($password && !defined('IN_CHECK_BAN') && !check_form_key($form_name)) { $result = array( 'status' => false,