From 7410bbdb2e82bf5f1d69c199b1c3d7074954d5f3 Mon Sep 17 00:00:00 2001
From: Retro_Guy
Date: Wed, 12 Jan 2022 23:44:35 +0000
Subject: [PATCH] Add key in cookies to verify non-logged in user
---
 Rocksolid_Light/rocksolid/newsportal.php | 18 +++++++++++-------
 Rocksolid_Light/spoolnews/user.php | 4 ++++
 2 files changed, 15 insertions(+), 7 deletions(-)
diff --git a/Rocksolid_Light/rocksolid/newsportal.php b/Rocksolid_Light/rocksolid/newsportal.php
index e830b1b..be05f06 100644
--- a/Rocksolid_Light/rocksolid/newsportal.php
+++ b/Rocksolid_Light/rocksolid/newsportal.php
@@ -571,6 +571,16 @@ function groups_show($gruppen) {
 echo 'LatestNewsgroupMessagesLast Message';
 $subs = array();
 $nonsubs = array();
+ $user = null;
+ $pkey_config = get_user_config(strtolower($_COOKIE['mail_name']), "pkey");
+ $pkey_cookie = $_COOKIE['pkey'];
+ if(isset($_COOKIE['mail_name'])) {
+ if($pkey_config == $pkey_cookie) {
+ $user = strtolower($_COOKIE['mail_name']);
+ $userfile=$spooldir.'/'.$user.'-articleviews.dat';
+ $userdata = unserialize(file_get_contents($userfile));
+ }
+ }
 for($i = 0 ; $i < $c ; $i++) {
 unset($groupdisplay);
 $g = $gruppen[$i];
@@ -582,12 +592,6 @@ function groups_show($gruppen) {
 if($acttype!="group") {
 $acttype="group";
 }
- $user = null;
- if(isset($_COOKIE['mail_name'])) {
- $user = strtolower($_COOKIE['mail_name']);
- $userfile=$spooldir.'/'.$user.'-articleviews.dat';
- $userdata = unserialize(file_get_contents($userfile));
- }
 /* Display group name and description */
 if(isset($userdata[$g->name])) {
 $lineclass="np_thread_line2";
@@ -1208,7 +1212,7 @@ function get_user_config($username,$request) {
 $userdataline=$buffer;
 fclose($userFileHandle);
 $userdatafound = explode(':',$userdataline);
- return $userdatafound[1];
+ return trim($userdatafound[1]);
 }
 }
 fclose($userFileHandle);
diff --git a/Rocksolid_Light/spoolnews/user.php b/Rocksolid_Light/spoolnews/user.php
index 4ef9f1d..70ff998 100644
--- a/Rocksolid_Light/spoolnews/user.php
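Review bot: The new cookie check in groups_show() compares with loose `==` and reads `$_COOKIE['mail_name']` and `$_COOKIE['pkey']` before the `isset()` guard, so a request without a `pkey` cookie for an account with no stored `pkey` may compare two empty values as equal (what get_user_config() returns on a miss is not visible here, so confirm). Move both reads inside the `isset($_COOKIE['mail_name'])` branch and require non-empty strings compared in constant time, e.g. `if (is_string($pkey_cookie) && is_string($pkey_config) && $pkey_config !== '' && hash_equals($pkey_config, $pkey_cookie)) {`. `$user` still flows from the cookie into the `-articleviews.dat` path and on into `unserialize()`, so restrict it to the account-name character set before building `$userfile`. The stored value is set in user.php as `hash('crc32', ...)` of the encryption key, which is only 32 bits wide and fixed per account; a per-login `bin2hex(random_bytes(16))` token would be a stronger verifier.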
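Review bot: `explode(':',$userdataline)` in get_user_config() has no limit, so the returned `$userdatafound[1]` is only the text up to the next colon and a stored value that itself contains ':' comes back truncated; `explode(':', $userdataline, 2)` keeps the whole value. The added `trim()` is what allows the cookie comparison in groups_show() to match, presumably because the line read keeps its trailing newline, and a short comment such as `// strip line ending so stored values compare equal to cookie values` would record that. The function starts and ends outside this hunk.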
+++ b/Rocksolid_Light/spoolnews/user.php
@@ -40,6 +40,8 @@ include "head.inc";
 } else {
 if(check_bbs_auth($_POST['username'], $_POST['password'])) {
 $authkey = password_hash($_POST['username'].$keys[0].get_user_config($_POST['username'],'encryptionkey'), PASSWORD_DEFAULT);
+ $pkey = hash('crc32', get_user_config($_POST['username'],'encryptionkey'));
+ set_user_config(strtolower($_POST['username']), "pkey", $pkey);
 ?>