Make sure to not write anonymous username to cookies when used to post.

Retro_Guy 2024-07-30 06:31:32 -07:00
parent e9f7e2861e
commit db5f8dc6ee
4 changed files with 19 additions and 8 deletions


@ -12,8 +12,12 @@ if (! isset($_SESSION['last_access']) || (time() - $_SESSION['last_access']) > 6
$logfile = $logdir . '/newsportal.log';
if (isset($_COOKIE['mail_name'])) {
if ($userdata = get_user_mail_auth_data($_COOKIE['mail_name'])) {
$userfile = $spooldir . '/' . strtolower($_COOKIE['mail_name']) . '-articleviews.dat';
$cookie_mail_name = trim(strtolower($_COOKIE['mail_name']));
if($_COOKIE['mail_name'] == $CONFIG['anonusername']) {
unset($cookie_mail_name);
}
if ($userdata = get_user_mail_auth_data($cookie_mail_name)) {
$userfile = $spooldir . '/' . strtolower($cookie_mail_name) . '-articleviews.dat';
}
}
// register parameters
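Review bot: The anonymous check `if($_COOKIE['mail_name'] == $CONFIG['anonusername'])` compares the raw cookie, while the lookup below it uses the trimmed, lower-cased `$cookie_mail_name`, so a cookie that differs from the configured name only in case or surrounding whitespace skips the check and is still looked up under the normalised name. After `unset($cookie_mail_name)` the next line also passes an undefined variable to `get_user_mail_auth_data()`, which raises a warning and relies on that helper rejecting null. Comparing the normalised value inside the condition avoids both: `if ($cookie_mail_name !== strtolower(trim($CONFIG['anonusername'])) && ($userdata = get_user_mail_auth_data($cookie_mail_name))) {`. The same raw comparison appears in `set_user_logged_in_cookies` (`if($name == $CONFIG['anonusername'])`), where `$name_lc` is already available. Because the cookie value also ends up in the `$userfile` path, it is worth confirming that `get_user_mail_auth_data()` rejects names containing path separators; that helper is not visible here.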


@ -1328,10 +1328,14 @@ function verify_logged_in($name) {
function set_user_logged_in_cookies($name, $keys) {
global $debug_log;
global $debug_log, $CONFIG;
$name = trim($name);
$name_lc = strtolower($name);
if($name == $CONFIG['anonusername']) {
return false;
}
if( !get_user_config($name_lc, 'encryptionkey')) {
$key = openssl_random_pseudo_bytes(44);
set_user_config($name_lc, 'encryptionkey', base64_encode($key));
@ -1356,6 +1360,7 @@ function set_user_logged_in_cookies($name, $keys) {
document.cookie = "pkey="+pkey+"; max-age="+name_expire+"; path=/";
</script>
<?php
return true;
}
function check_bbs_auth($username, $password, $sockip = null)
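Review bot: `set_user_logged_in_cookies` now returns a boolean that callers branch on, but nothing on the function states that contract. A short comment above the signature would do, for example `// Returns false and emits no cookie script when $name is the anonymous posting account; returns true once the cookie script has been written.` The body between the two hunks is not visible, so any other exit paths there should be checked to return a boolean as well.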


@ -222,13 +222,15 @@ if ($type == "post") {
} else {
$_SESSION['pass'] = true;
$logged_in = true;
set_user_logged_in_cookies($name, $keys);
file_put_contents($auth_log, "\n" . logging_prefix() . " SET AUTH COOKIES for: " . $name, FILE_APPEND);
if (set_user_logged_in_cookies($name, $keys)) {
file_put_contents($auth_log, "\n" . logging_prefix() . " SET AUTH COOKIES for: " . $name, FILE_APPEND);
}
}
} else {
// Update cookie times to stay logged in
set_user_logged_in_cookies($name, $keys);
file_put_contents($auth_log, "\n" . logging_prefix() . " UPDATED AUTH COOKIES for: " . $name, FILE_APPEND);
if (set_user_logged_in_cookies($name, $keys)) {
file_put_contents($auth_log, "\n" . logging_prefix() . " UPDATED AUTH COOKIES for: " . $name, FILE_APPEND);
}
}
}
// Check that user has not been recently banned
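Review bot: When `set_user_logged_in_cookies()` returns false, both call sites in this hunk now write nothing to `$auth_log`, so the log cannot distinguish a post under the anonymous name from a request that never reached this code. An `else` branch that records the skip keeps the audit trail complete, e.g. `} else { file_put_contents($auth_log, "\n" . logging_prefix() . " SKIPPED AUTH COOKIES for anonymous poster", FILE_APPEND); }`. In the first branch `$_SESSION['pass']` and `$logged_in` are still set before the call, which looks intended for anonymous posting but is worth confirming.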


@ -85,7 +85,7 @@ if(!$logged_in) {
if ($ip_pass) {
$_SESSION['pass'] = true;
}
set_user_logged_in_cookies($name, $keys);
set_user_logged_in_cookies(trim($_POST['username']), $keys);
$logged_in = true;
} else {
echo 'Authentication Required';
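Review bot: The call now passes `trim($_POST['username'])` instead of `$name`, so the cookies are keyed to the raw request field rather than to the value that was authenticated. The assignment of `$name` is outside this hunk, so if it applies any further normalisation the two can differ. Passing `$name` keeps the cookie identity tied to the checked one. The return value is also ignored here, unlike in the posting script, so `$logged_in = true` is set even when the function refuses the anonymous name. If that is intended, a comment saying so would help; otherwise use `if (set_user_logged_in_cookies($name, $keys)) { $logged_in = true; }`. If the field can be absent on this path, `trim($_POST['username'])` also receives null, so it should be guarded with `isset` or `?? ''`.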