From db5f8dc6ee1f33226abdfb6468824dfa3e0b0916 Mon Sep 17 00:00:00 2001
From: Retro_Guy
Date: Tue, 30 Jul 2024 06:31:32 -0700
Subject: [PATCH] Make sure to not write anonymous username to cookies when used to post.
---
 Rocksolid_Light/rocksolid/article-flat.php | 8 ++++++--
 Rocksolid_Light/rocksolid/newsportal.php | 7 ++++++-
 Rocksolid_Light/rocksolid/post.php | 10 ++++++----
 Rocksolid_Light/spoolnews/user.php | 2 +-
 4 files changed, 19 insertions(+), 8 deletions(-)
diff --git a/Rocksolid_Light/rocksolid/article-flat.php b/Rocksolid_Light/rocksolid/article-flat.php
index 337fee8..4d729f0 100644
--- a/Rocksolid_Light/rocksolid/article-flat.php
+++ b/Rocksolid_Light/rocksolid/article-flat.php
@@ -12,8 +12,12 @@ if (! isset($_SESSION['last_access']) || (time() - $_SESSION['last_access']) > 6
 $logfile = $logdir . '/newsportal.log';
 if (isset($_COOKIE['mail_name'])) {
- if ($userdata = get_user_mail_auth_data($_COOKIE['mail_name'])) {
- $userfile = $spooldir . '/' . strtolower($_COOKIE['mail_name']) . '-articleviews.dat';
+ $cookie_mail_name = trim(strtolower($_COOKIE['mail_name']));
+ if($_COOKIE['mail_name'] == $CONFIG['anonusername']) {
+ unset($cookie_mail_name);
+ }
+ if ($userdata = get_user_mail_auth_data($cookie_mail_name)) {
+ $userfile = $spooldir . '/' . strtolower($cookie_mail_name) . '-articleviews.dat';
 }
 }
 // register parameters
diff --git a/Rocksolid_Light/rocksolid/newsportal.php b/Rocksolid_Light/rocksolid/newsportal.php
index 7358e6b..db436d8 100644
--- a/Rocksolid_Light/rocksolid/newsportal.php
+++ b/Rocksolid_Light/rocksolid/newsportal.php
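Review bot: The anonymous-user check added under `if (isset($_COOKIE['mail_name']))` compares the raw cookie with `==`, while the lookup and the file name use the trimmed, lower-cased `$cookie_mail_name`, so a cookie that differs from `$CONFIG['anonusername']` only in case or surrounding whitespace is not treated as anonymous; the guard added to `set_user_logged_in_cookies()` in newsportal.php has the same case-sensitive comparison on `$name`. When the check does match, `unset($cookie_mail_name)` leaves the next line passing an undefined variable to `get_user_mail_auth_data()`. Comparing the normalised value inside the condition avoids both: `if ($cookie_mail_name !== strtolower(trim($CONFIG['anonusername'])) && ($userdata = get_user_mail_auth_data($cookie_mail_name))) {`. Because the cookie is client-controlled and ends up in the `-articleviews.dat` path, it is worth confirming that `get_user_mail_auth_data()` (not visible here) only accepts names without path separators.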
@@ -1328,10 +1328,14 @@ function verify_logged_in($name) { function set_user_logged_in_cookies($name, $keys) { - global $debug_log; + global $debug_log, $CONFIG; $name = trim($name); $name_lc = strtolower($name); + if($name == $CONFIG['anonusername']) { + return false; + } + if( !get_user_config($name_lc, 'encryptionkey')) { $key = openssl_random_pseudo_bytes(44); set_user_config($name_lc, 'encryptionkey', base64_encode($key)); @@ -1356,6 +1360,7 @@ function set_user_logged_in_cookies($name, $keys) { document.cookie = "pkey="+pkey+"; max-age="+name_expire+"; path=/";
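Review bot: The early `return false;` added to `set_user_logged_in_cookies()` gives the function a silent refusal path, and nothing at the guard says why the anonymous account is excluded or what a caller should do with the result. A short comment above the guard would record the intent, e.g. `// Never issue login cookies for the shared anonymous posting account.` The rest of the function lies outside this hunk, so whether it otherwise returns a value, and whether existing callers test for `false`, should be checked before relying on the new return.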