do not allow url parameter 'action' if calling Login controller

2024-11-26 15:32:13 +00:00 · 2024-01-10 20:37:49 +01:00 · 2024-01-10 20:37:49 +01:00 · 255fb59416
commit 255fb59416
parent 53bca0e294
2 changed files with 15 additions and 0 deletions
--- a/op/op.Login.php
+++ b/op/op.Login.php
@ -82,6 +82,7 @@ else if (isset($_GET["referuri"]) && strlen($_GET["referuri"])>0) {

 add_log_line();

+$controller->setParam('action', 'run'); // Force action run to be called, prevents overriding action with url parameter
 $controller->setParam('login', $login);
 $controller->setParam('pwd', $pwd);
 $controller->setParam('source', 'web');
@ -98,6 +99,12 @@ if(!$controller()) {
 }

 $user = $controller->getUser();
+if(!$user) {
+	$session = null;
+	add_log_line("login failed", PEAR_LOG_ERR);
+	_printMessage(getMLText('login_error_text'), getMLText('login_error_text')."\n");
+	exit;
+}

 if (isset($referuri) && strlen($referuri)>0) {
 	header("Location: " . getBaseUrl() . $referuri);
--- a/webdav/webdav.php
+++ b/webdav/webdav.php
@ -173,6 +173,7 @@ class HTTP_WebDAV_Server_SeedDMS extends HTTP_WebDAV_Server

 		$controller = Controller::factory('Login', array('dms'=>$this->dms));
 		$controller->setParam('authenticator', $this->authenticator);
+		$controller->setParam('action', 'run');
 		$controller->setParam('login', $user);
 		$controller->setParam('pwd', $pass);
 		$controller->setParam('lang', $this->settings->_language);
@ -190,6 +191,13 @@ class HTTP_WebDAV_Server_SeedDMS extends HTTP_WebDAV_Server
 			$this->logger->log('check_auth: type='.$type.', user='.$user.' authenticated', PEAR_LOG_INFO);

 		$this->user = $controller->getUser();
+		if(!$this->user) {
+			if($this->logger) {
+				$this->logger->log($controller->getErrorMsg(), PEAR_LOG_NOTICE);
+				$this->logger->log('check_auth: error authenicating user '.$user, PEAR_LOG_NOTICE);
+			}
+			return false;
+		}

 		return true;
 	} /* }}} */