gnh1201/seeddms-code
1
0
Fork 0
mirror of https://git.code.sf.net/p/seeddms/code synced 2025-05-14 05:31:42 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

do not allow url parameter 'action' if calling Login controller

Browse Source
This commit is contained in:
Uwe Steinmann 2024-01-10 20:37:49 +01:00
parent 53bca0e294
commit 255fb59416
2 changed files with 15 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
op/op.Login.php
View File

@ -82,6 +82,7 @@ else if (isset($_GET["referuri"]) && strlen($_GET["referuri"])>0) {
add_log_line(); add_log_line();
$controller->setParam('action', 'run'); // Force action run to be called, prevents overriding action with url parameter
$controller->setParam('login', $login); $controller->setParam('login', $login);
$controller->setParam('pwd', $pwd); $controller->setParam('pwd', $pwd);
$controller->setParam('source', 'web'); $controller->setParam('source', 'web');
@ -98,6 +99,12 @@ if(!$controller()) {
} }
$user = $controller->getUser(); $user = $controller->getUser();
if(!$user) {
$session = null;
add_log_line("login failed", PEAR_LOG_ERR);
_printMessage(getMLText('login_error_text'), getMLText('login_error_text')."\n");
exit;
}
if (isset($referuri) && strlen($referuri)>0) { if (isset($referuri) && strlen($referuri)>0) {
header("Location: " . getBaseUrl() . $referuri); header("Location: " . getBaseUrl() . $referuri);

8
webdav/webdav.php
View File

@ -173,6 +173,7 @@ class HTTP_WebDAV_Server_SeedDMS extends HTTP_WebDAV_Server
$controller = Controller::factory('Login', array('dms'=>$this->dms)); $controller = Controller::factory('Login', array('dms'=>$this->dms));
$controller->setParam('authenticator', $this->authenticator); $controller->setParam('authenticator', $this->authenticator);
$controller->setParam('action', 'run');
$controller->setParam('login', $user); $controller->setParam('login', $user);
$controller->setParam('pwd', $pass); $controller->setParam('pwd', $pass);
$controller->setParam('lang', $this->settings->_language); $controller->setParam('lang', $this->settings->_language);
@ -190,6 +191,13 @@ class HTTP_WebDAV_Server_SeedDMS extends HTTP_WebDAV_Server
$this->logger->log('check_auth: type='.$type.', user='.$user.' authenticated', PEAR_LOG_INFO); $this->logger->log('check_auth: type='.$type.', user='.$user.' authenticated', PEAR_LOG_INFO);
$this->user = $controller->getUser(); $this->user = $controller->getUser();
if(!$this->user) {
if($this->logger) {
$this->logger->log($controller->getErrorMsg(), PEAR_LOG_NOTICE);
$this->logger->log('check_auth: error authenicating user '.$user, PEAR_LOG_NOTICE);
}
return false;
}
return true; return true;
} /* }}} */ } /* }}} */