From 64d97d0787a63b3c646f89237574ac566ed89c50 Mon Sep 17 00:00:00 2001 From: Nils Adermann Date: Mon, 27 Oct 2014 19:55:56 -0700 Subject: [PATCH 1/2] [ticket/13234] Never allow autologin/remember me to modify the userid This prevents admin relogin with forced user id from overwriting remember me cookies PHPBB3-13234 --- phpBB/includes/session.php | 71 +++++++++++++++++++++----------------- 1 file changed, 40 insertions(+), 31 deletions(-) diff --git a/phpBB/includes/session.php b/phpBB/includes/session.php index 4c13a4f558..fcc6745021 100644 --- a/phpBB/includes/session.php +++ b/phpBB/includes/session.php @@ -553,6 +553,45 @@ class session $method = basename(trim($config['auth_method'])); include_once($phpbb_root_path . 'includes/auth/auth_' . $method . '.' . $phpEx); + $method = 'autologin_' . $method; + if (function_exists($method)) + { + $user_data = $method(); + + if ($user_id === false || (isset($user_data['user_id']) && $user_id = $user_data['user_id'])) + { + $this->data = $user_data; + } + + if (sizeof($this->data)) + { + $this->cookie_data['k'] = ''; + $this->cookie_data['u'] = $this->data['user_id']; + } + } + + // If we're presented with an autologin key we'll join against it. + // Else if we've been passed a user_id we'll grab data based on that + if (isset($this->cookie_data['k']) && $this->cookie_data['k'] && $this->cookie_data['u'] && !sizeof($this->data)) + { + $sql = 'SELECT u.* + FROM ' . USERS_TABLE . ' u, ' . SESSIONS_KEYS_TABLE . ' k + WHERE u.user_id = ' . (int) $this->cookie_data['u'] . ' + AND u.user_type IN (' . USER_NORMAL . ', ' . USER_FOUNDER . ") + AND k.user_id = u.user_id + AND k.key_id = '" . $db->sql_escape(md5($this->cookie_data['k'])) . "'"; + $result = $db->sql_query($sql); + $user_data = $db->sql_fetchrow($result); + + if ($user_id === false || (isset($user_data['user_id']) && $user_id = $user_data['user_id'])) + { + $this->data = $user_data; + $bot = false; + } + + $db->sql_freeresult($result); + } + if ($user_id !== false && !sizeof($this->data)) { $this->cookie_data['k'] = ''; @@ -567,36 +606,6 @@ class session $db->sql_freeresult($result); $bot = false; } - else if (!$bot) - { - $method = 'autologin_' . $method; - if (function_exists($method)) - { - $this->data = $method(); - - if (sizeof($this->data)) - { - $this->cookie_data['k'] = ''; - $this->cookie_data['u'] = $this->data['user_id']; - } - } - - // If we're presented with an autologin key we'll join against it. - // Else if we've been passed a user_id we'll grab data based on that - if (isset($this->cookie_data['k']) && $this->cookie_data['k'] && $this->cookie_data['u'] && !sizeof($this->data)) - { - $sql = 'SELECT u.* - FROM ' . USERS_TABLE . ' u, ' . SESSIONS_KEYS_TABLE . ' k - WHERE u.user_id = ' . (int) $this->cookie_data['u'] . ' - AND u.user_type IN (' . USER_NORMAL . ', ' . USER_FOUNDER . ") - AND k.user_id = u.user_id - AND k.key_id = '" . $db->sql_escape(md5($this->cookie_data['k'])) . "'"; - $result = $db->sql_query($sql); - $this->data = $db->sql_fetchrow($result); - $db->sql_freeresult($result); - $bot = false; - } - } // Bot user, if they have a SID in the Request URI we need to get rid of it // otherwise they'll index this page with the SID, duplicate content oh my! @@ -2459,4 +2468,4 @@ class user extends session } } -?> \ No newline at end of file +?> From fcc320e3852215a11b863d0108e16e2be998d5cc Mon Sep 17 00:00:00 2001 From: Tristan Darricau Date: Tue, 28 Oct 2014 10:14:47 +0100 Subject: [PATCH 2/2] [ticket/13234] Fix conditions and CS PHPBB3-13234 --- phpBB/includes/session.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/phpBB/includes/session.php b/phpBB/includes/session.php index fcc6745021..5b2c4f0b0d 100644 --- a/phpBB/includes/session.php +++ b/phpBB/includes/session.php @@ -558,7 +558,7 @@ class session { $user_data = $method(); - if ($user_id === false || (isset($user_data['user_id']) && $user_id = $user_data['user_id'])) + if ($user_id === false || (isset($user_data['user_id']) && $user_id == $user_data['user_id'])) { $this->data = $user_data; } @@ -583,7 +583,7 @@ class session $result = $db->sql_query($sql); $user_data = $db->sql_fetchrow($result); - if ($user_id === false || (isset($user_data['user_id']) && $user_id = $user_data['user_id'])) + if ($user_id === false || (isset($user_data['user_id']) && $user_id == $user_data['user_id'])) { $this->data = $user_data; $bot = false;