mirror of
https://github.com/phpbb/phpbb.git
synced 2025-06-10 13:28:55 +00:00
636fc7fad7
After the introduction of add_form_key() and check_form_key() calls to login_box() in phpBB 3.2.6 and later, if a banned user attempts to login, they receive a "The submitted form was invalid. Try submitting again." Instead of the message indicating that they are banned, and why. This is happening because check_ban() actually calls into login_box() recursively, but after the $user->session_id has been switched to a new session ID for the logging-on user. Therefore, now that check_form_key() has been introduced to login_box(), it is impossible for check_form_key() to succeed during this recursive call. Fix is to make login_box()'s use of check_form_key() conditional on whether IN_CHECK_BAN is defined, so that the recursive call does not attempt to re-validate the form_key again. Note the form_key has already been successfully verified by the original call into login_box(), prior to calling into check_ban() and attempting to recursively call login_box(). So the protection of why check_form_key() was added is still intact with this change. PHPBB3-16066 |
||
|---|---|---|
| .. | ||
| adm | ||
| assets | ||
| bin | ||
| cache | ||
| config | ||
| develop | ||
| docs | ||
| download | ||
| ext | ||
| files | ||
| images | ||
| includes | ||
| install | ||
| language | ||
| phpbb | ||
| store | ||
| styles | ||
| .htaccess | ||
| app.php | ||
| common.php | ||
| composer.json | ||
| composer.lock | ||
| cron.php | ||
| faq.php | ||
| feed.php | ||
| index.php | ||
| mcp.php | ||
| memberlist.php | ||
| posting.php | ||
| report.php | ||
| search.php | ||
| ucp.php | ||
| viewforum.php | ||
| viewonline.php | ||
| viewtopic.php | ||
| web.config | ||