mirror of
https://github.com/phpbb/phpbb.git
synced 2025-06-08 04:18:52 +00:00
636fc7fad7
After the introduction of add_form_key() and check_form_key() calls to login_box() in phpBB 3.2.6 and later, if a banned user attempts to login, they receive a "The submitted form was invalid. Try submitting again." Instead of the message indicating that they are banned, and why. This is happening because check_ban() actually calls into login_box() recursively, but after the $user->session_id has been switched to a new session ID for the logging-on user. Therefore, now that check_form_key() has been introduced to login_box(), it is impossible for check_form_key() to succeed during this recursive call. Fix is to make login_box()'s use of check_form_key() conditional on whether IN_CHECK_BAN is defined, so that the recursive call does not attempt to re-validate the form_key again. Note the form_key has already been successfully verified by the original call into login_box(), prior to calling into check_ban() and attempting to recursively call login_box(). So the protection of why check_form_key() was added is still intact with this change. PHPBB3-16066 |
||
|---|---|---|
| .. | ||
| acp | ||
| diff | ||
| hooks | ||
| mcp | ||
| questionnaire | ||
| ucp | ||
| utf | ||
| .htaccess | ||
| bbcode.php | ||
| compatibility_globals.php | ||
| constants.php | ||
| functions.php | ||
| functions_acp.php | ||
| functions_admin.php | ||
| functions_compatibility.php | ||
| functions_compress.php | ||
| functions_content.php | ||
| functions_convert.php | ||
| functions_database_helper.php | ||
| functions_display.php | ||
| functions_download.php | ||
| functions_jabber.php | ||
| functions_mcp.php | ||
| functions_messenger.php | ||
| functions_module.php | ||
| functions_posting.php | ||
| functions_privmsgs.php | ||
| functions_transfer.php | ||
| functions_user.php | ||
| index.htm | ||
| message_parser.php | ||
| sphinxapi.php | ||
| startup.php | ||