Difuse/luci
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

libs/web: Add an additional sanity check to Session IDs

Browse source
This commit is contained in:
Steven Barth 2008-08-11 09:59:44 +00:00
parent 4bb4304974
commit 673b4e1698
1 changed files with 2 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
libs/web/luasrc/dispatcher.lua
View file

@ -172,7 +172,8 @@ function dispatch(request)
local authen = authenticator[track.sysauth_authenticator] local authen = authenticator[track.sysauth_authenticator]
local def = (type(track.sysauth) == "string") and track.sysauth local def = (type(track.sysauth) == "string") and track.sysauth
local accs = def and {track.sysauth} or track.sysauth local accs = def and {track.sysauth} or track.sysauth
local user = luci.sauth.read(luci.http.getcookie("sysauth")) local sess = luci.http.getcookie("sysauth"):match("^[A-F0-9]+$")
local user = luci.sauth.read(sess)
if not luci.util.contains(accs, user) then if not luci.util.contains(accs, user) then
if authen then if authen then