Defend against empty session names
If misconfiguration has resulted in an empty session name, treat the session as having not signed in.master
parent
31c89db246
commit
26ded17653
|
@ -146,7 +146,7 @@ sub needsignin ($$) {
|
||||||
my $q=shift;
|
my $q=shift;
|
||||||
my $session=shift;
|
my $session=shift;
|
||||||
|
|
||||||
if (! defined $session->param("name") ||
|
if (! length $session->param("name") ||
|
||||||
! userinfo_get($session->param("name"), "regdate")) {
|
! userinfo_get($session->param("name"), "regdate")) {
|
||||||
$session->param(postsignin => $q->query_string);
|
$session->param(postsignin => $q->query_string);
|
||||||
cgi_signin($q, $session);
|
cgi_signin($q, $session);
|
||||||
|
@ -391,7 +391,7 @@ sub checksessionexpiry ($$) {
|
||||||
|
|
||||||
if (defined $session->param("name")) {
|
if (defined $session->param("name")) {
|
||||||
my $sid=$q->param('sid');
|
my $sid=$q->param('sid');
|
||||||
if (! defined $sid || $sid ne $session->id) {
|
if (! defined $sid || $sid ne $session->id || ! length $session->param("name")) {
|
||||||
error(gettext("Your login session has expired."));
|
error(gettext("Your login session has expired."));
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -444,11 +444,11 @@ sub cgi (;$$) {
|
||||||
}
|
}
|
||||||
|
|
||||||
# Auth hooks can sign a user in.
|
# Auth hooks can sign a user in.
|
||||||
if ($do ne 'signin' && ! defined $session->param("name")) {
|
if ($do ne 'signin' && ! length $session->param("name")) {
|
||||||
run_hooks(auth => sub {
|
run_hooks(auth => sub {
|
||||||
shift->($q, $session)
|
shift->($q, $session)
|
||||||
});
|
});
|
||||||
if (defined $session->param("name")) {
|
if (length $session->param("name")) {
|
||||||
# Make sure whatever user was authed is in the
|
# Make sure whatever user was authed is in the
|
||||||
# userinfo db.
|
# userinfo db.
|
||||||
if (! userinfo_get($session->param("name"), "regdate")) {
|
if (! userinfo_get($session->param("name"), "regdate")) {
|
||||||
|
|
Loading…
Reference in New Issue