www/adiumxtras.com 60:aca97ab9fd90: Fix the loggedIn check, don'...

Fri Feb 27 13:26:18 UTC 2015


details:	http://hg.adium.im/www/adiumxtras.com/rev/aca97ab9fd90
revision:	60:aca97ab9fd90
branch:		adiumxtras.com
author:		Thijs Alkemade <me at thijsalkema.de>
date:		Fri Feb 27 14:26:11 2015 +0100

Fix the loggedIn check, don't compute the HMAC for users without a cookie.

diffs (52 lines):

diff -r cb77e450f6d7 -r aca97ab9fd90 include.php
--- a/include.php	Fri Feb 27 14:16:33 2015 +0100
+++ b/include.php	Fri Feb 27 14:26:11 2015 +0100
@@ -66,7 +66,7 @@
 		$this->compile_dir = '/home/adiumx/public_html/smarty/templates_c';
 		$this->cache_dir = '/home/adiumx/public_html/smarty/cache';
 		$this->config_dir = '/home/adiumx/public_html/smarty/config';
-		$userID = validUser($_COOKIE['xtras_user'], $_COOKIE['xtras_pass']);
+		$userID = currentUID();
 		if ($userID) {
 			$this->assign("loggedIn", 1);
 			$this->assign("loggedIn_username", $_COOKIE['xtras_user']);
@@ -122,25 +122,24 @@
 function currentUID() {
 	global $sql, $CACHE;
 	if (!isset($CACHE['currentUID'])) {
-		list ($user, $token, $mac) = explode(':', $_COOKIE['xtras_pass']);
+		if (isset($_COOKIE['xtras_pass'])) {
+			list ($user, $token, $mac) = explode(':', $_COOKIE['xtras_pass'], 3);
 
-		if ($mac !== hash_hmac('sha256', $user . ':' . $token, COOKIE_SECRET_KEY)) {
-			error_log("Hash did not match");
-			return false;
-		}
+			if ($mac !== hash_hmac('sha256', $user . ':' . $token, COOKIE_SECRET_KEY)) {
+				return false;
+			}
 
-		if (base64_decode($user) !== $_COOKIE['xtras_user']) {
-			error_log("User did not match");
-			return false;
-		}
+			if (base64_decode($user) !== $_COOKIE['xtras_user']) {
+				return false;
+			}
 
-		$sql->query("SELECT user_id FROM users WHERE username='%s' AND status='Active'", $_COOKIE['xtras_user']);
+			$sql->query("SELECT user_id FROM users WHERE username='%s' AND status='Active'", $_COOKIE['xtras_user']);
 
-		if ($sql->num_rows() === 0) {
-			error_log("user_id not found");
-			return false;
-		} else {
-			$CACHE['currentUID'] = $sql->fetch_row_single();
+			if ($sql->num_rows() === 0) {
+				return false;
+			} else {
+				$CACHE['currentUID'] = $sql->fetch_row_single();
+			}
 		}
 	}
 	return $CACHE['currentUID'];
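Review bot: The added MAC check `if ($mac !== hash_hmac('sha256', $user . ':' . $token, COOKIE_SECRET_KEY))` compares the cookie's tag with an early-exit string comparison, and the new `isset($_COOKIE['xtras_pass'])` guard has no else branch, so a request without the cookie falls through to `return $CACHE['currentUID'];` with that key never set (an undefined-index notice, returning null where the other failure paths return false). The `explode(..., 3)` on the line above also yields fewer than three elements for a malformed cookie, leaving `$mac` undefined before it is compared. The rewrite below validates the part count, uses `hash_equals()` for the tag comparison (available from PHP 5.6; if the deployment is older, keep `!==` but still add the count guard), and returns false explicitly when no cookie is present; the rest of the function body is unchanged. currentUID's closing brace lies outside the hunk.
```php
	if (!isset($CACHE['currentUID'])) {
		if (isset($_COOKIE['xtras_pass'], $_COOKIE['xtras_user'])) {
			$parts = explode(':', $_COOKIE['xtras_pass'], 3);
			if (count($parts) !== 3) {
				return false;
			}
			list ($user, $token, $mac) = $parts;

			// Constant-time comparison of the cookie tag against the recomputed HMAC.
			if (!hash_equals(hash_hmac('sha256', $user . ':' . $token, COOKIE_SECRET_KEY), $mac)) {
				return false;
			}
			// … unchanged: user match, DB lookup, cache fill …
		} else {
			return false;
		}
	}
	return $CACHE['currentUID'];
```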



