(parent:
093b58d
)
login/post: ignore ?login override for non user admins
author
Mischa POSLAWSKY
<perl@shiar.org>
Thu, 24 Oct 2019 19:47:33 +0000
(21:47 +0200)
committer
Mischa POSLAWSKY
<perl@shiar.org>
Thu, 24 Oct 2019 19:51:18 +0000
(21:51 +0200)
Confidential data was not secure from people who acquired these urls.
login/post/index.php
diff --git
a/login/post/index.php
b/login/post/index.php
index 2f6a9f93b123a0d89ac4b414852c426349b7d940..e491e357b53c10090a8abef52ca2ab22441dc823 100644
(file)
--- a/
login/post/index.php
+++ b/
login/post/index.php
@@
-1,7
+1,7
@@
<?php
$body = ob_get_clean();
-if ($username = @$_REQUEST['login']) {
+if ($
User->admin('user') and $
username = @$_REQUEST['login']) {
try {
$user = new User("profile/$username");
}