use random session key

This commit is contained in:
Roland Gruber 2019-05-23 22:09:05 +02:00
parent 5989df4a43
commit 5a9c4660e1
3 changed files with 24 additions and 11 deletions


@ -1314,7 +1314,7 @@ class accountContainer {
$passwordButton = new htmlButton('accountContainerPassword', _('Set password'));
$passwordButton->setIconClass('passwordButton');
$passwordButton->setOnClick('passwordShowChangeDialog(\'' . _('Set password') . '\', \'' . _('Ok') . '\', \''
. _('Cancel') . '\', \'' . _('Set random password') . '\', \'../misc/ajax.php?function=passwordChange\',\''
. _('Cancel') . '\', \'' . _('Set random password') . '\', \'../misc/ajax.php?function=passwordChange&editKey=' . htmlspecialchars($this->base) . '\',\''
. getSecurityTokenName() . '\',\'' . getSecurityTokenValue() . '\');');
$leftButtonGroup->addElement($passwordButton);
}
@ -1369,7 +1369,7 @@ class accountContainer {
jQuery("#inputForm").validationEngine();
});
</script>';
echo "<form id=\"inputForm\" enctype=\"multipart/form-data\" action=\"edit.php\" method=\"post\" onSubmit=\"saveScrollPosition('inputForm')\" autocomplete=\"off\">\n";
echo "<form id=\"inputForm\" enctype=\"multipart/form-data\" action=\"edit.php?editKey=" . htmlspecialchars($this->base) . "\" method=\"post\" onSubmit=\"saveScrollPosition('inputForm')\" autocomplete=\"off\">\n";
echo '<input type="hidden" name="' . getSecurityTokenName() . '" value="' . getSecurityTokenValue() . '">';
}
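Review bot: The value written into the onclick JavaScript string at the `setOnClick` line and into the form action is `$this->base`, which edit.php fills from `$_GET['editKey']`, so it is request-controlled, and `htmlspecialchars()` with the default flags on PHP before 8.1 leaves `'` untouched — HTML-attribute encoding does not protect a JavaScript string literal. Inside the single-quoted JS string a quote in the key ends the literal early, so the encoding chosen here is the wrong layer of defence. Prefer rejecting keys that do not match the generated format (prefix plus alphanumerics) where the key is read in edit.php, and in the meantime pass the flags explicitly here: `htmlspecialchars($this->base, ENT_QUOTES)` in both places. The enclosing methods of both hunks start outside the shown lines.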


@ -57,6 +57,14 @@ if (!isLoggedIn()) {
// Set correct language, codepages, ....
setlanguage();
$sessionAccountPrefix = 'editContainer';
if (isset($_GET['editKey'])) {
$sessionKey = htmlspecialchars($_GET['editKey']);
}
else {
$sessionKey = $sessionAccountPrefix . (new \DateTime(null, getTimeZone()))->getTimestamp() . getRandomNumber();
}
$typeManager = new LAM\TYPES\TypeManager();
//load account
if (isset($_GET['DN'])) {
@ -80,8 +88,8 @@ if (isset($_GET['DN'])) {
logNewMessage(LOG_ERR, 'User tried to access entry of type ' . $type->getId() . ' outside suffix ' . $suffix);
die();
}
$_SESSION['account'] = new accountContainer($type, 'account');
$result = $_SESSION['account']->load_account($DN);
$_SESSION[$sessionKey] = new accountContainer($type, $sessionKey);
$result = $_SESSION[$sessionKey]->load_account($DN);
if (sizeof($result) > 0) {
include __DIR__ . '/../../lib/adminHeader.inc';
foreach ($result as $message) {
@ -92,7 +100,7 @@ if (isset($_GET['DN'])) {
}
}
// new account
else if (count($_POST) == 0) {
elseif (empty($_POST)) {
$type = $typeManager->getConfiguredType($_GET['type']);
if ($type->isHidden()) {
logNewMessage(LOG_ERR, 'User tried to access hidden account type: ' . $type->getId());
@ -102,11 +110,11 @@ else if (count($_POST) == 0) {
logNewMessage(LOG_ERR, 'User tried to create entry of forbidden account type: ' . $type->getId());
die();
}
$_SESSION['account'] = new accountContainer($type, 'account');
$_SESSION['account']->new_account();
$_SESSION[$sessionKey] = new accountContainer($type, $sessionKey);
$_SESSION[$sessionKey]->new_account();
}
// show account page
$_SESSION['account']->continue_main();
$_SESSION[$sessionKey]->continue_main();
?>
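Review bot: `$sessionKey` is taken straight from `$_GET['editKey']` with only output-encoding applied, so any request-supplied string becomes a `$_SESSION` index that this file then writes (`$_SESSION[$sessionKey] = new accountContainer(...)`) and reads; a request can address or overwrite session entries it should never touch, and `htmlspecialchars()` is not input validation. Accept only keys in the format this file itself generates (the `editContainer` prefix followed by alphanumerics, assuming `getRandomNumber()` yields digits or alphanumerics — worth confirming) and otherwise fall back to a fresh key. Separately, the final `$_SESSION[$sessionKey]->continue_main();` runs without checking the container exists, so a POST after session expiry or with an unknown key ends in a fatal error on null instead of the logged `die()` that the Ajax hunk uses; add the same guard before the call. Minor: `new \DateTime(null, ...)` passes null where a string is expected, which is deprecated in PHP 8.1 — use `'now'`.
```php
$sessionAccountPrefix = 'editContainer';
// accept only keys in the format generated below; assumes getRandomNumber() is alphanumeric — TODO confirm
if (isset($_GET['editKey']) && is_string($_GET['editKey'])
        && preg_match('/^' . $sessionAccountPrefix . '[A-Za-z0-9]+$/', $_GET['editKey']) === 1) {
    $sessionKey = $_GET['editKey'];
}
else {
    $sessionKey = $sessionAccountPrefix . (new \DateTime('now', getTimeZone()))->getTimestamp() . getRandomNumber();
}
// … unchanged: type manager, load/new account branches …
if (!isset($_SESSION[$sessionKey])) {
    logNewMessage(LOG_ERR, 'Unable to find account container');
    die();
}
$_SESSION[$sessionKey]->continue_main();
```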


@ -75,8 +75,12 @@ class Ajax {
if (isset($_GET['module']) && isset($_GET['scope']) && in_array($_GET['module'], getAvailableModules($_GET['scope']))) {
enforceUserIsLoggedIn();
if (isset($_GET['useContainer']) && ($_GET['useContainer'] == '1')) {
if (!isset($_SESSION['account'])) die();
$module = $_SESSION['account']->getAccountModule($_GET['module']);
$sessionKey = htmlspecialchars($_GET['editKey']);
if (!isset($_SESSION[$sessionKey])) {
logNewMessage(LOG_ERR, 'Unable to find account container');
die();
}
$module = $_SESSION[$sessionKey]->getAccountModule($_GET['module']);
$module->handleAjaxRequest();
}
else {
@ -157,7 +161,8 @@ class Ajax {
* @param array $input input parameters
*/
private static function managePasswordChange($input) {
$return = $_SESSION['account']->setNewPassword($input);
$sessionKey = htmlspecialchars($_GET['editKey']);
$return = $_SESSION[$sessionKey]->setNewPassword($input);
echo json_encode($return);
}
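Review bot: `managePasswordChange` dereferences `$_SESSION[$sessionKey]` without the existence check the first hunk adds around `getAccountModule`, so a password-change request whose key no longer maps to a container ends in a fatal error on null rather than the logged `die()`; both hunks also read `$_GET['editKey']` without `isset()`, producing an undefined-index notice and an empty key. The lookup is duplicated, so it belongs in one private helper that both call sites use, ideally also restricted to the key format edit.php generates. The enclosing method of the first hunk starts outside the shown lines.
```php
/**
 * Returns the account container addressed by $_GET['editKey'], or logs and exits.
 */
private static function getEditContainer() {
    $sessionKey = (isset($_GET['editKey']) && is_string($_GET['editKey'])) ? $_GET['editKey'] : '';
    if (($sessionKey === '') || !isset($_SESSION[$sessionKey])) {
        logNewMessage(LOG_ERR, 'Unable to find account container');
        die();
    }
    return $_SESSION[$sessionKey];
}
// … unchanged: request dispatch …
$module = self::getEditContainer()->getAccountModule($_GET['module']);
// … unchanged …
private static function managePasswordChange($input) {
    $return = self::getEditContainer()->setNewPassword($input);
    echo json_encode($return);
}
```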