[Web] Important: Do not allow API actions with r/o session key, THANKS TO Samuel Oosterholt

master
andryyy 2021-05-20 15:51:52 +02:00
parent a885dab0d3
commit 99ab945ae2
No known key found for this signature in database
GPG Key ID: 8EC34FF2794E25EF
2 changed files with 8 additions and 1 deletions

View File

@ -304,5 +304,12 @@ $(document).ready(function() {
</body> </body>
</html> </html>
<?php <?php
if (isset($_SESSION['mailcow_cc_api'])) {
session_regenerate_id(true);
session_unset();
session_destroy();
session_write_close();
header("Location: /");
}
$stmt = null; $stmt = null;
$pdo = null; $pdo = null;

View File

@ -93,7 +93,7 @@ if (isset($_SESSION['mailcow_cc_role']) && ($_SESSION['mailcow_cc_role'] == "adm
fido2(array("action" => "unset_fido2_key", "post_data" => $_POST)); fido2(array("action" => "unset_fido2_key", "post_data" => $_POST));
} }
} }
if (isset($_SESSION['mailcow_cc_role']) && $_SESSION['mailcow_cc_role'] == "admin") { if (isset($_SESSION['mailcow_cc_role']) && $_SESSION['mailcow_cc_role'] == "admin" && !isset($_SESSION['mailcow_cc_api'])) {
// TODO: Move file upload to API? // TODO: Move file upload to API?
if (isset($_POST["submit_main_logo"])) { if (isset($_POST["submit_main_logo"])) {
if ($_FILES['main_logo']['error'] == 0) { if ($_FILES['main_logo']['error'] == 0) {