[Web] Important: Do not allow API actions with r/o session key, THANKS TO Samuel Oosterholt

2021-05-20 15:51:52 +02:00 · 2021-05-20 15:51:52 +02:00 · 99ab945ae2
parent a885dab0d3
commit 99ab945ae2
2 changed files with 8 additions and 1 deletions
--- a/data/web/inc/footer.inc.php
+++ b/data/web/inc/footer.inc.php
@ -304,5 +304,12 @@ $(document).ready(function() {
 </body>
 </html>
 <?php
+if (isset($_SESSION['mailcow_cc_api'])) {
+  session_regenerate_id(true);
+  session_unset();
+  session_destroy();
+  session_write_close();
+  header("Location: /");
+}
 $stmt = null;
 $pdo = null;
--- a/data/web/inc/triggers.inc.php
+++ b/data/web/inc/triggers.inc.php
@ -93,7 +93,7 @@ if (isset($_SESSION['mailcow_cc_role']) && ($_SESSION['mailcow_cc_role'] == "adm
 		fido2(array("action" => "unset_fido2_key", "post_data" => $_POST));
 	}
 }
-if (isset($_SESSION['mailcow_cc_role']) && $_SESSION['mailcow_cc_role'] == "admin") {
+if (isset($_SESSION['mailcow_cc_role']) && $_SESSION['mailcow_cc_role'] == "admin" && !isset($_SESSION['mailcow_cc_api'])) {
  // TODO: Move file upload to API?
 	if (isset($_POST["submit_main_logo"])) {
    if ($_FILES['main_logo']['error'] == 0) {