Bug #19299 » bug.diff
typo3_src.new/t3lib/class.t3lib_beuserauth.php 2010-01-11 12:24:18.000000000 +0100 | ||
---|---|---|
}
|
||
}
|
||
/**
|
||
* VeriCode returns 10 first chars of a md5 hash of the session cookie AND the encryptionKey from TYPO3_CONF_VARS.
|
||
* This code is used as an alternative verification when the JavaScript interface executes cmd's to tce_db.php from eg. MSIE 5.0 because the proper referer is not passed with this browser...
|
||
*
|
||
* @return string
|
||
*/
|
||
function veriCode() {
|
||
return substr(md5($this->id.$GLOBALS['TYPO3_CONF_VARS']['SYS']['encryptionKey']),0,10);
|
||
}
|
||
/**
|
||
* The session_id is used to find user in the database.
|
||
* Two tables are joined: The session-table with user_id of the session and the usertable with its primary key
|
||
* if the client is flash (e.g. from a flash application inside TYPO3 that does a server request)
|
||
* then don't evaluate with the hashLockClause, as the client/browser is included in this hash
|
||
* and thus, the flash request would be rejected
|
||
*
|
||
* @return DB result object or false on error
|
||
* @access private
|
||
*/
|
||
protected function fetchUserSessionFromDB() {
|
||
if ($GLOBALS['CLIENT']['BROWSER'] == 'flash') {
|
||
// if on the flash client, the veri code is valid, then the user session is fetched
|
||
// from the DB without the hashLock clause
|
||
if (t3lib_div::_GP('vC') == $this->veriCode()) {
|
||
$dbres = $GLOBALS['TYPO3_DB']->exec_SELECTquery(
|
||
'*',
|
||
$this->session_table.','.$this->user_table,
|
||
$this->session_table.'.ses_id = '.$GLOBALS['TYPO3_DB']->fullQuoteStr($this->id, $this->session_table).'
|
||
AND '.$this->session_table.'.ses_name = '.$GLOBALS['TYPO3_DB']->fullQuoteStr($this->name, $this->session_table).'
|
||
AND '.$this->session_table.'.ses_userid = '.$this->user_table.'.'.$this->userid_column.'
|
||
'.$this->ipLockClause().'
|
||
'.$this->user_where_clause()
|
||
);
|
||
} else {
|
||
$dbres = false;
|
||
}
|
||
} else {
|
||
$dbres = parent::fetchUserSessionFromDB();
|
||
}
|
||
return $dbres;
|
||
}
|
||
}
|
||
typo3_src.new/t3lib/class.t3lib_userauth.php 2010-01-11 12:25:38.000000000 +0100 | ||
---|---|---|
/**
|
||
* The session_id is used to find user in the database.
|
||
* Two tables are joined: The session-table with user_id of the session and the usertable with its primary key
|
||
* if the client is flash (e.g. from a flash application inside TYPO3 that does a server request)
|
||
* then don't evaluate with the hashLockClause, as the client/browser is included in this hash
|
||
* and thus, the flash request would be rejected
|
||
*
|
||
* @return DB result object or false on error
|
||
* @access private
|
||
*/
|
||
protected function fetchUserSessionFromDB() {
|
||
|
||
if ($GLOBALS['CLIENT']['BROWSER'] == 'flash') {
|
||
// if on the flash client, the veri code is valid, then the user session is fetched
|
||
// from the DB without the hashLock clause
|
||
if (t3lib_div::_GP('vC') == $this->veriCode()) {
|
||
$dbres = $GLOBALS['TYPO3_DB']->exec_SELECTquery(
|
||
'*',
|
||
$this->session_table.','.$this->user_table,
|
||
$this->session_table.'.ses_id = '.$GLOBALS['TYPO3_DB']->fullQuoteStr($this->id, $this->session_table).'
|
||
AND '.$this->session_table.'.ses_name = '.$GLOBALS['TYPO3_DB']->fullQuoteStr($this->name, $this->session_table).'
|
||
AND '.$this->session_table.'.ses_userid = '.$this->user_table.'.'.$this->userid_column.'
|
||
'.$this->ipLockClause().'
|
||
'.$this->user_where_clause()
|
||
);
|
||
} else {
|
||
$dbres = false;
|
||
}
|
||
} else {
|
||
$dbres = $GLOBALS['TYPO3_DB']->exec_SELECTquery(
|
||
'*',
|
||
$this->session_table.','.$this->user_table,
|
||
... | ... | |
'.$this->hashLockClause().'
|
||
'.$this->user_where_clause()
|
||
);
|
||
}
|
||
return $dbres;
|
||
}
|
||
... | ... | |
}
|
||
/**
|
||
* VeriCode returns 10 first chars of a md5 hash of the session cookie AND the encryptionKey from TYPO3_CONF_VARS.
|
||
* This code is used as an alternative verification when the JavaScript interface executes cmd's to tce_db.php from eg. MSIE 5.0 because the proper referer is not passed with this browser...
|
||
*
|
||
* @return string
|
||
*/
|
||
function veriCode() {
|
||
return substr(md5($this->id.$GLOBALS['TYPO3_CONF_VARS']['SYS']['encryptionKey']),0,10);
|
||
}
|
||
|
||
/**
|
||
* This returns the where-clause needed to lock a user to a hash integer
|
||
*
|
||
* @return string
|