Project

General

Profile

Download (4.63 KB)

Bug #21940 » bug.diff

Administrator Admin, 2010-01-11 12:28

View differences:

typo3_src.new/t3lib/class.t3lib_beuserauth.php 2010-01-11 12:24:18.000000000 +0100
}
}
/**
* VeriCode returns 10 first chars of a md5 hash of the session cookie AND the encryptionKey from TYPO3_CONF_VARS.
* This code is used as an alternative verification when the JavaScript interface executes cmd's to tce_db.php from eg. MSIE 5.0 because the proper referer is not passed with this browser...
*
* @return string
*/
function veriCode() {
return substr(md5($this->id.$GLOBALS['TYPO3_CONF_VARS']['SYS']['encryptionKey']),0,10);
}
/**
* The session_id is used to find user in the database.
* Two tables are joined: The session-table with user_id of the session and the usertable with its primary key
* if the client is flash (e.g. from a flash application inside TYPO3 that does a server request)
* then don't evaluate with the hashLockClause, as the client/browser is included in this hash
* and thus, the flash request would be rejected
*
* @return DB result object or false on error
* @access private
*/
protected function fetchUserSessionFromDB() {
if ($GLOBALS['CLIENT']['BROWSER'] == 'flash') {
// if on the flash client, the veri code is valid, then the user session is fetched
// from the DB without the hashLock clause
if (t3lib_div::_GP('vC') == $this->veriCode()) {
$dbres = $GLOBALS['TYPO3_DB']->exec_SELECTquery(
'*',
$this->session_table.','.$this->user_table,
$this->session_table.'.ses_id = '.$GLOBALS['TYPO3_DB']->fullQuoteStr($this->id, $this->session_table).'
AND '.$this->session_table.'.ses_name = '.$GLOBALS['TYPO3_DB']->fullQuoteStr($this->name, $this->session_table).'
AND '.$this->session_table.'.ses_userid = '.$this->user_table.'.'.$this->userid_column.'
'.$this->ipLockClause().'
'.$this->user_where_clause()
);
} else {
$dbres = false;
}
} else {
$dbres = parent::fetchUserSessionFromDB();
}
return $dbres;
}
}
typo3_src.new/t3lib/class.t3lib_userauth.php 2010-01-11 12:25:38.000000000 +0100
/**
* The session_id is used to find user in the database.
* Two tables are joined: The session-table with user_id of the session and the usertable with its primary key
* if the client is flash (e.g. from a flash application inside TYPO3 that does a server request)
* then don't evaluate with the hashLockClause, as the client/browser is included in this hash
* and thus, the flash request would be rejected
*
* @return DB result object or false on error
* @access private
*/
protected function fetchUserSessionFromDB() {
if ($GLOBALS['CLIENT']['BROWSER'] == 'flash') {
// if on the flash client, the veri code is valid, then the user session is fetched
// from the DB without the hashLock clause
if (t3lib_div::_GP('vC') == $this->veriCode()) {
$dbres = $GLOBALS['TYPO3_DB']->exec_SELECTquery(
'*',
$this->session_table.','.$this->user_table,
$this->session_table.'.ses_id = '.$GLOBALS['TYPO3_DB']->fullQuoteStr($this->id, $this->session_table).'
AND '.$this->session_table.'.ses_name = '.$GLOBALS['TYPO3_DB']->fullQuoteStr($this->name, $this->session_table).'
AND '.$this->session_table.'.ses_userid = '.$this->user_table.'.'.$this->userid_column.'
'.$this->ipLockClause().'
'.$this->user_where_clause()
);
} else {
$dbres = false;
}
} else {
$dbres = $GLOBALS['TYPO3_DB']->exec_SELECTquery(
'*',
$this->session_table.','.$this->user_table,
......
'.$this->hashLockClause().'
'.$this->user_where_clause()
);
}
return $dbres;
}
......
}
/**
* VeriCode returns 10 first chars of a md5 hash of the session cookie AND the encryptionKey from TYPO3_CONF_VARS.
* This code is used as an alternative verification when the JavaScript interface executes cmd's to tce_db.php from eg. MSIE 5.0 because the proper referer is not passed with this browser...
*
* @return string
*/
function veriCode() {
return substr(md5($this->id.$GLOBALS['TYPO3_CONF_VARS']['SYS']['encryptionKey']),0,10);
}
/**
* This returns the where-clause needed to lock a user to a hash integer
*
* @return string
(1-1/2)