Bug #23438 » 15542.diff

Administrator Admin, 2010-08-24 08:30

t3lib/class.t3lib_userauth.php (working copy)
if ($this->writeDevLog) t3lib_div::devLog('Fetch session ses_id = '.$this->id, 't3lib_userAuth');
// fetch the user session from the DB
$dbres = $this->fetchUserSessionFromDB();
$statement = $this->fetchUserSessionFromDB();
if ($statement) {
$statement->execute();
$user = $statement->fetch();
$statement->free();
}
if ($dbres && $user = $GLOBALS['TYPO3_DB']->sql_fetch_assoc($dbres)) {
if ($statement && $user) {
// A user was found
if (is_string($this->auth_timeout_field)) {
$timeout = intval($user[$this->auth_timeout_field]); // Get timeout-time from usertable
......
* @return boolean Returns true if a corresponding session was found in the database
*/
function isExistingSessionRecord($id) {
$count = $GLOBALS['TYPO3_DB']->exec_SELECTcountRows(
'ses_id',
$this->session_table,
'ses_id=' . $GLOBALS['TYPO3_DB']->fullQuoteStr($id, $this->session_table)
);
return (($count ? true : false));
$statement = $GLOBALS['TYPO3_DB']->prepare_SELECTquery(
'COUNT(*)',
$this->session_table,
'ses_id = :ses_id'
);
$statement->execute(array(':ses_id' => $id));
$row = $statement->fetch(t3lib_db_PreparedStatement::FETCH_NUM);
$statement->free();
return (($row[0] ? TRUE : FALSE));
}
......
* then don't evaluate with the hashLockClause, as the client/browser is included in this hash
* and thus, the flash request would be rejected
*
* @return DB result object or false on error
* @return t3lib_db_PreparedStatement
* @access private
*/
protected function fetchUserSessionFromDB() {
$statement = null;
if ($GLOBALS['CLIENT']['BROWSER'] == 'flash') {
// if on the flash client, the veri code is valid, then the user session is fetched
// from the DB without the hashLock clause
if (t3lib_div::_GP('vC') == $this->veriCode()) {
$dbres = $GLOBALS['TYPO3_DB']->exec_SELECTquery(
'*',
$this->session_table.','.$this->user_table,
$this->session_table.'.ses_id = '.$GLOBALS['TYPO3_DB']->fullQuoteStr($this->id, $this->session_table).'
AND '.$this->session_table.'.ses_name = '.$GLOBALS['TYPO3_DB']->fullQuoteStr($this->name, $this->session_table).'
AND '.$this->session_table.'.ses_userid = '.$this->user_table.'.'.$this->userid_column.'
'.$this->ipLockClause().'
'.$this->user_where_clause()
$statement = $GLOBALS['TYPO3_DB']->prepare_SELECTquery(
'*',
$this->session_table . ',' . $this->user_table,
$this->session_table . '.ses_id = :ses_id
AND ' . $this->session_table . '.ses_name = :ses_name
AND ' . $this->session_table . '.ses_userid = ' . $this->user_table . '.' . $this->userid_column . '
' . $this->ipLockClause().'
' . $this->user_where_clause()
);
} else {
$dbres = false;
$statement->bindValues(array(
':ses_id' => $this->id,
':ses_name' => $this->name,
));
}
} else {
$dbres = $GLOBALS['TYPO3_DB']->exec_SELECTquery(
'*',
$this->session_table.','.$this->user_table,
$this->session_table.'.ses_id = '.$GLOBALS['TYPO3_DB']->fullQuoteStr($this->id, $this->session_table).'
AND '.$this->session_table.'.ses_name = '.$GLOBALS['TYPO3_DB']->fullQuoteStr($this->name, $this->session_table).'
AND '.$this->session_table.'.ses_userid = '.$this->user_table.'.'.$this->userid_column.'
'.$this->ipLockClause().'
'.$this->hashLockClause().'
'.$this->user_where_clause()
$statement = $GLOBALS['TYPO3_DB']->prepare_SELECTquery(
'*',
$this->session_table . ',' . $this->user_table,
$this->session_table . '.ses_id = :ses_id
AND ' . $this->session_table . '.ses_name = :ses_name
AND ' . $this->session_table . '.ses_userid = ' . $this->user_table . '.' . $this->userid_column . '
' . $this->ipLockClause() . '
' . $this->hashLockClause() . '
' . $this->user_where_clause()
);
$statement->bindValues(array(
':ses_id' => $this->id,
':ses_name' => $this->name,
));
}
return $dbres;
return $statement;
}
......
* @return string
* @access private
*/
function user_where_clause() {
protected function user_where_clause() {
return (($this->enablecolumns['rootLevel']) ? 'AND '.$this->user_table.'.pid=0 ' : '').
(($this->enablecolumns['disabled']) ? ' AND '.$this->user_table.'.'.$this->enablecolumns['disabled'].'=0' : '').
(($this->enablecolumns['deleted']) ? ' AND '.$this->user_table.'.'.$this->enablecolumns['deleted'].'=0' : '').
......
* @return string
* @access private
*/
function ipLockClause() {
protected function ipLockClause() {
if ($this->lockIP) {
$wherePart = 'AND (
'.$this->session_table.'.ses_iplock='.$GLOBALS['TYPO3_DB']->fullQuoteStr($this->ipLockClause_remoteIPNumber($this->lockIP),$this->session_table).'
......
* @return string (Partial) IP address for REMOTE_ADDR
* @access private
*/
function ipLockClause_remoteIPNumber($parts) {
protected function ipLockClause_remoteIPNumber($parts) {
$IP = t3lib_div::getIndpEnv('REMOTE_ADDR');
if ($parts>=4) {
......
* @return string
* @access private
*/
function hashLockClause() {
protected function hashLockClause() {
$wherePart = 'AND '.$this->session_table.'.ses_hashlock='.intval($this->hashLockClause_getHashInt());
return $wherePart;
}
......
* @return integer Hash integer
* @access private
*/
function hashLockClause_getHashInt() {
protected function hashLockClause_getHashInt() {
$hashStr = '';
if (t3lib_div::inList($this->lockHashKeyWords,'useragent')) $hashStr.=':'.t3lib_div::getIndpEnv('HTTP_USER_AGENT');
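Review bot: The new docblock `@return t3lib_db_PreparedStatement` on the rewritten fetchUserSessionFromDB() understates the contract: `$statement` is initialised to null at the top of the method and, for a flash client whose `vC` does not match veriCode(), no statement is prepared, so the method returns NULL and callers must test it the way the new `if ($statement)` guard in fetchUserSession() does; document it as `@return t3lib_db_PreparedStatement|NULL Prepared statement, or NULL when a flash client fails the veriCode check`. If the old `} else {` preceding the flash-branch `bindValues()` call survived the rewrite rather than being removed, that call runs on NULL and is a fatal error, so confirm the else branch is gone. In the fetchUserSession() hunk the return value of `$statement->execute()` is discarded whereas the tslib_feuserauth change captures it in `$res`; checking it in both places would keep a failed query distinguishable from an absent session. fetchUserSessionFromDB() is complete within the hunk; the hashLockClause_getHashInt() hunk at the end is cut off.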
typo3/sysext/cms/tslib/class.tslib_feuserauth.php (working copy)
function fetchSessionData() {
// Gets SesData if any AND if not already selected by session fixation check in ->isExistingSessionRecord()
if ($this->id && !count($this->sesData)) {
$dbres = $GLOBALS['TYPO3_DB']->exec_SELECTquery('*', 'fe_session_data', 'hash='.$GLOBALS['TYPO3_DB']->fullQuoteStr($this->id, 'fe_session_data'));
if ($sesDataRow = $GLOBALS['TYPO3_DB']->sql_fetch_assoc($dbres)) {
$statement = $GLOBALS['TYPO3_DB']->prepare_SELECTquery(
'*',
'fe_session_data',
'hash = :hash'
);
$statement->execute(array(':hash' => $this->id));
if (($sesDataRow = $statement->fetch()) !== FALSE) {
$this->sesData = unserialize($sesDataRow['content']);
$this->sessionDataTimestamp = $sesDataRow['tstamp'];
}
$GLOBALS['TYPO3_DB']->sql_free_result($dbres);
$statement->free();
}
}
......
// Check if there are any fe_session_data records for the session ID the client claims to have
if ($count == false) {
$dbres = $GLOBALS['TYPO3_DB']->exec_SELECTquery(
'content',
'fe_session_data',
'hash=' . $GLOBALS['TYPO3_DB']->fullQuoteStr($id, 'fe_session_data')
);
if ($dbres !== false) {
if ($sesDataRow = $GLOBALS['TYPO3_DB']->sql_fetch_assoc($dbres)) {
$statement = $GLOBALS['TYPO3_DB']->prepare_SELECTquery(
'content',
'fe_session_data',
'hash = :hash'
);
$res = $statement->execute(array(':hash' => $id));
if ($res !== FALSE) {
if ($sesDataRow = $statement->fetch()) {
$count = true;
$this->sesData = unserialize($sesDataRow['content']);
}
$GLOBALS['TYPO3_DB']->sql_free_result($dbres);
$statement->free();
}
}
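Review bot: In the isExistingSessionRecord hunk, `$statement->free()` sits inside the `if ($res !== FALSE)` block, so a statement whose execute() failed is never freed; move `$statement->free();` after that block's closing brace, as fetchSessionData() above does by freeing unconditionally. The two hunks also diverge in style: fetchSessionData() discards the execute() result and tests the fetched row with `!== FALSE`, while this hunk captures `$res` and tests the row by truthiness — pick one form, preferably checking execute() and `!== FALSE` in both. The retained `unserialize($sesDataRow['content'])` in both hunks predates this patch, but since the rows are presumably written by this class itself, a comment marking that assumption, e.g. `// content is assumed to be serialized by this class; never pass client-supplied input to unserialize()`, would make the trust boundary explicit. The function enclosing the second hunk starts before the hunk.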