Index: t3lib/class.t3lib_beuserauth.php =================================================================== --- t3lib/class.t3lib_beuserauth.php (Revision 6911) +++ t3lib/class.t3lib_beuserauth.php (Arbeitskopie) @@ -364,49 +364,6 @@ } } - /** - * VeriCode returns 10 first chars of a md5 hash of the session cookie AND the encryptionKey from TYPO3_CONF_VARS. - * This code is used as an alternative verification when the JavaScript interface executes cmd's to tce_db.php from eg. MSIE 5.0 because the proper referer is not passed with this browser... - * - * @return string - */ - function veriCode() { - return substr(md5($this->id.$GLOBALS['TYPO3_CONF_VARS']['SYS']['encryptionKey']),0,10); - } - - - /** - * The session_id is used to find user in the database. - * Two tables are joined: The session-table with user_id of the session and the usertable with its primary key - * if the client is flash (e.g. from a flash application inside TYPO3 that does a server request) - * then don't evaluate with the hashLockClause, as the client/browser is included in this hash - * and thus, the flash request would be rejected - * - * @return DB result object or false on error - * @access private - */ - protected function fetchUserSessionFromDB() { - if ($GLOBALS['CLIENT']['BROWSER'] == 'flash') { - // if on the flash client, the veri code is valid, then the user session is fetched - // from the DB without the hashLock clause - if (t3lib_div::_GP('vC') == $this->veriCode()) { - $dbres = $GLOBALS['TYPO3_DB']->exec_SELECTquery( - '*', - $this->session_table.','.$this->user_table, - $this->session_table.'.ses_id = '.$GLOBALS['TYPO3_DB']->fullQuoteStr($this->id, $this->session_table).' - AND '.$this->session_table.'.ses_name = '.$GLOBALS['TYPO3_DB']->fullQuoteStr($this->name, $this->session_table).' - AND '.$this->session_table.'.ses_userid = '.$this->user_table.'.'.$this->userid_column.' - '.$this->ipLockClause().' - '.$this->user_where_clause() - ); - } else { - $dbres = false; - } - } else { - $dbres = parent::fetchUserSessionFromDB(); - } - return $dbres; - } } Index: t3lib/class.t3lib_userauth.php =================================================================== --- t3lib/class.t3lib_userauth.php (Revision 6911) +++ t3lib/class.t3lib_userauth.php (Arbeitskopie) @@ -842,11 +842,33 @@ /** * The session_id is used to find user in the database. * Two tables are joined: The session-table with user_id of the session and the usertable with its primary key + * if the client is flash (e.g. from a flash application inside TYPO3 that does a server request) + * then don't evaluate with the hashLockClause, as the client/browser is included in this hash + * and thus, the flash request would be rejected + * * @return DB result object or false on error * @access private */ protected function fetchUserSessionFromDB() { - $dbres = $GLOBALS['TYPO3_DB']->exec_SELECTquery( + + if ($GLOBALS['CLIENT']['BROWSER'] == 'flash') { + // if on the flash client, the veri code is valid, then the user session is fetched + // from the DB without the hashLock clause + if (t3lib_div::_GP('vC') == $this->veriCode()) { + $dbres = $GLOBALS['TYPO3_DB']->exec_SELECTquery( + '*', + $this->session_table.','.$this->user_table, + $this->session_table.'.ses_id = '.$GLOBALS['TYPO3_DB']->fullQuoteStr($this->id, $this->session_table).' + AND '.$this->session_table.'.ses_name = '.$GLOBALS['TYPO3_DB']->fullQuoteStr($this->name, $this->session_table).' + AND '.$this->session_table.'.ses_userid = '.$this->user_table.'.'.$this->userid_column.' + '.$this->ipLockClause().' + '.$this->user_where_clause() + ); + } else { + $dbres = false; + } + } else { + $dbres = $GLOBALS['TYPO3_DB']->exec_SELECTquery( '*', $this->session_table.','.$this->user_table, $this->session_table.'.ses_id = '.$GLOBALS['TYPO3_DB']->fullQuoteStr($this->id, $this->session_table).' @@ -855,7 +877,8 @@ '.$this->ipLockClause().' '.$this->hashLockClause().' '.$this->user_where_clause() - ); + ); + } return $dbres; } @@ -914,6 +937,16 @@ } /** + * VeriCode returns 10 first chars of a md5 hash of the session cookie AND the encryptionKey from TYPO3_CONF_VARS. + * This code is used as an alternative verification when the JavaScript interface executes cmd's to tce_db.php from eg. MSIE 5.0 because the proper referer is not passed with this browser... + * + * @return string + */ + function veriCode() { + return substr(md5($this->id . $GLOBALS['TYPO3_CONF_VARS']['SYS']['encryptionKey']), 0, 10); + } + + /** * This returns the where-clause needed to lock a user to a hash integer * * @return string