author | Paul S. Owen <psotfx@users.sourceforge.net> | 2005-07-05 01:53:34 +0000 |
---|---|---|
committer | Paul S. Owen <psotfx@users.sourceforge.net> | 2005-07-05 01:53:34 +0000 |
commit | 54e379ffe30491a1019ca6c84f953a3e03051b4c (patch) | |
tree | fc5d5bd4e3efdaa887f1131c477be8173dff5868 | |
parent | cfa87f2407bc0eed217127dda9f96b74fbefc92d (diff) | |
sigh
git-svn-id: file:///svn/phpbb/trunk@5179 89ea8834-ac86-4346-8a33-228a782c2dd0
-rw-r--r-- | phpBB/includes/session.php | 15 |
1 files changed, 8 insertions, 7 deletions
diff --git a/phpBB/includes/session.php b/phpBB/includes/session.php
index 585aa37d83..c0ed0cb350 100644
--- a/phpBB/includes/session.php
+++ b/phpBB/includes/session.php
@@ -52,14 +52,15 @@ class session
 $this->page .= (isset($_POST['f'])) ? 'f=' . intval($_POST['f']) : '';
 $this->cookie_data = array();
- if (isset($_COOKIE[$config['cookie_name'] . '_sid']) || isset($_COOKIE[$config['cookie_name'] . '_data']))
- {
- // Santise k? Is there a need? It's escaped for DB entry in relevant location
- // and isn't used directly anywhere else (nor should it!)
- $this->cookie_data['u'] = (!empty($_COOKIE[$config['cookie_name'] . '_u'])) ? (int) $_COOKIE[$config['cookie_name'] . '_u'] : 0;
- $this->cookie_data['k'] = (!empty($_COOKIE[$config['cookie_name'] . '_k'])) ? (string) $_COOKIE[$config['cookie_name'] . '_k'] : '';
+ if (isset($_COOKIE[$config['cookie_name'] . '_sid']) || isset($_COOKIE[$config['cookie_name'] . '_u']))
+ {
+ // Switch to request_var ... can this cause issues, can a _GET/_POST param
+ // be used to poison this? Not sure that it makes any difference in terms of
+ // the end result, be it a cookie or param.
+ $this->cookie_data['u'] = request_var($config['cookie_name'] . '_u', 0);
+ $this->cookie_data['k'] = request_var($config['cookie_name'] . '_k', '');
+ $this->session_id = request_var($config['cookie_name'] . '_sid', '');
- $this->session_id = request_var($config['cookie_name'] . '_sid', '');
 $SID = (defined('NEED_SID')) ? '?sid=' . $this->session_id : '?sid=';
 }
 else |
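Review bot: The new `cookie_data['u']`, `cookie_data['k']` and `session_id` assignments read through `request_var`, while the branch is still gated on `isset($_COOKIE[... '_sid'])` / `isset($_COOKIE[... '_u'])`, so once any such cookie is present the user id, `k` value and session id actually used can be supplied by a query-string or POST parameter rather than the cookie — which is exactly the poisoning the added comment asks about and then leaves open. Whether a GET/POST value wins over a same-named cookie depends on how `request_var` is implemented and on PHP's `variables_order`/`request_order`, neither of which is visible here, but `k` (per the removed comment, a value later used for a DB lookup, so presumably a persistent-login key) should not be acceptable from a URL at all, since that is the credential-like half of the pair. I would keep the `$_COOKIE`-only reads the hunk removes for `u` and `k` — `$this->cookie_data['u'] = (isset($_COOKIE[$config['cookie_name'] . '_u'])) ? (int) $_COOKIE[$config['cookie_name'] . '_u'] : 0;` plus the matching `(string)` line for `_k` — and leave only `_sid` on `request_var`, since the `$SID = ... '?sid=' ...` line shows the session id is deliberately also carried in the URL. The added comment should then record that precedence instead of the open question: `// u/k are cookie-only: the login key must never be taken from GET/POST; sid may also arrive as ?sid=`. The enclosing method of `class session` begins before this hunk and its `else` branch continues after it.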