From 42dd60edad6c3533f6b718e731d43661641fd1fc Mon Sep 17 00:00:00 2001
From: Nils Adermann <naderman@naderman.de>
Date: Tue, 29 May 2012 14:54:04 +0200
Subject: [ticket/10913] Redirect to index if session id is required but was
 not sent

PHPBB3-10913
---
 phpBB/includes/session.php | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

(limited to 'phpBB/includes/session.php')

diff --git a/phpBB/includes/session.php b/phpBB/includes/session.php
index a894242a39..496c12a0d1 100644
--- a/phpBB/includes/session.php
+++ b/phpBB/includes/session.php
@@ -322,8 +322,15 @@ class session
 			}
 		}
 
-		// Is session_id is set or session_id is set and matches the url param if required
-		if (!empty($this->session_id) && (!defined('NEED_SID') || (isset($_GET['sid']) && $this->session_id === $_GET['sid'])))
+		// if no session id is set, redirect to index.php
+		if (defined('NEED_SID') && (!isset($_GET['sid']) || $this->session_id !== $_GET['sid']))
+		{
+			send_status_line(401, 'Not authorized');
+			redirect(append_sid("{$phpbb_root_path}index.$phpEx"));
+		}
+
+		// if session id is set
+		if (!empty($this->session_id))
 		{
 			$sql = 'SELECT u.*, s.*
 				FROM ' . SESSIONS_TABLE . ' s, ' . USERS_TABLE . " u
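Review bot: The new NEED_SID guard treats an empty `sid` parameter as sent: `isset($_GET['sid'])` is true for `''`, and the `!empty($this->session_id)` check right after it shows `$this->session_id` can still be empty at this point, so `'' !== ''` is false and the request is not redirected. Using `empty()` closes that gap: `if (defined('NEED_SID') && (empty($_GET['sid']) || $this->session_id !== $_GET['sid']))`. The comment above the guard should also say that a mismatching sid redirects, not only a missing one, e.g. `// NEED_SID pages: redirect to index.php when the sid URL parameter is missing or does not match the session`. The 401 set by `send_status_line()` is presumably replaced once `redirect()` emits its redirect header, so confirm which status the client actually receives. The enclosing method starts outside the hunk, so the `global` declarations for `$phpbb_root_path` and `$phpEx` cannot be confirmed from here.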
-- 
cgit v1.2.1