Validate the access token using a strict regex pattern

author Alexander Ebert <ebert@woltlab.com>

Thu, 16 Jan 2020 16:08:06 +0000 (17:08 +0100)

committer Alexander Ebert <ebert@woltlab.com>

Thu, 16 Jan 2020 16:08:06 +0000 (17:08 +0100)
author Alexander Ebert <ebert@woltlab.com>
Thu, 16 Jan 2020 16:08:06 +0000 (17:08 +0100)
committer Alexander Ebert <ebert@woltlab.com>
Thu, 16 Jan 2020 16:08:06 +0000 (17:08 +0100)
diff --git a/wcfsetup/install/files/lib/page/AbstractAuthedPage.class.php b/wcfsetup/install/files/lib/page/AbstractAuthedPage.class.php

index e8c9378047ff66612bad695997360df0c66f8611..995768b09f9b3f12f68585aa6b69bb20b99b94ee 100644 (file)
--- a/wcfsetup/install/files/lib/page/AbstractAuthedPage.class.php
+++ b/wcfsetup/install/files/lib/page/AbstractAuthedPage.class.php
@@ -31,28 +31,34 @@ abstract class AbstractAuthedPage extends AbstractPage {
          */
         protected function checkAccessToken() {
                 if (isset($_REQUEST['at'])) {
-                       list($userID, $token) = array_pad(explode('-', StringUtil::trim($_REQUEST['at']), 2), 2, null);
-                       
-                       if (WCF::getUser()->userID) {
-                               if ($userID == WCF::getUser()->userID && \hash_equals(WCF::getUser()->accessToken, $token)) {
-                                       // everything is fine, but we are already logged in
-                                       return;
+                       if (preg_match('~^(?P<userID>\d{1,10})-(?P<token>[a-f0-9]{40})$~', $_REQUEST['at'], $matches)) {
+                               $userID = $matches['userID'];
+                               $token = $matches['token'];
+                               
+                               if (WCF::getUser()->userID) {
+                                       if ($userID == WCF::getUser()->userID && \hash_equals(WCF::getUser()->accessToken, $token)) {
+                                               // everything is fine, but we are already logged in
+                                               return;
+                                       }
+                                       else {
+                                               // token is invalid
+                                               throw new IllegalLinkException();
+                                       }
                                 }
                                 else {
-                                       // token is invalid
-                                       throw new IllegalLinkException();
+                                       $user = new User($userID);
+                                       if (\hash_equals($user->accessToken, $token) && !$user->banned) {
+                                               // token is valid and user is not banned -> change user
+                                               SessionHandler::getInstance()->changeUser($user, true);
+                                       }
+                                       else {
+                                               // token is invalid
+                                               throw new IllegalLinkException();
+                                       }
                                 }
                         }
                         else {
-                               $user = new User($userID);
-                               if (\hash_equals($user->accessToken, $token) && !$user->banned) {
-                                       // token is valid and user is not banned -> change user
-                                       SessionHandler::getInstance()->changeUser($user, true);
-                               }
-                               else {
-                                       // token is invalid
-                                       throw new IllegalLinkException();
-                               }
+                               throw new IllegalLinkException();
                         }
                 }
         }
author	Alexander Ebert <ebert@woltlab.com>
	Thu, 16 Jan 2020 16:08:06 +0000 (17:08 +0100)
committer	Alexander Ebert <ebert@woltlab.com>
	Thu, 16 Jan 2020 16:08:06 +0000 (17:08 +0100)