Validate the access token using a strict regex pattern
authorAlexander Ebert <ebert@woltlab.com>
Thu, 16 Jan 2020 16:08:06 +0000 (17:08 +0100)
committerAlexander Ebert <ebert@woltlab.com>
Thu, 16 Jan 2020 16:08:06 +0000 (17:08 +0100)
wcfsetup/install/files/lib/page/AbstractAuthedPage.class.php

index e8c9378047ff66612bad695997360df0c66f8611..995768b09f9b3f12f68585aa6b69bb20b99b94ee 100644 (file)
@@ -31,28 +31,34 @@ abstract class AbstractAuthedPage extends AbstractPage {
         */
        protected function checkAccessToken() {
                if (isset($_REQUEST['at'])) {
-                       list($userID, $token) = array_pad(explode('-', StringUtil::trim($_REQUEST['at']), 2), 2, null);
-                       
-                       if (WCF::getUser()->userID) {
-                               if ($userID == WCF::getUser()->userID && \hash_equals(WCF::getUser()->accessToken, $token)) {
-                                       // everything is fine, but we are already logged in
-                                       return;
+                       if (preg_match('~^(?P<userID>\d{1,10})-(?P<token>[a-f0-9]{40})$~', $_REQUEST['at'], $matches)) {
+                               $userID = $matches['userID'];
+                               $token = $matches['token'];
+                               
+                               if (WCF::getUser()->userID) {
+                                       if ($userID == WCF::getUser()->userID && \hash_equals(WCF::getUser()->accessToken, $token)) {
+                                               // everything is fine, but we are already logged in
+                                               return;
+                                       }
+                                       else {
+                                               // token is invalid
+                                               throw new IllegalLinkException();
+                                       }
                                }
                                else {
-                                       // token is invalid
-                                       throw new IllegalLinkException();
+                                       $user = new User($userID);
+                                       if (\hash_equals($user->accessToken, $token) && !$user->banned) {
+                                               // token is valid and user is not banned -> change user
+                                               SessionHandler::getInstance()->changeUser($user, true);
+                                       }
+                                       else {
+                                               // token is invalid
+                                               throw new IllegalLinkException();
+                                       }
                                }
                        }
                        else {
-                               $user = new User($userID);
-                               if (\hash_equals($user->accessToken, $token) && !$user->banned) {
-                                       // token is valid and user is not banned -> change user
-                                       SessionHandler::getInstance()->changeUser($user, true);
-                               }
-                               else {
-                                       // token is invalid
-                                       throw new IllegalLinkException();
-                               }
+                               throw new IllegalLinkException();
                        }
                }
        }
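Review bot: The loose `==` between `$userID` and `WCF::getUser()->userID` survives the rewrite even though the regex now guarantees `$matches['userID']` is a plain decimal string; cast it once, `$userID = (int) $matches['userID'];`, and compare with `===` so the intent is explicit and PHP's string-to-number comparison rules never enter the picture. `\hash_equals()` also requires its first argument to be a string — if `WCF::getUser()->accessToken`, or the `accessToken` of the `new User($userID)` loaded for an ID that does not exist, can be null, the call fails with a warning (or a `TypeError` on newer PHP) instead of the uniform `IllegalLinkException`; a guard such as `is_string($user->accessToken) && \hash_equals($user->accessToken, $token) && !$user->banned` keeps every rejection on the same path. The old code trimmed the parameter before splitting, while the anchored pattern now rejects any surrounding whitespace; that looks intentional, but a comment above the `preg_match` (`// strict format <userID>-<40 hex chars>; no trimming, anything else is rejected`) would record the decision for the next reader.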