From: Alexander Ebert
Date: Thu, 16 Jan 2020 16:08:06 +0000 (+0100)
Subject: Validate the access token using a strict regex pattern
X-Git-Tag: 5.2.2~52
X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=33989f299121bfb3b82c40f3257f404fc23b3c1c;p=GitHub%2FWoltLab%2FWCF.git
Validate the access token using a strict regex pattern
---
diff --git a/wcfsetup/install/files/lib/page/AbstractAuthedPage.class.php b/wcfsetup/install/files/lib/page/AbstractAuthedPage.class.php
index e8c9378047..995768b09f 100644
--- a/wcfsetup/install/files/lib/page/AbstractAuthedPage.class.php
+++ b/wcfsetup/install/files/lib/page/AbstractAuthedPage.class.php
@@ -31,28 +31,34 @@ abstract class AbstractAuthedPage extends AbstractPage {
 */
 protected function checkAccessToken() {
 if (isset($_REQUEST['at'])) {
- list($userID, $token) = array_pad(explode('-', StringUtil::trim($_REQUEST['at']), 2), 2, null);
-
- if (WCF::getUser()->userID) {
- if ($userID == WCF::getUser()->userID && \hash_equals(WCF::getUser()->accessToken, $token)) {
- // everything is fine, but we are already logged in
- return;
+ if (preg_match('~^(?P\d{1,10})-(?P[a-f0-9]{40})$~', $_REQUEST['at'], $matches)) {
+ $userID = $matches['userID'];
+ $token = $matches['token'];
+
+ if (WCF::getUser()->userID) {
+ if ($userID == WCF::getUser()->userID && \hash_equals(WCF::getUser()->accessToken, $token)) {
+ // everything is fine, but we are already logged in
+ return;
+ }
+ else {
+ // token is invalid
+ throw new IllegalLinkException();
+ }
 }
 else {
- // token is invalid
- throw new IllegalLinkException();
+ $user = new User($userID);
+ if (\hash_equals($user->accessToken, $token) && !$user->banned) {
+ // token is valid and user is not banned -> change user
+ SessionHandler::getInstance()->changeUser($user, true);
+ }
+ else {
+ // token is invalid
+ throw new IllegalLinkException();
+ }
 }
 }
 else {
- $user = new User($userID);
- if (\hash_equals($user->accessToken, $token) && !$user->banned) {
- // token is valid and user is not banned -> change user
- SessionHandler::getInstance()->changeUser($user, true);
- }
- else {
- // token is invalid
- throw new IllegalLinkException();
- }
+ throw new IllegalLinkException();
 }
 }
 }
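Review bot: The new `preg_match()` call takes `$_REQUEST['at']` without checking that it is a string, and a request can supply `at` as an array; on PHP 7 that is a warning plus a non-match, on PHP 8 a TypeError instead of the intended IllegalLinkException, so the guard should read `if (is_string($_REQUEST['at']) && preg_match(...))`. In the guest branch `\hash_equals($user->accessToken, $token)` runs on `new User($userID)` with no existence check; if an unknown ID yields a null accessToken (the User class is not shown here) the same type problem appears, and `$user->userID && \hash_equals((string)$user->accessToken, $token) && !$user->banned` would fail closed. The pattern's `$` also accepts a trailing newline, so `\z` or the `D` modifier is needed for the match to be as strict as the commit title says. As rendered on this page the two named groups have lost their names, presumably `<userID>` and `<token>` judging by the `$matches` keys.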