From 33989f299121bfb3b82c40f3257f404fc23b3c1c Mon Sep 17 00:00:00 2001
From: Alexander Ebert
Date: Thu, 16 Jan 2020 17:08:06 +0100
Subject: [PATCH] Validate the access token using a strict regex pattern

---
 .../lib/page/AbstractAuthedPage.class.php | 40 +++++++++++--------
 1 file changed, 23 insertions(+), 17 deletions(-)

diff --git a/wcfsetup/install/files/lib/page/AbstractAuthedPage.class.php b/wcfsetup/install/files/lib/page/AbstractAuthedPage.class.php
index e8c9378047..995768b09f 100644
--- a/wcfsetup/install/files/lib/page/AbstractAuthedPage.class.php
+++ b/wcfsetup/install/files/lib/page/AbstractAuthedPage.class.php
@@ -31,28 +31,34 @@ abstract class AbstractAuthedPage extends AbstractPage {
 */
 protected function checkAccessToken() {
 if (isset($_REQUEST['at'])) {
- list($userID, $token) = array_pad(explode('-', StringUtil::trim($_REQUEST['at']), 2), 2, null);
-
- if (WCF::getUser()->userID) {
- if ($userID == WCF::getUser()->userID && \hash_equals(WCF::getUser()->accessToken, $token)) {
- // everything is fine, but we are already logged in
- return;
+ if (preg_match('~^(?P\d{1,10})-(?P[a-f0-9]{40})$~', $_REQUEST['at'], $matches)) {
+ $userID = $matches['userID'];
+ $token = $matches['token'];
+
+ if (WCF::getUser()->userID) {
+ if ($userID == WCF::getUser()->userID && \hash_equals(WCF::getUser()->accessToken, $token)) {
+ // everything is fine, but we are already logged in
+ return;
+ }
+ else {
+ // token is invalid
+ throw new IllegalLinkException();
+ }
 }
 else {
- // token is invalid
- throw new IllegalLinkException();
+ $user = new User($userID);
+ if (\hash_equals($user->accessToken, $token) && !$user->banned) {
+ // token is valid and user is not banned -> change user
+ SessionHandler::getInstance()->changeUser($user, true);
+ }
+ else {
+ // token is invalid
+ throw new IllegalLinkException();
+ }
 }
 }
 else {
- $user = new User($userID);
- if (\hash_equals($user->accessToken, $token) && !$user->banned) {
- // token is valid and user is not banned -> change user
- SessionHandler::getInstance()->changeUser($user, true);
- }
- else {
- // token is invalid
- throw new IllegalLinkException();
- }
+ throw new IllegalLinkException();
 }
 }
 }
-- 
2.20.1
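Review bot: The `new User($userID)` branch still passes `$user->accessToken` straight into `\hash_equals()`, so when the ID matches no row, or the row carries no token, the first argument is presumably null, which `hash_equals()` rejects with a warning on PHP 7 and a TypeError on PHP 8 instead of the clean `IllegalLinkException` the surrounding branches throw; guard it, e.g. `if ($user->userID && \is_string($user->accessToken) && \hash_equals($user->accessToken, $token) && !$user->banned) {`. The `$` anchor in the new pattern also tolerates one trailing newline (harmless here because the captures exclude it, but `\z` or the `D` modifier is the strict form the commit title promises), and the pattern as rendered on this page reads `(?P\d{1,10})` with no group names, which looks like extraction damage given that `$matches['userID']` and `$matches['token']` are read on the next lines, but as literally shown it would be an invalid pattern that makes `preg_match()` return false for every token. Since the regex now guarantees `$userID` is a plain digit string, the loose `$userID == WCF::getUser()->userID` can become `(int) $userID === WCF::getUser()->userID`. The whole of `checkAccessToken()` is inside this hunk, so nothing relevant is hidden outside it.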