[BUGFIX] Information disclosure during backend login
Change-Id: I04cffe3eae59b281be409f70e6adaa7539a3a409
Resolves: #24456
Reviewed-on: http://review.typo3.org/3739
Reviewed-by: Oliver Hader
Tested-by: Oliver Hader
helhum authored and ohader committed Jul 27, 2011
1 parent 686631b commit 281713c
Showing 2 changed files with 4 additions and 2 deletions.
4 changes: 3 additions & 1 deletion t3lib/class.t3lib_userauth.php
Expand Up @@ -252,6 +252,9 @@ function start() {
// Make certain that NO user is set initially
$this->user = '';

// We need a PHP session session for most login levels
session_start();

// Check to see if anyone has submitted login-information and if so register the user with the session. $this->user[uid] may be used to write log...
$this->checkAuthentication();

Expand Down Expand Up @@ -1299,7 +1302,6 @@ function compareUident($user, $loginData, $security_level = '') {

// Check challenge stored in cookie:
if ($this->challengeStoredInCookie) {
session_start();
if ($_SESSION['login_challenge'] !== $loginData['chalvalue']) {
if ($this->writeDevLog) {
t3lib_div::devLog('PHP Session stored challenge "' . $_SESSION['login_challenge'] . '" and submitted challenge "' . $loginData['chalvalue'] . '" did not match, so authentication failed!', 't3lib_userAuth', 2);
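Review bot: The `session_start()` added to `start()` runs unconditionally, whereas the call removed from `compareUident()` sat behind `if ($this->challengeStoredInCookie)`; every object that passes through `start()` now opens a PHP session and, presumably, sends a session cookie and holds the session lock for the rest of the request, even when no login is being processed. The call is also not guarded against a session that is already active, in which case PHP raises a notice that can end up in the response on systems that display errors; `if (session_id() === '') { session_start(); }` avoids that. If the session is only needed for the challenge, the guard could additionally test `$this->challengeStoredInCookie`, though the new comment's "most login levels" suggests a wider need, so this is worth confirming with the author. The new comment also contains a doubled word ("PHP session session"). `start()` begins and ends outside the hunk.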
2 changes: 1 addition & 1 deletion typo3/sysext/workspaces
Submodule workspaces updated from 37d882 to 0310d4
