author | Lukas Fleischer <archlinux@cryptocrack.de> | 2011-04-24 14:22:24 +0200 |
---|---|---|
committer | Lukas Fleischer <archlinux@cryptocrack.de> | 2011-04-24 14:22:24 +0200 |
commit | ed9c95623fcf3b46e42dfbb2596abbf4c55107a3 (patch) | |
tree | 2100240ba15bc5a0207be2449da19a24ad6fd0b4 | |
parent | 9ff30614b8500b1079f301365d5f11ff5f42fc0c (diff) | |
pkgsubmit.php: Ensure the session is linked to a valid user.
Prevent race conditions that may occur when either the session or the
user is deleted before we extract the actual user identifier.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
-rw-r--r-- | web/html/pkgsubmit.php | 11 |
1 files changed, 8 insertions, 3 deletions
diff --git a/web/html/pkgsubmit.php b/web/html/pkgsubmit.php index 4ba0b747..f2777b71 100644 --- a/web/html/pkgsubmit.php +++ b/web/html/pkgsubmit.php @@ -13,7 +13,14 @@ check_sid(); # see if they're still logged in $cwd = getcwd(); -if ($_COOKIE["AURSID"]): +if ($_COOKIE["AURSID"]) { + $uid = uid_from_sid($_COOKIE['AURSID']); +} +else { + $uid = NULL; +} + +if ($uid): # Track upload errors $error = ""; @@ -51,8 +58,6 @@ if ($_COOKIE["AURSID"]): fclose($fh); } - $uid = uid_from_sid($_COOKIE['AURSID']); - if (!$error) { $tar = new Archive_Tar($_FILES['pfile']['tmp_name']); |
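Review bot: The new `if ($uid):` guard in the first hunk is only as strong as the failure value of `uid_from_sid()`, which is defined outside this diff. The guard fails closed only if a missing session or a deleted user yields NULL, an empty string or 0 rather than some other value. A short comment above the guard, such as `# $uid is empty when the session or its user no longer exists; code below must rely on $uid, not on the cookie`, would record that contract. The lookup also reads `$_COOKIE["AURSID"]` without `isset()`, so a request that carries no cookie raises a notice; `$uid = isset($_COOKIE['AURSID']) ? uid_from_sid($_COOKIE['AURSID']) : NULL;` covers both branches in one line. The body of the `if ($uid):` block continues past the hunk, so whether later code re-reads the cookie for authorisation could not be checked from here.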