From ed9c95623fcf3b46e42dfbb2596abbf4c55107a3 Mon Sep 17 00:00:00 2001
From: Lukas Fleischer
Date: Sun, 24 Apr 2011 14:22:24 +0200
Subject: pkgsubmit.php: Ensure the session is linked to a valid user.

Prevent race conditions that may occur when either the session or the user is deleted before we extract the actual user identifier.

Signed-off-by: Lukas Fleischer
---
 web/html/pkgsubmit.php | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)
(limited to 'web')

diff --git a/web/html/pkgsubmit.php b/web/html/pkgsubmit.php
index 4ba0b747..f2777b71 100644
--- a/web/html/pkgsubmit.php
+++ b/web/html/pkgsubmit.php
@@ -13,7 +13,14 @@ check_sid(); # see if they're still logged in
 $cwd = getcwd();
-if ($_COOKIE["AURSID"]):
+if ($_COOKIE["AURSID"]) {
+ $uid = uid_from_sid($_COOKIE['AURSID']);
+}
+else {
+ $uid = NULL;
+}
+
+if ($uid):
 # Track upload errors
 $error = "";
@@ -51,8 +58,6 @@ if ($_COOKIE["AURSID"]):
 fclose($fh);
 }
- $uid = uid_from_sid($_COOKIE['AURSID']);
-
 if (!$error) {
 $tar = new Archive_Tar($_FILES['pfile']['tmp_name']);
--
cgit v1.2.3-24-g4f1b
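Review bot: The new guard in the first hunk reads `$_COOKIE["AURSID"]` without checking that the cookie exists, so an anonymous request emits an undefined-index notice before `$uid` falls through to NULL. Writing it as `$uid = isset($_COOKIE['AURSID']) ? uid_from_sid($_COOKIE['AURSID']) : NULL;` covers both branches in one statement and settles on one quoting style. The `if ($uid):` test that now gates the upload path is a truthiness check, so it is only as strong as whatever `uid_from_sid()` returns for an unknown or deleted session. That helper is not visible in this patch, so a comment such as `# $uid is empty when the session or its user no longer exists` above the test would record the contract the gate relies on. The `if ($uid):` block continues outside the hunk.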