
[Web] Important: Do not allow API actions with r/o session key, THANKS TO Samuel Oosterholt

andryyy 4 years ago
parent
commit
99ab945ae2
2 changed files with 8 additions and 1 deletions
  1. 7 0
      data/web/inc/footer.inc.php
  2. 1 1
      data/web/inc/triggers.inc.php

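--- a/data/web/inc/footer.inc.php
+++ b/data/web/inc/footer.inc.php
@@ -304,5 +304,12 @@ $(document).ready(function() {
 </body>
 </html>
 <?php
+if (isset($_SESSION['mailcow_cc_api'])) {
+  session_regenerate_id(true);
+  session_unset();
+  session_destroy();
+  session_write_close();
+  header("Location: /");
+}
 $stmt = null;
 $pdo = null;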
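Review bot: The `header("Location: /");` at the end of the added block runs after `</body></html>` has already been emitted, so unless this page is wrapped in output buffering (not visible here) the header cannot be sent and PHP only logs a headers-already-sent warning; the session is still destroyed, but the client is not redirected and the fully rendered page stays on screen. If the redirect matters, the teardown has to run before any output (or the page needs `ob_start()`); if it does not, drop the header and keep only the session teardown. `session_regenerate_id(true)` immediately before `session_destroy()` is redundant, and the session cookie itself is left on the client, so I would replace it with `setcookie(session_name(), '', time() - 3600, '/');` so the stale ID is not replayed. I cannot see from this hunk whether the footer is included on every code path that can carry an API-keyed session, so confirm no response skips it.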

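--- a/data/web/inc/triggers.inc.php
+++ b/data/web/inc/triggers.inc.php
@@ -93,7 +93,7 @@ if (isset($_SESSION['mailcow_cc_role']) && ($_SESSION['mailcow_cc_role'] == "adm
 		fido2(array("action" => "unset_fido2_key", "post_data" => $_POST));
 	}
 }
-if (isset($_SESSION['mailcow_cc_role']) && $_SESSION['mailcow_cc_role'] == "admin") {
+if (isset($_SESSION['mailcow_cc_role']) && $_SESSION['mailcow_cc_role'] == "admin" && !isset($_SESSION['mailcow_cc_api'])) {
   // TODO: Move file upload to API?
 	if (isset($_POST["submit_main_logo"])) {
     if ($_FILES['main_logo']['error'] == 0) {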
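Review bot: The new `!isset($_SESSION['mailcow_cc_api'])` guard covers only the logo-upload block; the fido2 unset block that closes just above it (its condition is the one quoted in the hunk header, outside this hunk) and every other trigger in this file keep whatever check they already had, so an API-keyed session can still reach them unless each is patched the same way. A per-block deny is easy to forget when the next trigger is added; if this file is pulled in via include/require, one gate near its top, `if (isset($_SESSION['mailcow_cc_api'])) { return; }`, would stop all triggers at once, since a top-level `return` ends the include. The flag name does not distinguish read-only from read-write keys as the commit title suggests; if `mailcow_cc_api` is also set for read-write keys this blocks them too, which may be intended but should be confirmed where the flag is set. The role comparison still uses `==`; `=== "admin"` is the safer form. The enclosing `if` block continues past the end of this hunk.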