
prevent auth wipe out at yubi otp registration

FreddleSpl0it 3 年之前
父节点
当前提交
cd02483b19
共有 1 个文件被更改,包括 1 次插入2 次删除
  1. 1 2
      data/web/inc/functions.inc.php

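--- a/data/web/inc/functions.inc.php
+++ b/data/web/inc/functions.inc.php
@@ -1240,8 +1240,7 @@ function set_tfa($_data) {
         $yubico_modhex_id = substr($_data["otp_token"], 0, 12);
         $stmt = $pdo->prepare("DELETE FROM `tfa`
           WHERE `username` = :username
-            AND (`authmech` != 'yubi_otp')
-            OR (`authmech` = 'yubi_otp' AND `secret` LIKE :modhex)");
+            AND (`authmech` = 'yubi_otp' AND `secret` LIKE :modhex)");
         $stmt->execute(array(':username' => $username, ':modhex' => '%' . $yubico_modhex_id));
         $stmt = $pdo->prepare("INSERT INTO `tfa` (`key_id`, `username`, `authmech`, `active`, `secret`) VALUES
           (:key_id, :username, 'yubi_otp', '1', :secret)");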
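Review bot: The value bound to `:modhex` in the `secret LIKE :modhex` condition is the first 12 characters of `$_data["otp_token"]` with no escaping of LIKE wildcards, so a token containing `%` or `_` would make the DELETE match more of that user's `yubi_otp` rows than the one key being re-registered. Whether the token is validated earlier cannot be seen here, since set_tfa starts before and continues past this hunk. If it is not, reject the ID before the DELETE unless `preg_match('/^[cbdefghijklnrtuv]{12}$/', $yubico_modhex_id)` succeeds, failing the same way set_tfa reports its other input errors. Separately, the DELETE and the following INSERT look like independent statements; if no transaction wraps them outside this hunk, a failed INSERT leaves the user without the key that was just removed, so `$pdo->beginTransaction()` / `$pdo->commit()` around the pair would be worth adding.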