summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorLukas Fleischer <archlinux@cryptocrack.de>2011-04-24 14:22:24 +0200
committerLukas Fleischer <archlinux@cryptocrack.de>2011-04-24 14:22:24 +0200
commited9c95623fcf3b46e42dfbb2596abbf4c55107a3 (patch)
tree2100240ba15bc5a0207be2449da19a24ad6fd0b4
parent9ff30614b8500b1079f301365d5f11ff5f42fc0c (diff)
downloadaurweb-ed9c95623fcf3b46e42dfbb2596abbf4c55107a3.tar.xz
pkgsubmit.php: Ensure the session is linked to a valid user.
Prevent race conditions that may occur when either the session or the user is deleted before we extract the actual user identifier. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
-rw-r--r--web/html/pkgsubmit.php11
1 files changed, 8 insertions, 3 deletions
diff --git a/web/html/pkgsubmit.php b/web/html/pkgsubmit.php
index 4ba0b74..f2777b7 100644
--- a/web/html/pkgsubmit.php
+++ b/web/html/pkgsubmit.php
@@ -13,7 +13,14 @@ check_sid(); # see if they're still logged in
$cwd = getcwd();
-if ($_COOKIE["AURSID"]):
+if ($_COOKIE["AURSID"]) {
+ $uid = uid_from_sid($_COOKIE['AURSID']);
+}
+else {
+ $uid = NULL;
+}
+
+if ($uid):
# Track upload errors
$error = "";
@@ -51,8 +58,6 @@ if ($_COOKIE["AURSID"]):
fclose($fh);
}
- $uid = uid_from_sid($_COOKIE['AURSID']);
-
if (!$error) {
$tar = new Archive_Tar($_FILES['pfile']['tmp_name']);