[Pkg-owncloud-commits] [owncloud] 111/145: Security Update: session fixation

David Prévot taffit at moszumanska.debian.org
Wed Feb 26 16:27:46 UTC 2014


This is an automated email from the git hooks/post-receive script.

taffit pushed a commit to branch master
in repository owncloud.

commit a422f19fac4981c494207f56a849958f2f40cbb1
Author: NARUKAWA Hiroki <nhirokinet at nhiroki.net>
Date:   Fri Dec 20 03:38:51 2013 +0900

    Security Update: session fixation
    
    Previous version is vulnerable to session fixation attack in some situations, guessing non-apache-module-php5 environment. Regeneration of session id should be done here.
---
 lib/private/user/session.php | 1 +
 1 file changed, 1 insertion(+)

diff --git a/lib/private/user/session.php b/lib/private/user/session.php
index 1e29941..71bacfe 100644
--- a/lib/private/user/session.php
+++ b/lib/private/user/session.php
@@ -157,6 +157,7 @@ class Session implements Emitter, \OCP\IUserSession {
 		if($user !== false) {
 			if (!is_null($user)) {
 				if ($user->isEnabled()) {
+					session_regenerate_id(true);
 					$this->setUser($user);
 					$this->setLoginName($uid);
 					$this->manager->emit('\OC\User', 'postLogin', array($user, $password));
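
Review bot: the return value of session_regenerate_id(true) on the added line is ignored, so if regeneration fails (the function returns false, for example when no session is active or headers have already been sent) execution still falls through to $this->setUser($user) and the pre-login session id stays valid, which is the fixation case this commit is meant to close. Suggest checking the result and refusing the login, or at least logging the failure, before setUser() runs. A short comment above the call stating that the id is rotated at the point of privilege change would also help, since the commit message only says "in some situations" and does not record which environments are affected.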

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-owncloud/owncloud.git


