authorThomas Steur <tsteur@users.noreply.github.com>2020-09-30 12:33:36 +0300
committerGitHub <noreply@github.com>2020-09-30 12:33:36 +0300
commitf870c8ecd4b4f30fa5108bc098c12e2ddb5d852c (patch)
treed5db860a415357ac2666b0dcd025d0f296d31d4b /core
parent071d35296aa8bf936cf4b917d883d02821037d7a (diff)
Compare session token in any case (#16448)
* Compare token if value is 0 * when session is used always verify token * also compare if a string is set * update travis Co-authored-by: sgiehl <stefan@matomo.org>
Diffstat (limited to 'core')
-rw-r--r--core/Access.php28
-rw-r--r--core/Session/SessionAuth.php4
2 files changed, 16 insertions, 16 deletions
diff --git a/core/Access.php b/core/Access.php
index 87043193ad..cc308e23f8 100644
--- a/core/Access.php
+++ b/core/Access.php
@@ -166,22 +166,20 @@ class Access
if (($forceApiSessionPost && $isApiRequest) || ($forceApiSessionGet && $isApiRequest && $isGetApiRequest)) {
$request = ($forceApiSessionGet && $isApiRequest && $isGetApiRequest) ? $_GET : $_POST;
$tokenAuth = Common::getRequestVar('token_auth', '', 'string', $request);
- if (!empty($tokenAuth)) {
- Session::start();
- $auth = StaticContainer::get(SessionAuth::class);
- $auth->setTokenAuth($tokenAuth);
- $result = $auth->authenticate();
- if (!$result->wasAuthenticationSuccessful()) {
- /**
- * Ensures brute force logic to be executed
- * @ignore
- * @internal
- */
- Piwik::postEvent('API.Request.authenticate.failed');
- }
- Session::close();
- // if not successful, we will fallback to regular auth
+ Session::start();
+ $auth = StaticContainer::get(SessionAuth::class);
+ $auth->setTokenAuth($tokenAuth);
+ $result = $auth->authenticate();
+ if (!$result->wasAuthenticationSuccessful()) {
+ /**
+ * Ensures brute force logic to be executed
+ * @ignore
+ * @internal
+ */
+ Piwik::postEvent('API.Request.authenticate.failed');
}
+ Session::close();
+ // if not successful, we will fallback to regular auth
}
// access = array ( idsite => accessIdSite, idsite2 => accessIdSite2)
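Review bot: Removing the `!empty($tokenAuth)` guard means `setTokenAuth('')` is now reached whenever `token_auth` is absent, because the `Common::getRequestVar` call at the top of the hunk defaults to `''`; together with the SessionAuth change in this commit, which only skips the comparison for null/false, such a request fails authentication and fires `API.Request.authenticate.failed`, so a session-backed API request that merely omits the token is counted as a failed attempt by the brute-force logic. If that is intended, it deserves a comment above `Session::start()`, e.g. `// token_auth is verified whenever a session is used; an absent or empty token counts as a failed attempt`. Separately, `Session::close()` runs only when `authenticate()` returns normally, so an exception leaves the session open; wrapping the call in try/finally would keep the close unconditional. The enclosing method starts before this hunk.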
diff --git a/core/Session/SessionAuth.php b/core/Session/SessionAuth.php
index 2ee3eaaef7..19e7e24e19 100644
--- a/core/Session/SessionAuth.php
+++ b/core/Session/SessionAuth.php
@@ -119,7 +119,9 @@ class SessionAuth implements Auth
$this->updateSessionExpireTime($sessionFingerprint);
- if (!empty($this->tokenAuth) && $this->tokenAuth !== $sessionFingerprint->getSessionTokenAuth()) {
+ if ($this->tokenAuth !== null
+ && $this->tokenAuth !== false
+ && $this->tokenAuth !== $sessionFingerprint->getSessionTokenAuth()) {
return $this->makeAuthFailure();
}
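Review bot: The comparison on the new third condition is a plain `!==` between a client-supplied credential and the session's token, which is not constant-time; `hash_equals()` is the usual choice for comparing secrets. Since `getSessionTokenAuth()` may return a non-string (the removed `!empty` check suggests null is possible — to confirm against SessionFingerprint), fetch it first with `$expected = $sessionFingerprint->getSessionTokenAuth();` and replace the last condition with `&& !(is_string($expected) && hash_equals($expected, (string) $this->tokenAuth))`. This preserves the commit's intent that an empty-string token is still rejected when it does not match. The enclosing method starts and ends outside the hunk.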