author | Thomas Steur <tsteur@users.noreply.github.com> | 2020-09-30 12:33:36 +0300 |
committer | GitHub <noreply@github.com> | 2020-09-30 12:33:36 +0300 |
commit | f870c8ecd4b4f30fa5108bc098c12e2ddb5d852c (patch) | |
tree | d5db860a415357ac2666b0dcd025d0f296d31d4b /core | |
parent | 071d35296aa8bf936cf4b917d883d02821037d7a (diff) |
Compare session token in any case (#16448)
* Compare token if value is 0
* when session is used always verify token
* also compare if a string is set
* update travis
Co-authored-by: sgiehl <stefan@matomo.org>
Diffstat (limited to 'core')
-rw-r--r-- | core/Access.php | 28 | ||||
-rw-r--r-- | core/Session/SessionAuth.php | 4 |
2 files changed, 16 insertions, 16 deletions
diff --git a/core/Access.php b/core/Access.php
index 87043193ad..cc308e23f8 100644
--- a/core/Access.php
+++ b/core/Access.php
@@ -166,22 +166,20 @@ class Access
 if (($forceApiSessionPost && $isApiRequest) || ($forceApiSessionGet && $isApiRequest && $isGetApiRequest)) {
 $request = ($forceApiSessionGet && $isApiRequest && $isGetApiRequest) ? $_GET : $_POST;
 $tokenAuth = Common::getRequestVar('token_auth', '', 'string', $request);
- if (!empty($tokenAuth)) {
- Session::start();
- $auth = StaticContainer::get(SessionAuth::class);
- $auth->setTokenAuth($tokenAuth);
- $result = $auth->authenticate();
- if (!$result->wasAuthenticationSuccessful()) {
- /**
- * Ensures brute force logic to be executed
- * @ignore
- * @internal
- */
- Piwik::postEvent('API.Request.authenticate.failed');
- }
- Session::close();
- // if not successful, we will fallback to regular auth
+ Session::start();
+ $auth = StaticContainer::get(SessionAuth::class);
+ $auth->setTokenAuth($tokenAuth);
+ $result = $auth->authenticate();
+ if (!$result->wasAuthenticationSuccessful()) {
+ /**
+ * Ensures brute force logic to be executed
+ * @ignore
+ * @internal
+ */
+ Piwik::postEvent('API.Request.authenticate.failed');
 }
+ Session::close();
+ // if not successful, we will fallback to regular auth
 }
 // access = array ( idsite => accessIdSite, idsite2 => accessIdSite2)
diff --git a/core/Session/SessionAuth.php b/core/Session/SessionAuth.php
index 2ee3eaaef7..19e7e24e19 100644
--- a/core/Session/SessionAuth.php
+++ b/core/Session/SessionAuth.php
@@ -119,7 +119,9 @@ class SessionAuth implements Auth
 $this->updateSessionExpireTime($sessionFingerprint);
- if (!empty($this->tokenAuth) && $this->tokenAuth !== $sessionFingerprint->getSessionTokenAuth()) {
+ if ($this->tokenAuth !== null
+ && $this->tokenAuth !== false
+ && $this->tokenAuth !== $sessionFingerprint->getSessionTokenAuth()) {
 return $this->makeAuthFailure();
 } |
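Review bot: With the `if (!empty($tokenAuth))` guard gone, a request that simply omits `token_auth` now reaches `SessionAuth` with the `''` default from `Common::getRequestVar`, and since the new `SessionAuth` comparison only skips `null`/`false`, an empty token mismatches the session token and `API.Request.authenticate.failed` is posted for that request too. If the brute-force handler attached to that event counts every failure (not visible here), legitimate clients that never send a token but happen to carry a session cookie could accumulate failed attempts; worth confirming against that handler, and if a missing token should not count as a guess, gating the event on `$tokenAuth !== ''` while still letting the session auth fail. The reason for always running the session check also deserves a comment where `Session::start()` now sits, e.g. `// Always verify the token against the session here: a session cookie alone must never grant access, even when token_auth is empty`. Note also that `Session::close()` is skipped if `authenticate()` throws, both before and after this change. The enclosing method of `Access` starts before this hunk.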