diff options
| author | Steven Barth <steven@midlink.org> | 2008-08-11 09:59:44 +0000 |
|---|---|---|
| committer | Steven Barth <steven@midlink.org> | 2008-08-11 09:59:44 +0000 |
| commit | 673b4e1698a83c7c045a7dbff062a38740e3c750 (patch) | |
| tree | 893909484520bbd6d4ec2a03c849e3cb8210a081 | |
| parent | 4bb4304974e67bb6d76e8978d16956b437bf8775 (diff) | |
libs/web: Add an additional sanity check to Session IDs
| -rw-r--r-- | libs/web/luasrc/dispatcher.lua | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/libs/web/luasrc/dispatcher.lua b/libs/web/luasrc/dispatcher.lua index b74c5bdc2..ca507bebd 100644 --- a/libs/web/luasrc/dispatcher.lua +++ b/libs/web/luasrc/dispatcher.lua @@ -172,7 +172,8 @@ function dispatch(request) local authen = authenticator[track.sysauth_authenticator] local def = (type(track.sysauth) == "string") and track.sysauth local accs = def and {track.sysauth} or track.sysauth - local user = luci.sauth.read(luci.http.getcookie("sysauth")) + local sess = luci.http.getcookie("sysauth"):match("^[A-F0-9]+$") + local user = luci.sauth.read(sess) if not luci.util.contains(accs, user) then if authen then |