summaryrefslogtreecommitdiffhomepage
path: root/libs/web
diff options
context:
space:
mode:
authorSteven Barth <steven@midlink.org>2008-08-11 09:59:44 +0000
committerSteven Barth <steven@midlink.org>2008-08-11 09:59:44 +0000
commit673b4e1698a83c7c045a7dbff062a38740e3c750 (patch)
tree893909484520bbd6d4ec2a03c849e3cb8210a081 /libs/web
parent4bb4304974e67bb6d76e8978d16956b437bf8775 (diff)
libs/web: Add an additional sanity check to Session IDs
Diffstat (limited to 'libs/web')
-rw-r--r--libs/web/luasrc/dispatcher.lua3
1 files changed, 2 insertions, 1 deletions
diff --git a/libs/web/luasrc/dispatcher.lua b/libs/web/luasrc/dispatcher.lua
index b74c5bdc25..ca507bebdf 100644
--- a/libs/web/luasrc/dispatcher.lua
+++ b/libs/web/luasrc/dispatcher.lua
@@ -172,7 +172,8 @@ function dispatch(request)
local authen = authenticator[track.sysauth_authenticator]
local def = (type(track.sysauth) == "string") and track.sysauth
local accs = def and {track.sysauth} or track.sysauth
- local user = luci.sauth.read(luci.http.getcookie("sysauth"))
+ local sess = luci.http.getcookie("sysauth"):match("^[A-F0-9]+$")
+ local user = luci.sauth.read(sess)
if not luci.util.contains(accs, user) then
if authen then