tobias/friendica
1
0
Fork 0
Code Pull requests Activity

Bug fix: add missing changes.

Browse source
This commit is contained in:
very-ape 2021-05-20 00:19:09 -07:00
parent 9ab57de356
commit c89241dbd8
1 changed files with 12 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

16
src/Model/User.php
View file

@ -523,11 +523,19 @@ class User
try { try {
$user = self::getAuthenticationInfo($user_info); $user = self::getAuthenticationInfo($user_info);
} catch (Exception $e) { } catch (Exception $e) {
if (is_string($user_info)) { // Addons can create users, and creating a numeric username would create
return self::getIdFromAuthenticateHooks($user_info, $password); // abiguity with user IDs, possibly opening up an attack vector.
} else { // So let's be very careful about that.
if (is_numeric($user_info) || is_numeric($user_info['nickname'] ?? '')) {
throw $e; throw $e;
} }
$username = (is_string($user_info) ? $user_info : $user_info['nickname'] ?? '');
if (!$username) {
throw $e;
}
return self::getIdFromAuthenticateHooks($user_info, $password);
} }
if ($third_party && DI::pConfig()->get($user['uid'], '2fa', 'verified')) { if ($third_party && DI::pConfig()->get($user['uid'], '2fa', 'verified')) {
@ -590,7 +598,7 @@ class User
Hook::callAll('authenticate', $addon_auth); Hook::callAll('authenticate', $addon_auth);
if ($addon_auth['authenticated'] && $addon_auth['user_record']) { if ($addon_auth['authenticated'] && $addon_auth['user_record']) {
return $user['uid']; return $addon_auth['user_record']['uid'];
} }
throw new HTTPException\ForbiddenException(DI::l10n()->t('Login failed')); throw new HTTPException\ForbiddenException(DI::l10n()->t('Login failed'));