From patchwork Sun Apr 5 15:06:05 2020
X-Patchwork-Submitter: Lukas Fleischer
X-Patchwork-Id: 1575
From: Lukas Fleischer
To: aur-dev@archlinux.org
Subject: [PATCH 1/2] Fix invalid session ID check
Date: Sun, 5 Apr 2020 11:06:05 -0400
Message-Id: <20200405150606.26586-1-lfleischer@archlinux.org>

Signed-off-by: Lukas Fleischer
--- web/lib/aur.inc.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/web/lib/aur.inc.php b/web/lib/aur.inc.php index dbcc23a..f4ad6b4 100644 --- a/web/lib/aur.inc.php 
+++ b/web/lib/aur.inc.php @@ -50,7 +50,7 @@ function check_sid() { $result = $dbh->query($q); $row = $result->fetch(PDO::FETCH_NUM); - if (!$row[0]) { + if (!$row) { # Invalid SessionID - hacker alert! # $failed = 1;
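Review bot: the new `if (!$row)` test in check_sid() treats a session as invalid only when `$q` returns no row at all, and `$q` is not visible in this hunk. Please confirm that the query yields zero rows for an unknown session ID. If it can return a row with an empty or NULL first column (an aggregate, for example), the invalid-session branch would no longer be reached, where the old `!$row[0]` test did reach it. The commit message also has no body. One sentence saying that `fetch(PDO::FETCH_NUM)` returns false when nothing matches, so the old test indexed a boolean, would make the intent clear to later readers of a session-validation path. Separately, in the unchanged context, `$result` from `$dbh->query($q)` is used without a check. If PDO is not configured to throw exceptions, a failed query returns false and the `->fetch()` call fails before this test runs, so it is worth guarding or confirming the error mode.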