[BUGFIX] Information disclosure during backend login
authorHelmut Hummel <helmut.hummel@typo3.org>
Wed, 27 Jul 2011 10:27:06 +0000 (12:27 +0200)
committerOliver Hader <oliver@typo3.org>
Wed, 27 Jul 2011 10:28:24 +0000 (12:28 +0200)
Change-Id: I04cffe3eae59b281be409f70e6adaa7539a3a409
Resolves: #24456
Reviewed-on: http://review.typo3.org/3739
Reviewed-by: Oliver Hader
Tested-by: Oliver Hader
t3lib/class.t3lib_userauth.php
typo3/sysext/workspaces

index 712baf6..af56025 100644 (file)
@@ -252,6 +252,9 @@ class t3lib_userAuth {
                        // Make certain that NO user is set initially
                $this->user = '';
 
+                       // We need a PHP session session for most login levels
+               session_start();
+
                        // Check to see if anyone has submitted login-information and if so register the user with the session. $this->user[uid] may be used to write log...
                $this->checkAuthentication();
 
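Review bot: The added `session_start();` runs unconditionally, so if a session has already been started earlier in the request (another component, or a second instantiation of this class) PHP emits an "A session had already been started" notice and the call is a no-op; a guard keeps the intent of the fix while avoiding that, e.g. `if (session_id() === '') { session_start(); }` (on PHP 5.4+ `session_status() !== PHP_SESSION_ACTIVE` is the equivalent check). The second hunk removes the only other `session_start()`, so this call is presumably now the sole thing guaranteeing that `$_SESSION['login_challenge']` exists when checkAuthentication() compares it; the comment should say so rather than the vague "most login levels", and it currently reads "PHP session session" (doubled word), e.g. `// Start the PHP session here so checkAuthentication() can read $_SESSION['login_challenge']`. The enclosing method starts before and ends after this hunk.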
@@ -1299,7 +1302,6 @@ class t3lib_userAuth {
 
                                        // Check challenge stored in cookie:
                                if ($this->challengeStoredInCookie) {
-                                       session_start();
                                        if ($_SESSION['login_challenge'] !== $loginData['chalvalue']) {
                                                if ($this->writeDevLog) {
                                                        t3lib_div::devLog('PHP Session stored challenge "' . $_SESSION['login_challenge'] . '" and submitted challenge "' . $loginData['chalvalue'] . '" did not match, so authentication failed!', 't3lib_userAuth', 2);
index 37d8823..0310d43 160000 (submodule)
@@ -1 +1 @@
-Subproject commit 37d88239ebad97827bf617fc61fe872cb42fe3a0
+Subproject commit 0310d436b775143e18332e8a9ae0c698662f34f5