cory/tildefriends
4
5
Fork 1
Code Issues 33 Pull Requests 1 Actions Releases 27 Wiki Activity

Make sure we don't leak the session string when reassigning it.

Browse Source
This commit is contained in:
Cory McWilliams 2024-04-02 12:20:59 -04:00
parent 92a74026a6
commit 0a0b0c1adb
1 changed files with 4 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
src/httpd.js.c
View File

@ -1281,6 +1281,7 @@ static void _httpd_endpoint_login(tf_http_request_t* request)
{ {
if (!have_account && _is_name_valid(account_name) && password && confirm && strcmp(password, confirm) == 0 && _register_account(ssb, account_name, password)) if (!have_account && _is_name_valid(account_name) && password && confirm && strcmp(password, confirm) == 0 && _register_account(ssb, account_name, password))
{ {
tf_free((void*)send_session);
send_session = _make_session_jwt(ssb, account_name); send_session = _make_session_jwt(ssb, account_name);
may_become_first_admin = true; may_become_first_admin = true;
} }
@ -1295,6 +1296,7 @@ static void _httpd_endpoint_login(tf_http_request_t* request)
if (have_account && _is_name_valid(account_name) && new_password && confirm && strcmp(new_password, confirm) == 0 && _verify_password(password, account_passwd) && if (have_account && _is_name_valid(account_name) && new_password && confirm && strcmp(new_password, confirm) == 0 && _verify_password(password, account_passwd) &&
_set_account_password(context, db, account_name, new_password)) _set_account_password(context, db, account_name, new_password))
{ {
tf_free((void*)send_session);
send_session = _make_session_jwt(ssb, account_name); send_session = _make_session_jwt(ssb, account_name);
} }
else else
@ -1307,6 +1309,7 @@ static void _httpd_endpoint_login(tf_http_request_t* request)
{ {
if (have_account && *account_passwd && _verify_password(password, account_passwd)) if (have_account && *account_passwd && _verify_password(password, account_passwd))
{ {
tf_free((void*)send_session);
send_session = _make_session_jwt(ssb, account_name); send_session = _make_session_jwt(ssb, account_name);
may_become_first_admin = true; may_become_first_admin = true;
} }
@ -1318,6 +1321,7 @@ static void _httpd_endpoint_login(tf_http_request_t* request)
} }
else else
{ {
tf_free((void*)send_session);
send_session = _make_session_jwt(ssb, "guest"); send_session = _make_session_jwt(ssb, "guest");
} }
tf_free(post_form_data); tf_free(post_form_data);