From 0a0b0c1adbc09a1c9b9972bf00fa4a39aff9f143 Mon Sep 17 00:00:00 2001
From: Cory McWilliams
Date: Tue, 2 Apr 2024 12:20:59 -0400
Subject: [PATCH] Make sure we don't leak the session string when reassigning it.
---
 src/httpd.js.c | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/src/httpd.js.c b/src/httpd.js.c
index a3d77ae83..1fb74aea7 100644
--- a/src/httpd.js.c
+++ b/src/httpd.js.c
@@ -1281,6 +1281,7 @@ static void _httpd_endpoint_login(tf_http_request_t* request)
 {
 if (!have_account && _is_name_valid(account_name) && password && confirm && strcmp(password, confirm) == 0 && _register_account(ssb, account_name, password))
 {
+ tf_free((void*)send_session);
 send_session = _make_session_jwt(ssb, account_name);
 may_become_first_admin = true;
 }
@@ -1295,6 +1296,7 @@ static void _httpd_endpoint_login(tf_http_request_t* request)
 if (have_account && _is_name_valid(account_name) && new_password && confirm && strcmp(new_password, confirm) == 0 && _verify_password(password, account_passwd) && _set_account_password(context, db, account_name, new_password))
 {
+ tf_free((void*)send_session);
 send_session = _make_session_jwt(ssb, account_name);
 }
 else
@@ -1307,6 +1309,7 @@ static void _httpd_endpoint_login(tf_http_request_t* request)
 {
 if (have_account && *account_passwd && _verify_password(password, account_passwd))
 {
+ tf_free((void*)send_session);
 send_session = _make_session_jwt(ssb, account_name);
 may_become_first_admin = true;
 }
@@ -1318,6 +1321,7 @@ static void _httpd_endpoint_login(tf_http_request_t* request)
 }
 else
 {
+ tf_free((void*)send_session);
 send_session = _make_session_jwt(ssb, "guest");
 }
 tf_free(post_form_data);
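Review bot: The added `tf_free((void*)send_session);` in the register branch is only safe if `send_session` always holds NULL or a heap string that `tf_free` may release, and the `(void*)` cast suggests the variable is declared const-qualified, which hides that ownership. The declaration and any earlier assignment are outside this hunk, as are the start and end of `_httpd_endpoint_login`, so it is worth confirming that no path stores a borrowed pointer there (for example one into request or form data). The same free-then-assign pair is repeated in the three later hunks. A comment at the declaration such as `/* Owned: NULL or a heap string; tf_free() before every reassignment. */` would keep a future assignment from reintroducing the leak or freeing memory the variable does not own.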
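Review bot: `password` is passed to `_verify_password(password, account_passwd)` in the change-password condition without a NULL test, although the register branch in the previous hunk checks `password &&` before using it; the login condition in the next hunk has the same shape. Whether `_verify_password` tolerates a NULL argument is not visible here, so if the form can omit that field I would guard it explicitly: `... && password && _verify_password(password, account_passwd) && ...`. The enclosing `if`/`else` chain begins outside the hunk.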