[Phpfreechat-svn] SF.net SVN: phpfreechat:[1244] trunk/src/pfcuserconfig.class.php
From: <ke...@us...> - 2008-07-30 07:32:48
Revision: 1244 http://phpfreechat.svn.sourceforge.net/phpfreechat/?rev=1244&view=rev Author: kerphi Date: 2008-07-30 07:32:57 +0000 (Wed, 30 Jul 2008) Log Message: ----------- This revision fixes a big security hole. The nickid is a public identifier shared between all the chatters. Before this patch, the nickid was equal to the session_id without any shadow. Now the sessionid is blured. (Many thanks to DrNathan for the report) Modified Paths: -------------- trunk/src/pfcuserconfig.class.php Modified: trunk/src/pfcuserconfig.class.php =================================================================== --- trunk/src/pfcuserconfig.class.php 2008-07-29 14:10:33 UTC (rev 1243) +++ trunk/src/pfcuserconfig.class.php 2008-07-30 07:32:57 UTC (rev 1244) @@ -23,10 +23,10 @@ // start the session : session is used for locking purpose and cache purpose session_name( "phpfreechat" ); if(session_id() == "") session_start(); - - // echo "pfcUserConfig()<br>"; - $this->nickid = session_id(); + // the nickid is a public identifier shared between all the chatters + // this is why the session_id must not be assigned directly to the nickid + $this->nickid = sha1(session_id()); // user parameters are cached in sessions $this->_getParam("nick"); This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
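Review bot: `sha1(session_id())` in the new `$this->nickid` assignment is an unkeyed hash, so the fix only protects one direction: a chatter who sees a nickid can no longer recover the session id, but anyone who can guess or otherwise obtain a session id can still compute the matching nickid, so the scheme rests entirely on PHP's session ids being unpredictable. Consider deriving the public identifier with a keyed hash instead, e.g. `$this->nickid = hash_hmac('sha1', session_id(), $serverSecret);` with a per-installation secret, so the mapping cannot be reproduced without server-side knowledge. Because the digest is deterministic, nickid stays stable for the lifetime of the session, so callers that use it as a per-user key are unaffected. The added two-line comment explaining why the session id must not be exposed is worth keeping, and dropping the stale `// echo "pfcUserConfig()<br>";` debug line is a welcome cleanup.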