Author: jfthomps
Date: Mon Aug 17 16:32:17 2015
New Revision: 1696318
URL: http://svn.apache.org/r1696318
Log:
VCL-809 - Information disclosure when accessing page you don't have access to
utils.php:
-modified initGlobals: if user is authed and mode is selectauth, set $mode to
"main" (we were setting it to "home"); also added check that if $mode doesn't
exist in $actions['pages'], set $mode to "main"
-modified menulistLI: if $mymode is empty, set $mode to "main" (we were setting
it to "home")
Modified:
vcl/trunk/web/.ht-inc/utils.php
Modified: vcl/trunk/web/.ht-inc/utils.php
URL:
http://svn.apache.org/viewvc/vcl/trunk/web/.ht-inc/utils.php?rev=1696318&r1=1696317&r2=1696318&view=diff
==============================================================================
--- vcl/trunk/web/.ht-inc/utils.php (original)
+++ vcl/trunk/web/.ht-inc/utils.php Mon Aug 17 16:32:17 2015
@@ -151,7 +151,11 @@ function initGlobals() {
# end auth check
if($authed && $mode == 'selectauth')
- $mode = 'home';
+ $mode = 'main';
+
+ # check that mode is valid
+ if(! array_key_exists($mode, $actions['pages']))
+ $mode = 'main';
if(! $authed) {
# set $skin based on cookie (so it gets set before user logs in
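Review bot: The added `array_key_exists($mode, $actions['pages'])` check assumes `$mode` is a string or integer, and where `$mode` is populated is not visible in this hunk. If it can arrive from the request as an array, older PHP emits a warning and PHP 8 throws a TypeError instead of falling back quietly, and an error message shown to the client would undercut an information-disclosure fix. A type guard keeps the fallback deterministic: `if(! is_string($mode) || ! array_key_exists($mode, $actions['pages']))`. The comment could also record the reason, e.g. `# VCL-809: a mode not registered in $actions['pages'] falls back to main`. initGlobals starts and ends outside the hunk, so the ordering relative to earlier uses of `$mode` could not be checked here.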
@@ -12285,7 +12289,7 @@ function menulistLI($page) {
global $mode, $actions, $inContinuation;
$mymode = $mode;
if(empty($mymode))
- $mymode = "home";
+ $mymode = "main";
$testval = $actions['pages'][$mymode];
if($inContinuation) {
$obj = getContinuationVar('obj');
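Review bot: `$testval = $actions['pages'][$mymode];` directly below the changed line still indexes with an unvalidated key. Only an empty `$mymode` is defaulted, so a non-empty mode missing from `$actions['pages']` raises an undefined-index notice and leaves `$testval` null. This presumably relies on initGlobals having already normalised `$mode`, which the hunk cannot confirm. Repeating the check locally removes that ordering dependency: `if(empty($mymode) || ! array_key_exists($mymode, $actions['pages']))`. menulistLI's body continues outside the hunk.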