libs/web: Add an additional sanity check to Session IDs
authorSteven Barth <steven@midlink.org>
Mon, 11 Aug 2008 09:59:44 +0000 (09:59 +0000)
committerSteven Barth <steven@midlink.org>
Mon, 11 Aug 2008 09:59:44 +0000 (09:59 +0000)
libs/web/luasrc/dispatcher.lua

index b74c5bdc25afff419f909d768a85c6f4829e4584..ca507bebdf7fdb648e9d6830401de9a522f73b8f 100644 (file)
@@ -172,7 +172,8 @@ function dispatch(request)
                local authen = authenticator[track.sysauth_authenticator]
                local def  = (type(track.sysauth) == "string") and track.sysauth
                local accs = def and {track.sysauth} or track.sysauth
-               local user = luci.sauth.read(luci.http.getcookie("sysauth"))
+               local sess = luci.http.getcookie("sysauth"):match("^[A-F0-9]+$")
+               local user = luci.sauth.read(sess)
                
                if not luci.util.contains(accs, user) then
                        if authen then