mirror/FreshRSS
0
0
Fork 0
mirror of https://github.com/FreshRSS/FreshRSS.git synced 2026-04-21 14:57:19 -04:00
Code Issues Packages Projects Releases Wiki Activity

Prevent logout CSRFs (#7999)

Browse Source 
By avoiding `FreshRSS_Context::initUser()` calls
This commit is contained in:
Inverle
2025-09-25 21:52:29 +02:00
committed by GitHub
parent 960c6c88a5
commit f8b2b8c415
2 changed files with 6 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
app/Controllers/javascriptController.php
View File

@@ -66,16 +66,16 @@ class FreshRSS_javascript_Controller extends FreshRSS_ActionController {
header('Cache-Control: private, no-cache, no-store, must-revalidate');
header('Pragma: no-cache');
$user = $_GET['user'] ?? '';
if (!is_string($user) || $user === '') {
$user = Minz_Request::paramString('user');
if ($user === '') {
Minz_Error::error(400);
return;
}
FreshRSS_Context::initUser($user);
if (FreshRSS_Context::hasUserConf()) {
$user_conf = get_user_configuration($user);
if ($user_conf !== null) {
try {
$salt = FreshRSS_Context::systemConf()->salt;
$s = FreshRSS_Context::userConf()->passwordHash;
$s = $user_conf->passwordHash;
if (strlen($s) >= 60) {
//CRYPT_BLOWFISH Salt: "$2a$", a two digit cost parameter, "$", and 22 characters from the alphabet "./0-9A-Za-z".
$this->view->salt1 = substr($s, 0, 29);