mj-saunders
/
epicyon
forked from indymedia/epicyon
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Comments

master
Bob Mottram 2019-09-06 10:45:37 +01:00
parent b1a9a47cdf
commit ec66ac56a8
1 changed files with 3 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
daemon.py
View File

@ -525,6 +525,9 @@ class PubServer(BaseHTTPRequestHandler):
tokenStr=self.headers['Cookie'].split('=',1)[1] tokenStr=self.headers['Cookie'].split('=',1)[1]
if self.server.tokensLookup.get(tokenStr): if self.server.tokensLookup.get(tokenStr):
nickname=self.server.tokensLookup[tokenStr] nickname=self.server.tokensLookup[tokenStr]
# check that the path contains the same nickname as the cookie
# otherwise it would be possible to be authorized to use
# an account you don't own
if '/'+nickname+'/' in self.path: if '/'+nickname+'/' in self.path:
return True return True
if self.path.endswith('/'+nickname): if self.path.endswith('/'+nickname):
@ -653,11 +656,6 @@ class PubServer(BaseHTTPRequestHandler):
self.server.GETbusy=False self.server.GETbusy=False
return return
if htmlGET and authorized and self.path=='/':
self.server.GETbusy=False
self._redirect_headers(actor+'/inbox',cookie)
return
# if not authorized then show the login screen # if not authorized then show the login screen
if htmlGET and self.path!='/login' and self.path!='/': if htmlGET and self.path!='/login' and self.path!='/':
if '/media/' not in self.path and \ if '/media/' not in self.path and \