Summary | redirect.php - bug |
Queue | IMP |
Queue Version | 4.1.1 |
Type | Bug |
State | Duplicate |
Priority | 1. Low |
Owners | |
Requester | maciej.niemir (at) ilim (dot) poznan (dot) pl |
Created | 06/05/2006 (6947 days ago) |
Due | |
Updated | 06/05/2006 (6947 days ago) |
Assigned | 06/05/2006 (6947 days ago) |
Resolved | 06/05/2006 (6947 days ago) |
Github Issue Link | |
Github Pull Request | |
Milestone | |
Patch | No |
State ⇒ Duplicate
bug 3807 and http://cvs.horde.org/diff.php?r1=1.116.2.12&r2=1.116.2.13&f=imp%2Fredirect.php
In redirect.php is:
    /* If we already have a session: */
    if (isset($_SESSION['imp']) && is_array($_SESSION['imp'])) {
        /* Make sure that if a username was specified, it is the current
         * username. */
        if (($imapuser !== null && ($imapuser == $_SESSION['imp']['user'])) &&
            ($pass !== null && ($pass ==
             Secret::read(Secret::getKey('imp'), $_SESSION['imp']['pass'])))) {
            /* Disable the old session. */
            unset($_SESSION['imp']);
            _redirect(Auth::addLogoutParameters(IMP::logoutUrl(),
                                                AUTH_REASON_FAILED));
        }
but it isn't correct; we should destroy the old session and redirect to
"failed" only when the user or password in the session differ from those in
$_POST, not when they are the same!
State ⇒ Feedback
block, it's much clearer what you're changing that way.
State ⇒ Unconfirmed
Priority ⇒ 1. Low
Type ⇒ Bug
Summary ⇒ redirect.php - bug
Queue ⇒ IMP
        if (($imapuser !== null && ($imapuser !== $_SESSION['imp']['user'])) &&
            ($pass !== null && ($pass !==
             Secret::read(Secret::getKey('imp'), $_SESSION['imp']['pass'])))) {
            /* Disable the old session. */
            unset($_SESSION['imp']);
            _redirect(Auth::addLogoutParameters(IMP::logoutUrl(),
                                                AUTH_REASON_FAILED));
        }
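To see how the two conditions in this ticket actually behave, here is an added example (not Horde's code and not part of the ticket) that evaluates the original `==` test, the `!==`/`&&` test proposed above, and a third variant that drops the session when either field differs, over a constructed session and a few credential pairs. `stored_pass()` is a hypothetical stand-in for `Secret::read(Secret::getKey('imp'), ...)`, since only the comparison logic matters here.

```php
<?php
// Added example, not Horde/IMP code: the session-check conditions from the
// ticket as pure functions, evaluated over constructed inputs so each case
// can be compared side by side.

function stored_pass(array $session): ?string {
    // Hypothetical stand-in for Secret::read(Secret::getKey('imp'), $session['pass']).
    return $session['pass'] ?? null;
}

// Condition as it appears in the first excerpt of the ticket (== on both fields).
function invalidates_original(array $session, ?string $user, ?string $pass): bool {
    return ($user !== null && $user == $session['user'])
        && ($pass !== null && $pass == stored_pass($session));
}

// Condition as proposed in the report (!== on both fields, joined with &&).
function invalidates_proposed(array $session, ?string $user, ?string $pass): bool {
    return ($user !== null && $user !== $session['user'])
        && ($pass !== null && $pass !== stored_pass($session));
}

// Variant that treats a mismatch in either field as a different login.
function invalidates_either(array $session, ?string $user, ?string $pass): bool {
    return ($user !== null && $user !== $session['user'])
        || ($pass !== null && $pass !== stored_pass($session));
}

$session = ['user' => 'alice', 'pass' => 'secret1'];   // constructed session
$cases = [                                              // constructed $_POST pairs
    'same user, same pass'    => ['alice', 'secret1'],
    'other user, same pass'   => ['bob',   'secret1'],
    'same user, other pass'   => ['alice', 'wrong'],
    'other user, other pass'  => ['bob',   'wrong'],
    'no credentials supplied' => [null,    null],
];

printf("%-26s %-9s %-9s %-9s\n", 'case', 'original', 'proposed', 'either');
foreach ($cases as $label => [$u, $p]) {
    printf("%-26s %-9s %-9s %-9s\n", $label,
        var_export(invalidates_original($session, $u, $p), true),
        var_export(invalidates_proposed($session, $u, $p), true),
        var_export(invalidates_either($session, $u, $p), true));
}
```

The table shows the original test tearing down the session only for a matching login, while the proposed `&&` form tears it down only when both fields differ; a changed username with an unchanged password (or the reverse) keeps the old session under both, and only the `||` variant treats it as a different login.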