Fix security issue: check password before generate a LaTeX document

2012-02-07 10:39:27 +01:00 · 2012-02-07 10:39:27 +01:00 · 47372cf211
commit 47372cf211
parent 92e135f5d6
1 changed files with 7 additions and 4 deletions
--- a/htdocs/gen.php
+++ b/htdocs/gen.php
@ -57,7 +57,7 @@ foreach ($_GET as $k => $t)
    <meta charset="UTF-8">
    <title>.: Pommultimédia - Paste :.</title>
    <link href="style.css" rel="stylesheet" type="text/css">
-    <link href="favicon.ico" type="image/x-icon" rel="shortcut icon"/>
+    <link href="favicon.ico" type="image/x-icon" rel="shortcut icon">
  </head>
  <body>
    <div id="corps" style="text-align: center;">
@ -84,9 +84,12 @@ foreach ($_GET as $k => $t)
      if (!empty($paste->crypt))
      {
        if (!empty($_POST["passwd"]))
-          $paste->crypt($_POST["passwd"]);
-        else
-          $paste->crypt($t);
+          $t = $_POST["passwd"];
+
+        $paste->crypt($t);
+
+        if ($paste->crypt != sha1($t))
+          die ("Bad password");
      }

      $filename = "../gen/".$paste->fileref;