fix: Security bug in session env

This commit is contained in:
JT Smith 2006-07-11 20:32:46 +00:00
parent 63b22dc502
commit a440cb5f41
10 changed files with 30 additions and 16 deletions

View file

@ -1091,7 +1091,7 @@ sub www_process {
assetId=>$self->getId,
userId=>$self->session->user->userId,
username=>$self->session->user->username,
ipAddress=>$self->session->env->get("REMOTE_ADDR"),
ipAddress=>$self->session->env->getIp,
submissionDate=>$self->session->datetime->time()
},0);
my ($var, %row, @errors, $updating, $hadErrors);

View file

@ -28,7 +28,7 @@ sub _hasVoted {
my $self = shift;
my ($hasVoted) = $self->session->db->quickArray("select count(*) from Poll_answer
where assetId=".$self->session->db->quote($self->getId)." and ((userId=".$self->session->db->quote($self->session->user->userId)."
and userId<>'1') or (userId=".$self->session->db->quote($self->session->user->userId)." and ipAddress='".$self->session->env->get("REMOTE_ADDR")."'))");
and userId<>'1') or (userId=".$self->session->db->quote($self->session->user->userId)." and ipAddress='".$self->session->env->getIp."'))");
return $hasVoted;
}
@ -412,7 +412,7 @@ sub www_vote {
my $self = shift;
my $u;
if ($self->session->form->process("answer") ne "" && $self->session->user->isInGroup($self->get("voteGroup")) && !($self->_hasVoted())) {
$self->setVote($self->session->form->process("answer"),$self->session->user->userId,$self->session->env->get("REMOTE_ADDR"));
$self->setVote($self->session->form->process("answer"),$self->session->user->userId,$self->session->env->getIp);
if ($self->session->setting->get("useKarma")) {
$self->session->user->karma($self->get("karmaPerVote"),"Poll (".$self->getId.")","Voted on this poll.");
}

View file

@ -322,7 +322,7 @@ sub getEditForm {
#-------------------------------------------------------------------
sub getIp {
my $self = shift;
my $ip = ($self->get("anonymous")) ? substr(md5_hex($self->session->env->get("REMOTE_ADDR")),0,8) : $self->session->env->get("REMOTE_ADDR");
my $ip = ($self->get("anonymous")) ? substr(md5_hex($self->session->env->getIp),0,8) : $self->session->env->getIp;
return $ip;
}