Author: Nikita Popov (nikic) Date: 2021-04-08T14:45:33+02:00 Commit: https://github.com/php/web-master/commit/c338969072dedebd43046183d58fc5ca6e8d458c Raw diff: https://github.com/php/web-master/commit/c338969072dedebd43046183d58fc5ca6e8d458c.diff
Rotate cvsauth.php token Also use a separate token for each user of this endpoint. Changed paths: M public/fetch/cvsauth.php Diff:
diff --git a/public/fetch/cvsauth.php b/public/fetch/cvsauth.php
index 3456653..e0aa747 100644
--- a/public/fetch/cvsauth.php
+++ b/public/fetch/cvsauth.php
@@ -63,18 +63,29 @@ function exit_success() {
 exit;
 }

-// Create required variables and kill MQ
-$fields = ["token", "username", "password"];
-foreach($fields as $field) {
- if (isset($_POST[$field])) {
- $$field = $_POST[$field];
- } else {
- exit_forbidden(E_UNKNOWN);
- }
+function is_valid_cvsauth_token($token) {
+ // Legacy token.
+ if (md5($token) === "73864a7c89d97a13368fc213075036d1") {
+ true;
+ }
+
+ $hash = sha1($token);
+ return $hash === 'c3d7b24474fc689f7144bb5c2fd403d939634b7e' // bugs.php.net
+ || $hash === 'd4d4d68b78dc80fff48967ce8dc67e74bb87e903' // wiki.php.net
+ || $hash === 'e201419bb48da4d427eb67e5f3fd108506360e89' // edit.php.net
+ ;
+}
+
+// Create required variables
+if (!isset($_POST['token']) || !isset($_POST['username']) || !isset($_POST['password'])) {
+ exit_forbidden(E_UNKNOWN);
 }

-# token required since this should only get accessed from .php.net sites
-if (!isset($_REQUEST['token']) || md5($_REQUEST['token']) != "73864a7c89d97a13368fc213075036d1") {
+$token = $_POST['token'];
+$username = $_POST['username'];
+$password = $_POST['password'];
+
+if (!is_valid_cvsauth_token($token)) {
 exit_forbidden(E_UNKNOWN);
 }

-- PHP Webmaster List Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
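Review bot: The legacy-token branch in is_valid_cvsauth_token is a no-op: `true;` evaluates a bare expression and never returns, so a request carrying the old md5-matched token falls through to the sha1 checks and is rejected. If the old token is meant to stay accepted while the per-site tokens roll out, the line should read `return true;`; if it is meant to be retired by this commit, delete the branch and its md5 digest instead of leaving a dead check that reads as though it still grants access. The per-site comparisons would also be better expressed as `hash_equals('c3d7b24474fc689f7144bb5c2fd403d939634b7e', $hash)` (and likewise for the other two) rather than `===`, which is the conventional way to compare secret digests in PHP, and the new function could declare its contract as `function is_valid_cvsauth_token(string $token): bool`. The script this hunk belongs to continues outside the hunk on both sides.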