Author: Nikita Popov (nikic)
Date: 2021-04-08T14:45:33+02:00
Commit:
https://github.com/php/web-master/commit/c338969072dedebd43046183d58fc5ca6e8d458c
Raw diff:
https://github.com/php/web-master/commit/c338969072dedebd43046183d58fc5ca6e8d458c.diff
Rotate cvsauth.php token
Also use a separate token for each user of this endpoint.
Changed paths:
M public/fetch/cvsauth.php
Diff:
diff --git a/public/fetch/cvsauth.php b/public/fetch/cvsauth.php
index 3456653..e0aa747 100644
--- a/public/fetch/cvsauth.php
+++ b/public/fetch/cvsauth.php
@@ -63,18 +63,29 @@ function exit_success() {
exit;
}
-// Create required variables and kill MQ
-$fields = ["token", "username", "password"];
-foreach($fields as $field) {
- if (isset($_POST[$field])) {
- $$field = $_POST[$field];
- } else {
- exit_forbidden(E_UNKNOWN);
- }
+function is_valid_cvsauth_token($token) {
+ // Legacy token.
+ if (md5($token) === "73864a7c89d97a13368fc213075036d1") {
+ true;
+ }
+
+ $hash = sha1($token);
+ return $hash === 'c3d7b24474fc689f7144bb5c2fd403d939634b7e' // bugs.php.net
+ || $hash === 'd4d4d68b78dc80fff48967ce8dc67e74bb87e903' // wiki.php.net
+ || $hash === 'e201419bb48da4d427eb67e5f3fd108506360e89' // edit.php.net
+ ;
+}
+
+// Create required variables
+if (!isset($_POST['token']) || !isset($_POST['username']) ||
!isset($_POST['password'])) {
+ exit_forbidden(E_UNKNOWN);
}
-# token required since this should only get accessed from .php.net sites
-if (!isset($_REQUEST['token']) || md5($_REQUEST['token']) !=
"73864a7c89d97a13368fc213075036d1") {
+$token = $_POST['token'];
+$username = $_POST['username'];
+$password = $_POST['password'];
+
+if (!is_valid_cvsauth_token($token)) {
exit_forbidden(E_UNKNOWN);
}
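Review bot: The legacy-token branch in `is_valid_cvsauth_token` is dead code: line `true;` is a bare expression statement, not `return true;`, so a caller still presenting the old token falls through to the sha1 comparisons and is rejected. If the old token is meant to stay accepted during the rollover the line should read `return true;`; if the rotation is meant to retire it, the whole `if` block should go, and either way the intent should be stated in the comment. The digest comparisons use `===`, which short-circuits on the first differing byte; `hash_equals($expected, $hash)` is the constant-time form and costs nothing here. `$_POST['token']` is also passed straight to `md5()`/`sha1()` without confirming it is a string, so a `token[]=` request reaches the hash functions with an array; an `is_string()` check alongside the `isset()` tests at the top would reject that up front. The rewritten function below keeps the legacy token valid; delete that block if the intent is to retire it.
```php
function is_valid_cvsauth_token($token) {
    // Legacy token, kept only for the rollover; remove once all callers use per-site tokens.
    if (hash_equals("73864a7c89d97a13368fc213075036d1", md5($token))) {
        return true;
    }

    $hash = sha1($token);
    $known = [
        'c3d7b24474fc689f7144bb5c2fd403d939634b7e', // bugs.php.net
        'd4d4d68b78dc80fff48967ce8dc67e74bb87e903', // wiki.php.net
        'e201419bb48da4d427eb67e5f3fd108506360e89', // edit.php.net
    ];
    foreach ($known as $expected) {
        if (hash_equals($expected, $hash)) {
            return true;
        }
    }
    return false;
}
```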