Sulkta-OSS/dynmap-neoforge
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Merge pull request #2475 from Ry0taK/v3.0

Browse source 
Fix required login bypass vulnerability
This commit is contained in:
mikeprimm 2019-05-04 11:28:31 -05:00 committed by GitHub
commit 641f142cd3
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 5 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

6
DynmapCore/src/main/java/org/dynmap/servlet/MapStorageResourceHandler.java
View file

@ -46,7 +46,11 @@ public class MapStorageResourceHandler extends AbstractHandler {
int soff = 0, eoff; int soff = 0, eoff;
// We're handling this request // We're handling this request
baseRequest.setHandled(true); baseRequest.setHandled(true);
if(core.getLoginRequired()
&& request.getSession(true).getAttribute(LoginServlet.USERID_ATTRIB) == null){
response.sendError(HttpStatus.UNAUTHORIZED_401);
return;
}
if (path.charAt(0) == '/') soff = 1; if (path.charAt(0) == '/') soff = 1;
eoff = path.indexOf('/', soff); eoff = path.indexOf('/', soff);
if (soff < 0) { if (soff < 0) {