fix: added missing check on length of token

thorsten · Jul 5, 2024 · 0c34d2e · 0c34d2e
1 parent 1972b84
commit 0c34d2e
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 4 deletions.
diff --git a/phpmyfaq/index.php b/phpmyfaq/index.php
@@ -826,6 +826,12 @@
 }
 
 $response->setContent($template->render());
+
+if ('logout' === $action) {
+    $response->headers->set('Cache-Control', 'no-cache, no-store, private');
+    $response->headers->set('Vary', 'Accept-Language, Accept-Encoding, Cookie');
+}
+
 $response->setCache([
     'must_revalidate'  => false,
     'no_cache'         => false,

diff --git a/phpmyfaq/src/phpMyFAQ/User/TwoFactor.php b/phpmyfaq/src/phpMyFAQ/User/TwoFactor.php
@@ -50,11 +50,15 @@ public function generateSecret(): string
     /**
      * Saves a given secret to the current user from the session.
      *
-     * @return true
+     * @param string $secret
+     * @return bool
      */
     public function saveSecret(string $secret): bool
     {
-        $user = CurrentUser::getFromSession($this->config);
+        if (strlen($secret) === 0) {
+            return false;
+        }
+        $user = CurrentUser::getCurrentUser($this->config);
         $user->setUserData(['secret' => $secret]);
         return true;
     }
@@ -70,10 +74,13 @@ public function getSecret(CurrentUser $user): string|null
     /**
      * Validates a given token. Returns true if the token is correct.
      */
-    public function validateToken(string $token, int $userid): bool
+    public function validateToken(string $token, int $userId): bool
     {
+        if (strlen($token) !== 6) {
+            return false;
+        }
         $user = new CurrentUser($this->config);
-        $user->getUserById($userid);
+        $user->getUserById($userId);
         $secret = $user->getUserData('secret');
 
         return $this->twoFactorAuth->verifyCode($secret, $token);