function login() {
if (!SINGLE_USER_MODE) {
+ /* if a session is started here there's a stale login cookie we need to clean */
+
+ if (session_status() != PHP_SESSION_NONE) {
+ $_SESSION["login_error_msg"] = __("Stale session cookie found, try logging in again");
+
+ header("Location: " . get_self_url_prefix());
+ exit;
+ }
$login = clean($_POST["login"]);
$password = clean($_POST["password"]);
session_set_cookie_params(0);
}
- @session_start();
-
if (authenticate_user($login, $password)) {
$_POST["password"] = "";
}
}
} else {
- $_SESSION["login_error_msg"] = __("Incorrect username or password");
+
+ // start an empty session to deliver login error message
+ @session_start();
+
+ if (!isset($_SESSION["login_error_msg"]))
+ $_SESSION["login_error_msg"] = __("Incorrect username or password");
+
user_error("Failed login attempt for $login from {$_SERVER['REMOTE_ADDR']}", E_USER_WARNING);
}
}
function cached_url() {
- @$hash = basename($_GET['hash']);
+ @$req_filename = basename($_GET['hash']);
// we don't need an extension to find the file, hash is a complete URL
- $hash = preg_replace("/\.[^\.]*$/", "", $hash);
+ $hash = preg_replace("/\.[^\.]*$/", "", $req_filename);
if ($hash) {
$filename = CACHE_DIR . '/images/' . $hash;
if (file_exists($filename)) {
- header("Content-Disposition: inline; filename=\"$hash\"");
+ header("Content-Disposition: inline; filename=\"$req_filename\"");
send_local_file($filename);