mirror of
https://we.phorge.it/source/phorge.git
synced 2024-11-23 23:32:40 +01:00
32f91557f8
Summary: This prevents security by obscurity. If I have read-only access to the database then I can pretend to be any logged-in user. I've used `PhabricatorHash::digest()` (even though we don't need salt as the hashed string is random) to be compatible with user log. Test Plan: Applied patch. Verified I'm still logged in. Logged out. Logged in. $ arc tasks Reviewers: epriestley Reviewed By: epriestley CC: aran, Korvin Differential Revision: https://secure.phabricator.com/D6080
22 lines
532 B
PHP
22 lines
532 B
PHP
<?php
|
|
|
|
$table = new PhabricatorUser();
|
|
$table->openTransaction();
|
|
$conn = $table->establishConnection('w');
|
|
|
|
$sessions = queryfx_all(
|
|
$conn,
|
|
'SELECT userPHID, type, sessionKey FROM %T FOR UPDATE',
|
|
PhabricatorUser::SESSION_TABLE);
|
|
|
|
foreach ($sessions as $session) {
|
|
queryfx(
|
|
$conn,
|
|
'UPDATE %T SET sessionKey = %s WHERE userPHID = %s AND type = %s',
|
|
PhabricatorUser::SESSION_TABLE,
|
|
PhabricatorHash::digest($session['sessionKey']),
|
|
$session['userPHID'],
|
|
$session['type']);
|
|
}
|
|
|
|
$table->saveTransaction();
|