phpBB3 / PHPBB3-10237

Unwatching a forum/topic does not check for correct hash parameter

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: 3.0.8, 3.0.9-RC2
    • Fix Version/s: 3.0.10-RC1
    • Component/s: Other
    • Labels:
      None

      Description

      The URL for watching/unwatching a forum/topic has a hash= parameter.

      $s_watching['link'] = append_sid("{$phpbb_root_path}view$mode.$phpEx", "$u_url=$match_id&" . (($is_watching) ? 'unwatch' : 'watch') . "=$mode&start=$start&hash=" . generate_link_hash("{$mode}_$match_id"));

      However, the parameter is only checked when watching, but not when unwatching:

      $token = request_var('hash', '');
      $redirect_url = append_sid("{$phpbb_root_path}view$mode.$phpEx", "$u_url=$match_id&start=$start");

      if ($_GET['watch'] == $mode && check_link_hash($token, "{$mode}_$match_id"))

      The check should also be added to the unwatching code, if possible.

      bantu said it may be because of the emails, as the user_form_salt can get changed on session_create() and may then throw an error, but that can only happen if the user did not create any session yet, because then he can't get an empty user_form_salt anymore?
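      To make the missing check concrete, here is an added example (not phpBB's own code) that models the link-hash protection around the watch/unwatch action: the branch structure reported above, where only "watch" verifies the hash, beside a version that verifies it for both state changes. The helper names mirror phpBB's generate_link_hash()/check_link_hash(), but their bodies, the session_form_salt() helper and the handle_watch_* functions are simplified assumptions written for this illustration; the request arrays are constructed inline.

```php
<?php
// Added example, not phpBB's implementation: a minimal model of the link-hash
// check around the watch/unwatch action.

// Assumed per-session secret; in phpBB this role is played by user_form_salt.
function session_form_salt(): string
{
    static $salt = null;
    if ($salt === null) {
        $salt = bin2hex(random_bytes(16));
    }
    return $salt;
}

// Derive a short token bound to a named action, e.g. "topic_42" or "forum_7".
// Simplified stand-in for phpBB's generate_link_hash().
function generate_link_hash(string $link_name): string
{
    return substr(hash_hmac('sha256', $link_name, session_form_salt()), 0, 8);
}

// Constant-time comparison; an empty token is never accepted.
function check_link_hash(string $token, string $link_name): bool
{
    return $token !== '' && hash_equals(generate_link_hash($link_name), $token);
}

// The pattern described in this ticket: only the "watch" branch checks the hash.
// Returns the action performed, or 'rejected'.
function handle_watch_vulnerable(array $get, string $mode, int $match_id): string
{
    $token = $get['hash'] ?? '';
    if (($get['watch'] ?? null) === $mode && check_link_hash($token, "{$mode}_$match_id")) {
        return 'watched';
    }
    if (($get['unwatch'] ?? null) === $mode) {
        // No hash check on this branch: any request naming the mode succeeds.
        return 'unwatched';
    }
    return 'rejected';
}

// Hardened form: the hash is verified before either state change.
function handle_watch_fixed(array $get, string $mode, int $match_id): string
{
    $token = $get['hash'] ?? '';
    if (!check_link_hash($token, "{$mode}_$match_id")) {
        return 'rejected';
    }
    if (($get['watch'] ?? null) === $mode) {
        return 'watched';
    }
    if (($get['unwatch'] ?? null) === $mode) {
        return 'unwatched';
    }
    return 'rejected';
}

// Constructed requests: the legitimate link carries the hash generated for
// this session; the forged one does not.
$mode   = 'topic';
$id     = 42;
$legit  = ['unwatch' => $mode, 'hash' => generate_link_hash("{$mode}_$id")];
$forged = ['unwatch' => $mode];

printf("vulnerable, forged unwatch: %s\n", handle_watch_vulnerable($forged, $mode, $id));
printf("fixed, forged unwatch:      %s\n", handle_watch_fixed($forged, $mode, $id));
printf("fixed, legitimate unwatch:  %s\n", handle_watch_fixed($legit, $mode, $id));
```

      Running it shows the vulnerable handler unsubscribing on the forged request while the fixed handler rejects it and still accepts the legitimate link. Checking the hash once, before either branch, is simpler than adding it to each condition and cannot drift out of sync when a third action is added later.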

        Activity

        naderman Nils Adermann added a comment -

        I think the subscribe function is intended to be usable by MODs for forums where the user isn't actually subscribed, so I would say yes.

        nickvergessen Joas Schilling added a comment -

        Well, my question was, whether it is intended that subscribing to a forum requires f_subscribe while you can subscribe to a topic without having the f_subscribe permission.

        (Note: just looked up the permission, and it is named "Can subscribe forum" so it seems to be correct like that)

        bantu Andreas Fischer added a comment -

        Please also get rid of unnecessary braces in if statements etc. you have added with PR256. See coding guidelines.

        nickvergessen Joas Schilling added a comment -

        Fixed it and the comments from github

        brunoais brunoais added a comment -

        Tests show that the check is being made for the hash and didn't find any failures.


          People

          • Assignee: nickvergessen Joas Schilling
          • Reporter: nickvergessen Joas Schilling
          • Votes: 0
          • Watchers: 1