Mitigates vulnerability in API authentication introduced in r3218.

author Jean-Philippe Lang <jp_lang@yahoo.fr>

Wed, 6 Jul 2011 19:02:58 +0000 (19:02 +0000)

committer Jean-Philippe Lang <jp_lang@yahoo.fr>

Wed, 6 Jul 2011 19:02:58 +0000 (19:02 +0000)
author Jean-Philippe Lang <jp_lang@yahoo.fr>
Wed, 6 Jul 2011 19:02:58 +0000 (19:02 +0000)
committer Jean-Philippe Lang <jp_lang@yahoo.fr>
Wed, 6 Jul 2011 19:02:58 +0000 (19:02 +0000)
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb

index e3f768645e37ca84592ed5ece75b7dd4b8cf4804..e23f8b10892b85c3dffed267219aa8ef1f10acac 100644 (file)
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -71,7 +71,7 @@ class ApplicationController < ActionController::Base
        user = User.try_to_autologin(cookies[:autologin])
        session[:user_id] = user.id if user
        user
-    elsif params[:format] == 'atom' && params[:key] && accept_key_auth_actions.include?(params[:action])
+    elsif params[:format] == 'atom' && request.get? && params[:key] && accept_key_auth_actions.include?(params[:action])
        # RSS key authentication does not start a session
        User.find_by_rss_key(params[:key])
      elsif Setting.rest_api_enabled? && api_request?
author	Jean-Philippe Lang <jp_lang@yahoo.fr>
	Wed, 6 Jul 2011 19:02:58 +0000 (19:02 +0000)
committer	Jean-Philippe Lang <jp_lang@yahoo.fr>
	Wed, 6 Jul 2011 19:02:58 +0000 (19:02 +0000)