From c2e808cc2420f8d870ac0a4aa9cc1f2c90562428 Mon Sep 17 00:00:00 2001
From: Florian Schlichting <fsfs@debian.org>
Date: Sat, 4 Apr 2020 18:10:57 +0200
Subject: [PATCH 2/2] Disallow current time as a session key (fix: #19,
 CVE-2020-11728)

We never set a cookie with the (md5 of the) current time as session key,
so there's no need to allow logging in with this brute-force guessable
value.
---
 inc/Session.php | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/inc/Session.php b/inc/Session.php
index c8f677b..75f429f 100644
--- a/inc/Session.php
+++ b/inc/Session.php
@@ -173,9 +173,9 @@ class Session
     else {
       $sql = "SELECT session.*, usr.* FROM session JOIN usr USING ( user_no )";
     }
-    $sql .= " WHERE session.session_id = ? AND (md5(session.session_start::text) = ? OR session.session_key = ?) ORDER BY session.session_start DESC LIMIT 2";
+    $sql .= " WHERE session.session_id = ? AND session.session_key = ? ORDER BY session.session_start DESC LIMIT 2";
 
-    $qry = new AwlQuery($sql, $session_id, $session_key, $session_key);
+    $qry = new AwlQuery($sql, $session_id, $session_key);
     if ( $qry->Exec('Session') && 1 == $qry->rows() ) {
       $this->AssignSessionDetails( $qry->Fetch() );
       $qry = new AwlQuery('UPDATE session SET session_end = current_timestamp WHERE session_id=?', $session_id);
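Review bot: The lookup built on the new `$sql .=` line matches only `session_id` and `session_key` and puts no bound on the session's age, so a leaked cookie value stays usable for as long as the row exists, unless expiry is enforced somewhere outside this hunk. The `UPDATE session SET session_end = current_timestamp` below suggests `session_end` records last use (to be confirmed), in which case an idle limit could go in the predicate, e.g. `AND session.session_end > current_timestamp - interval '<IDLE_LIMIT>'`. The same predicate is repeated in the hunk at -384 and would need the same condition. The enclosing method starts and ends outside the hunk.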
@@ -384,9 +384,9 @@ class Session
             else {
               $sql = "SELECT session.*, usr.* FROM session JOIN usr USING ( user_no )";
             }
-            $sql .= " WHERE session.session_id = ? AND (md5(session.session_start::text) = ? OR session.session_key = ?) ORDER BY session.session_start DESC LIMIT 2";
+            $sql .= " WHERE session.session_id = ? AND session.session_key = ? ORDER BY session.session_start DESC LIMIT 2";
 
-            $qry = new AwlQuery($sql, $session_id, $session_key, $session_key);
+            $qry = new AwlQuery($sql, $session_id, $session_key);
             if ( $qry->Exec('Session') && 1 == $qry->rows() ) {
               $this->AssignSessionDetails( $qry->Fetch() );
             }
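Review bot: This is a second hand-maintained copy of the session lookup changed in the -173 hunk, and the fix had to be applied to both. Building the `WHERE session.session_id = ? AND session.session_key = ?` clause in one private helper would keep a later change from fixing one site and missing the other. Neither site says why `session_key` is the only accepted secret; a comment above the `$sql .=` line such as `// session_key is the only accepted credential; never match on anything derived from session_start (CVE-2020-11728)` would guard against the fallback being reintroduced. The enclosing method lies outside the hunk.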
-- 
2.25.1

