Bugfix (security): fail session id check on undetermined condition
authorPaul Hänsch <paul@plutz.net>
Thu, 30 May 2019 11:50:13 +0000 (13:50 +0200)
committerPaul Hänsch <paul@plutz.net>
Thu, 30 May 2019 11:50:13 +0000 (13:50 +0200)
session.sh

index 5bf8fad..8ed8d88 100755 (executable)
@@ -62,9 +62,9 @@ update_session(){
   checksig="${checksig%% *}"
   d=$(date +%s)
   
-  if [ "$checksig" != "$sig" \
-    -o "$time" -lt "$d" \
-    -o ! "$(printf %s "$sid" |checkid)" ] 2>&-
+  if ! [ "$checksig" = "$sig" \
+    -a "$time" -ge "$d" \
+    -a "$(printf %s "$sid" |checkid)" ] 2>&-
   then
     debug Setting up new session
     sid="$(randomid)"
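Review bot: The negated test on the added lines now fails closed, but it still depends on a single `[` call with `-a` chaining, which POSIX marks obsolescent and which parses ambiguously when an operand such as `$checksig` or `$sig` happens to look like an operator. Separate tests make each condition independent and keep the same fail-closed result: `if ! { [ "$checksig" = "$sig" ] && [ "$time" -ge "$d" ] && [ -n "$(printf %s "$sid" | checkid)" ]; } 2>&-`. Because the negation is what makes a test error (for example a non-numeric `$time`) invalidate the session, a comment above the `if` would guard against a later refactor back to the OR form, e.g. `# fail closed: any error in these checks must force a new session`. `2>&-` also hides the diagnostic that would reveal a malformed cookie, so a `debug` line for the rejected case may be worth adding; update_session's body continues outside this hunk.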