[OBM Admin] user id handling change
Bán Miklós
banm at vocs.unideb.hu
Wed Nov 23 10:55:53 CET 2016
Hi All,
I've realised a weakness with users' id handling. I used the real SQL
id in GET requests, which wasn't a wise thing.
Therefore I changed the code to use an encrypted string instead of it.
All requests like this:
http://openbiomaps.org/projects/dinpi/index.php?userprofile&id=1
changed to something like this:
http://openbiomaps.org/projects/dinpi/index.php?userprofile&id=be19Wwd4IslHg
Only one modification is necessary in the biomaps SQL database:
UPDATE users SET "user"= crypt(id::text, email)
I ran it on all servers except the GEKKOs! If you have a gekko and you
would like to follow the software updates, please run this SQL code
yourself!
Later I will extend the deb package to make these kinds of updates
automatically.
Miki
--
Miklós Bán, PhD
MTA-DE "Lendület" Behavioural Ecology Research Group
Department of Evolutionary Zoology, University of Debrecen
H-4010 Debrecen, Egyetem tér 1.
Phone: +36 52 512-900 ext. 62356
http://zoology.unideb.hu/?m=Miklos_Ban
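The change described in the mail, as an added example that is not OBM's own code: a constructed in-memory users table is migrated to an opaque "user" token (HMAC-SHA256 with a server secret stands in for PostgreSQL's crypt(id::text, email), since the verifier's Python may lack the crypt module), and the userprofile lookup is done by that token only, so a guessed sequential id no longer resolves.

```python
import hashlib
import hmac
import sqlite3

# Constructed sample rows; the real OBM users table lives in PostgreSQL.
SAMPLE_USERS = [
    (1, "alice@example.org"),
    (2, "bob@example.org"),
    (3, "carol@example.org"),
]

# Assumption: a server-side secret. With crypt(id::text, email) the email is
# the salt; HMAC with a secret is the stand-in used here.
SECRET = b"constructed-secret-do-not-reuse"


def opaque_id(user_id: int, email: str) -> str:
    """Derive the public token stored in the "user" column."""
    msg = f"{user_id}:{email}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:16]


def migrate(conn: sqlite3.Connection) -> None:
    """Counterpart of: UPDATE users SET "user" = crypt(id::text, email)"""
    for user_id, email in conn.execute("SELECT id, email FROM users").fetchall():
        conn.execute('UPDATE users SET "user" = ? WHERE id = ?',
                     (opaque_id(user_id, email), user_id))
    conn.commit()


def setup() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    # UNIQUE on "user": the public token must identify exactly one account.
    conn.execute('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, '
                 '"user" TEXT UNIQUE)')
    conn.executemany("INSERT INTO users (id, email) VALUES (?, ?)", SAMPLE_USERS)
    migrate(conn)
    return conn


def profile_by_token(conn: sqlite3.Connection, token: str):
    """Handler for index.php?userprofile&id=<token>: look up by the opaque
    token only, never by the numeric primary key."""
    return conn.execute('SELECT id, email FROM users WHERE "user" = ?',
                        (token,)).fetchone()  # None if no account matches


if __name__ == "__main__":
    db = setup()
    print(profile_by_token(db, opaque_id(1, "alice@example.org")))
    print(profile_by_token(db, "1"))  # None: numeric ids no longer resolve
```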