fix-17993-with-session-reopen.patch (1,893 bytes)
commit 5b880f31f19d7eb8378a5c089f40758f66c8b12f
Author: Damien Regad <dregad@mantisbt.org>
Date: 2015-01-02 01:32:41 +0100
Fix captcha validation
Following 7bb78e4581ff1092c811ea96582fe602624cdcdd, it was no longer
possible to validate the captcha, because the PHP session is destroyed
as part of the logout performed in signup.php.
We now retrieve the captcha key from the session before logging out, and
recreate the session variable after that.
Fixes #17993
diff --git a/core/session_api.php b/core/session_api.php
index ff1230a..9f2ab4d 100644
--- a/core/session_api.php
+++ b/core/session_api.php
@@ -171,6 +171,7 @@ class MantisPHPSession extends MantisSession {
}
unset( $_SESSION[ $this->key ] );
+ session_write_close();
}
}
diff --git a/signup.php b/signup.php
index 37f3f27..b63e772 100644
--- a/signup.php
+++ b/signup.php
@@ -37,9 +37,16 @@
$f_email = email_append_domain( trim( $f_email ) );
$f_captcha = utf8_strtolower( trim( $f_captcha ) );
+ # Retrieve captcha key now, as session might get cleared by logout
+ $t_form_key = session_get_int( CAPTCHA_KEY, null );
+
# force logout on the current user if already authenticated
if( auth_is_user_authenticated() ) {
auth_logout();
+ # Restart session and save captcha key again to ensure consistent
+ # behavior when the page is reloaded
+ session_init();
+ session_set( CAPTCHA_KEY, $t_form_key );
}
# Check to see if signup is allowed
@@ -50,8 +57,6 @@
if( ON == config_get( 'signup_use_captcha' ) && get_gd_version() > 0 &&
helper_call_custom_function( 'auth_can_change_password', array() ) ) {
- $t_form_key = session_get( CAPTCHA_KEY );
-
# captcha image requires GD library and related option to ON
$t_key = utf8_strtolower( utf8_substr( md5( config_get( 'password_confirm_hash_magic_string' ) . $t_form_key ), 1, 5) );
