double auth possible

author: Cassio de Campos <cassiopc@gmail.com> 2017-08-18 15:31:06 +0000
committer: Cassio de Campos <cassiopc@gmail.com> 2017-08-18 15:31:06 +0000
commit: 3af30fdde793ebe24595900740636e26dc6de7c3 (patch)
tree: 0e296f6db6d106ab20385a07c07aff0ea48c0a65 /src
parent: 9f5042d57a0656fa3d0d87e5457d3a8c8876023a (diff)
download: boca-3af30fdde793ebe24595900740636e26dc6de7c3.tar.gz
boca-3af30fdde793ebe24595900740636e26dc6de7c3.zip
1 files changed, 2 insertions, 1 deletions
diff --git a/src/updatessh.php b/src/updatessh.php
index b0c41f0..fe9ded9 100644
--- a/src/updatessh.php
+++ b/src/updatessh.php
@@ -43,7 +43,8 @@ if(isset($_POST["data"]) && $_POST["data"] != "" ) {
   for($i = 0; $i < count($secrets); $i++) {
     $secret = explode(' ', $secrets[$i]);
     $p = myhash($secret[1] . session_id());
-    if($p == $password && $secret[0] == $name) {
+    $p2 = myhash($secret[2] . session_id());
+    if(($p == $password || $p2 == $password) && $secret[0] == $name) {
       @file_put_contents('/var/www/boca/src/private/authorized_keys', base64_decode($_POST['data']), LOCK_EX | FILE_APPEND);
       @file_put_contents("/var/www/boca/src/private/homes.log", $name . '|' . sanitizeFilename($_POST["comp"]) . '|' . date(DATE_RFC2822) . "\n", LOCK_EX | FILE_APPEND);
       if(($key = @file_get_contents('/var/www/boca/src/private/sshkey')) === false)
author	Cassio de Campos <cassiopc@gmail.com>	2017-08-18 15:31:06 +0000
committer	Cassio de Campos <cassiopc@gmail.com>	2017-08-18 15:31:06 +0000
commit	3af30fdde793ebe24595900740636e26dc6de7c3 (patch)
tree	0e296f6db6d106ab20385a07c07aff0ea48c0a65 /src
parent	9f5042d57a0656fa3d0d87e5457d3a8c8876023a (diff)
download	boca-3af30fdde793ebe24595900740636e26dc6de7c3.tar.gz boca-3af30fdde793ebe24595900740636e26dc6de7c3.zip