From 2fb947eb21cd14225034cc91e48a102d026bfcd2 Mon Sep 17 00:00:00 2001
From: Andrew Dolgov
Date: Thu, 7 Jun 2012 10:13:05 +0400
Subject: [PATCH] prevent session modification in public/rss
---
 classes/public_handler.php | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/classes/public_handler.php b/classes/public_handler.php
index 51ba48fed..5b7b523b9 100644
--- a/classes/public_handler.php
+++ b/classes/public_handler.php
@@ -30,7 +30,7 @@ class Public_Handler extends Handler {
 $feed_self_url = get_self_url_prefix() . "/public.php?op=rss&id=-2&key=" .
- get_feed_access_key($this->link, -2, false);
+ get_feed_access_key($this->link, -2, false, $owner_uid);
 if (!$feed_site_url) $feed_site_url = get_self_url_prefix();
@@ -294,9 +294,7 @@ class Public_Handler extends Handler {
 } if ($owner_id) {
- $_SESSION['uid'] = $owner_id;
-
- $this->generate_syndicated_feed(0, $feed, $is_cat, $limit,
+ $this->generate_syndicated_feed($owner_id, $feed, $is_cat, $limit,
 $search, $search_mode, $match_on, $view_mode); } else { header('HTTP/1.1 403 Forbidden');
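Review bot: The added `get_feed_access_key($this->link, -2, false, $owner_uid)` call still looks up the key for feed `-2`, and the self link advertises `id=-2`, regardless of which feed is being rendered. If this function also serves other feeds (the call in the second hunk passes `$feed` and `$is_cat`), a reader holding the key for one feed would be handed the owner's key for feed `-2` in the output. Assuming the second and third arguments are the feed id and category flag, the lookup would become `get_feed_access_key($this->link, $feed, $is_cat, $owner_uid)`, with the URL built from the same values. The enclosing function starts and ends outside the hunk, so any remaining `$_SESSION['uid']` reads in it should be checked as well now that the caller no longer sets it.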
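Review bot: Nothing at this call site records why the owner id is passed as an argument instead of through the session, so a later refactor could reintroduce the `$_SESSION['uid']` write. A comment above the call such as `// public endpoint: pass the key owner's uid explicitly, never store it in $_SESSION` would pin that down. Sessions created through the old path still hold the owner's uid until they expire, so the change should ship with a note to flush stored sessions. The enclosing method starts and ends outside the hunk, so how `$owner_id` is derived from the key is not visible here.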