修复登录漏洞

helloxz · Feb 16, 2022 · cbd6aa0 · cbd6aa0
1 parent 6d886fb
commit cbd6aa0
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 3 deletions.
diff --git a/controller/admin.php b/controller/admin.php
@@ -139,7 +139,7 @@ function check_auth($user,$password){
     //获取cookie
     $cookie = $_COOKIE['key'];
     //如果cookie的值和计算的key不一致，则没有权限
-    if( $cookie != $key ){
+    if( $cookie !== $key ){
         $msg = "<h3>认证失败，请<a href = 'index.php?c=login'>重新登录</a>！</h3>";
         require('templates/admin/403.php');
         exit;

diff --git a/controller/login.php b/controller/login.php
@@ -11,7 +11,7 @@
 $cookie = $_COOKIE['key'];
 
 //如果已经登录，直接跳转
-if( $cookie == $key ){
+if( $cookie === $key ){
     header('location:index.php?c=admin');
     exit;
 }
@@ -21,7 +21,7 @@
     $user = $_POST['user'];
     $pass = $_POST['password'];
     header('Content-Type:application/json; charset=utf-8');
-    if( ($user == $username) && ($pass == $password) ) {
+    if( ($user === $username) && ($pass === $password) ) {
         $key = md5($username.$password.'onenav');
         setcookie("key", $key, time()+30 * 24 * 60 * 60,"/");
         $data = [