bug fix e5

portal/messaging/secure_chat.php

@@ -45,6 +45,35 @@
     $_SERVER['REMOTE_ADDR'] = 'admin::' . $_SERVER['REMOTE_ADDR'];
 }
 
+// Ensure that username GET or POST parameters are not manipulated
+$usernameManipulatedFlag = false;
+if (!empty($_GET['username']) && ($_GET['username'] != 'currentol')) {
+    if (empty(IS_PORTAL)) {
+        if ($_GET['username'] != ADMIN_USERNAME) {
+            $usernameManipulatedFlag = true;
+        }
+    } else {
+        if ($_GET['username'] != $_SESSION['ptName']) {
+            $usernameManipulatedFlag = true;
+        }
+    }
+}
+if (!empty($_POST['username'])) {
+    if (empty(IS_PORTAL)) {
+        if ($_POST['username'] != ADMIN_USERNAME) {
+            $usernameManipulatedFlag = true;
+        }
+    } else {
+        if ($_POST['username'] != $_SESSION['ptName']) {
+            $usernameManipulatedFlag = true;
+        }
+    }
+}
+if ($usernameManipulatedFlag) {
+    http_response_code(401);
+    die(xlt("Something went wrong"));
+}
+
 use OpenEMR\Core\Header;
 use OpenEMR\PatientPortal\Chat\ChatController;