From 41b4888a36d68a666995562ff3edb3e55f64b9cd Mon Sep 17 00:00:00 2001
From: Brady Miller
Date: Sun, 24 Jul 2022 20:09:44 -0700
Subject: [PATCH] bug fix e5
---
 portal/messaging/secure_chat.php | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)
diff --git a/portal/messaging/secure_chat.php b/portal/messaging/secure_chat.php
index bd33ec737b1..2f21efa7309 100644
--- a/portal/messaging/secure_chat.php
+++ b/portal/messaging/secure_chat.php
@@ -45,6 +45,35 @@ $_SERVER['REMOTE_ADDR'] = 'admin::' . $_SERVER['REMOTE_ADDR'];
 }
+// Ensure that username GET or POST parameters are not manipulated
+$usernameManipulatedFlag = false;
+if (!empty($_GET['username']) && ($_GET['username'] != 'currentol')) {
+ if (empty(IS_PORTAL)) {
+ if ($_GET['username'] != ADMIN_USERNAME) {
+ $usernameManipulatedFlag = true;
+ }
+ } else {
+ if ($_GET['username'] != $_SESSION['ptName']) {
+ $usernameManipulatedFlag = true;
+ }
+ }
+}
+if (!empty($_POST['username'])) {
+ if (empty(IS_PORTAL)) {
+ if ($_POST['username'] != ADMIN_USERNAME) {
+ $usernameManipulatedFlag = true;
+ }
+ } else {
+ if ($_POST['username'] != $_SESSION['ptName']) {
+ $usernameManipulatedFlag = true;
+ }
+ }
+}
+if ($usernameManipulatedFlag) {
+ http_response_code(401);
+ die(xlt("Something went wrong"));
+}
+
 use OpenEMR\Core\Header;
 use OpenEMR\PatientPortal\Chat\ChatController;