Closed (won't fix)
Project:
Services
Version:
5.x-1.x-dev
Component:
Code
Priority:
Critical
Category:
Bug report
Assigned:
Reporter:
Created:
4 Dec 2009 at 09:34 UTC
Updated:
29 Apr 2010 at 00:26 UTC
After I have enabled the "Use sessid" options, if I call any service method with a random string as the session id, the services_method_call method do not verify for a valid session id. It only checks for an empty arg as session id.
I am providing a patch for it.
@@ -404,6 +404,9 @@
return services_error(t('Invalid sessid.'));
}
$session_backup = services_session_load($sessid);
+ if (empty($session_backup)) {
+ return services_error(t('Invalid sessid.'));
+ }
}
// Check access
Cheers!
| Comment | File | Size | Author |
|---|---|---|---|
| services.module.diff | 266 bytes | brutuscat |
Comments
Comment #1
marcingy commentedComment #2
gddAs long as it does not treat the session as an actual authenticated or privileged user, and simply treats them as anonymous, then I don't see any reason to fix this.