[fix] Security risk due to cache full of different uris

This commit is contained in:
ljf 2021-07-02 17:40:17 +02:00
parent ca2a605dce
commit 6de4b10e81

View file

@ -277,15 +277,6 @@ function refresh_logged_in()
return is_logged_in
end
function log_access(user, uri)
local key = "ACC|"..user.."|"..uri
local block = cache:get(key)
if block == nil then
logger.info("User "..user.."@"..ngx.var.remote_addr.." accesses "..uri)
cache:set(key, "block", 60)
end
end
-- Check whether a user is allowed to access a URL using the `permissions` directive
-- of the configuration file
function has_access(permission, user)
@ -308,7 +299,6 @@ function has_access(permission, user)
-- The user has permission to access the content if he is in the list of allowed users
if element_is_in_table(user, permission["users"]) then
logger.debug("User "..user.." can access "..ngx.var.host..ngx.var.uri..uri_args_string())
log_access(user, ngx.var.host..ngx.var.uri..uri_args_string())
return true
else
logger.debug("User "..user.." cannot access "..ngx.var.uri)