X-Git-Url: https://git.infodrom.org/?p=misc%2Fkostenrechnung;a=blobdiff_plain;f=lib%2Flogin.php;h=35e6160379d96b009967a3174e014f015e0e5018;hp=e45b4ecee878e0bf979bd5c3b0f5a4827ab74913;hb=a19c85f249af5dd5db7b0cc62f3ba45243bbb82d;hpb=54045459c06468518b9939531e34629eeb085f09

diff --git a/lib/login.php b/lib/login.php
index e45b4ec..35e6160 100644
--- a/lib/login.php
+++ b/lib/login.php
@@ -17,11 +17,18 @@ function check_passwd()
 
     if ($sth === false) return false;
 
+    if (substr($_SERVER['HTTP_REFERER'],-12) != '/?login=true'
+        || substr($_SERVER['SCRIPT_FILENAME'],-10) != '/index.php') {
+        error_log('Wrong referrer or wrong request uri');
+        return false;
+    }
+
     if ($row = pg_fetch_assoc($sth)) {
         $_SESSION['sys'] = array('uid' => $row['id'],
                                  'login' => $row['login'],
                                  'name' => $row['name'],
-                                 'email' => $row['email']);
+                                 'email' => $row['email'],
+                                 'basedir' => substr($_SERVER['SCRIPT_FILENAME'],0,-9));
         return true;
     }
 
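Review bot: The new referrer check at the top of the hunk reads `$_SERVER['HTTP_REFERER']`, a header the client supplies and that browsers frequently omit (privacy settings, referrer policies), so it neither reliably proves the request came from the login form nor lets such users log in, and on PHP 8 the bare index access emits a warning whenever the header is absent. Treat it as a best-effort hint only: read it as `$_SERVER['HTTP_REFERER'] ?? ''`, compare with `!==` rather than `!=`, and if the goal is to bind the login to the login form, carry a per-session token in the form and check it with `hash_equals()`. The `SCRIPT_FILENAME` suffix test is derived from server configuration and is the only part of the condition that is trustworthy. For `basedir`, `dirname($_SERVER['SCRIPT_FILENAME']) . '/'` states the intent more clearly than `substr(..., 0, -9)`, which silently depends on the script name being exactly nine characters long. check_passwd's body begins and ends outside the hunk.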