Close session when sending binary files. Could create a race condition with tryLogUserFromCookie.

Author: cdujeu

core/src/core/classes/class.ConfService.php

@@ -462,11 +462,10 @@ public function switchRootDirInst($rootDirIndex=-1, $temporary=false)
                 }
             }
         } else {
-            /*
-            if (isSet($this->configs["REPOSITORY"]) && $this->configs["REPOSITORY"] == $rootDirIndex) {
-                return;
+            $object = self::getRepositoryById($rootDirIndex);
+            if($object == null || !self::repositoryIsAccessible($rootDirIndex, $object)) {
+                throw new Exception("Trying to switch to an unauthorized repository");
             }
-            */
             if ($temporary && (isSet($_SESSION['REPO_ID']) || $this->contextRepositoryId != null)) {
                 $crtId =  self::$useSession ? $_SESSION['REPO_ID']  : $this->contextRepositoryId;
                 if ($crtId != $rootDirIndex && !isSet($_SESSION['SWITCH_BACK_REPO_ID'])) {

core/src/plugins/core.conf/class.AbstractConfDriver.php

@@ -1241,6 +1241,7 @@ public function switchAction($action, $httpVars, $fileVars)
                 if (isSet($httpVars["tmp_file"])) {
                     $file = AJXP_Utils::getAjxpTmpDir()."/".AJXP_Utils::securePath($httpVars["tmp_file"]);
                     if (isSet($file)) {
+                        session_write_close();
                         header("Content-Type:image/png");
                         readfile($file);
                     }
@@ -1253,12 +1254,14 @@ public function switchAction($action, $httpVars, $fileVars)
                     } else {
                         $context = array();
                     }
+                    session_write_close();
                     $this->loadBinary($context, AJXP_Utils::sanitize($httpVars["binary_id"], AJXP_SANITIZE_ALPHANUM));
                 }
             break;
 
             case "get_global_binary_param" :
 
+                session_write_close();
                 if (isSet($httpVars["tmp_file"])) {
                     $file = AJXP_Utils::getAjxpTmpDir()."/".AJXP_Utils::securePath($httpVars["tmp_file"]);
                     if (isSet($file)) {

core/src/plugins/core.notifications/class.AJXP_NotificationCenter.php

@@ -136,7 +136,7 @@ public function loadUserFeed($actionName, $httpVars, $fileVars)
         if(!$this->eventStore) return array();
         $u = AuthService::getLoggedUser();
         if ($u == null) {
-            if($httpVars["format"] == "html") return array();
+            if($httpVars["format"] == "html" || $httpVars["format"] == "array") return array();
             AJXP_XMLWriter::header();
             AJXP_XMLWriter::close();
             return array();

core/src/plugins/gui.ajax/res/js/es6/Pydio.es6

@@ -114,7 +114,9 @@ class Pydio extends Observable{
             if(this.UI.modal) this.UI.modal.initForms();
             this.UI.initObjects();
 
-            PydioApi.getClient().tryToLogUserFromRememberData();
+            if(!this.user) {
+                PydioApi.getClient().tryToLogUserFromRememberData();
+            }
             this.fire("registry_loaded", this.Registry.getXML());
 
             window.setTimeout(function(){