Allow a bit larger clock deviation on Ampache handshake
In the Ampache handshake, it was previously checked that the timestamp
supplied by the client is not more than 100 seconds ahead of the system
time of the server. In case the client is using its own system clock to
create the timestamp and the client and/or the server does not
synchronize its time from the network, it could quite easily happen
that the local times of client and server differ by more than 100
seconds. The handshake failed in such cases.

Now we allow the timestamps to differ at maximum by 10 minutes.
That shouldn't compromise the security in any significant manner but
will make the handshake more robust against small clock deviations.

refs #60
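To make the effect of the widened window concrete, here is an added, self-contained model of the handshake timestamp check with a client whose clock runs ahead of the server. This is illustration code, not the music app's own controller. The auth derivation, sha256(timestamp + sha256(password)), follows the public Ampache API description and is an assumption here, as is the 3600 s value for SESSION_EXPIRY_TIME; the commit page only shows the two timestamp comparisons and names the constant.

```python
"""Ampache-style handshake timestamp window with a configurable future-skew allowance.

Added example, not code from the project on this page. Assumptions (not shown
on the page): auth = sha256(str(timestamp) + sha256(password)) as in the
Ampache API docs, and SESSION_EXPIRY_TIME = 3600 seconds.
"""
import hashlib
import hmac
from typing import Optional

SESSION_EXPIRY_TIME = 3600   # assumed value; the page only names the constant
OLD_FUTURE_SKEW = 100        # bound before the commit
NEW_FUTURE_SKEW = 600        # bound after the commit (10 minutes)

OUTDATED = "Invalid Login - session is outdated"
IN_FUTURE = "Invalid Login - timestamp is in future"
WRONG_AUTH = "Invalid Login - wrong auth"


def password_key(password: str) -> str:
    """Ampache 'key': hex sha256 of the plaintext password (assumed scheme)."""
    return hashlib.sha256(password.encode()).hexdigest()


def client_auth(timestamp: int, password: str) -> str:
    """What the client sends as 'auth': sha256(timestamp || key) (assumed scheme)."""
    return hashlib.sha256((str(timestamp) + password_key(password)).encode()).hexdigest()


def check_timestamp(provided: int, now: int, future_skew: int,
                    expiry: int = SESSION_EXPIRY_TIME) -> Optional[str]:
    """Mirror of the two checks in the hunk: accept provided in
    [now - expiry, now + future_skew], otherwise return the error string."""
    if provided < now - expiry:
        return OUTDATED
    if provided > now + future_skew:
        return IN_FUTURE
    return None


def server_handshake(provided: int, auth: str, now: int, stored_key: str,
                     future_skew: int) -> Optional[str]:
    """Server side: window check first, then recompute auth from the
    client-supplied timestamp and the stored key. The timestamp is bound into
    the hash, so a captured (timestamp, auth) pair is only replayable while
    the timestamp stays inside the window."""
    err = check_timestamp(provided, now, future_skew)
    if err:
        return err
    expected = hashlib.sha256((str(provided) + stored_key).encode()).hexdigest()
    if not hmac.compare_digest(expected, auth):
        return WRONG_AUTH
    return None


def simulate(client_skew: int, future_skew: int,
             server_now: int = 1_536_400_000) -> Optional[str]:
    """A client whose clock is client_skew seconds ahead of (or, if negative,
    behind) the server performs a fresh, honest handshake."""
    password = "correct horse"          # constructed sample credential
    client_time = server_now + client_skew
    auth = client_auth(client_time, password)
    return server_handshake(client_time, auth, server_now,
                            password_key(password), future_skew)


if __name__ == "__main__":
    for skew in (0, 150, 601):
        print(f"client clock +{skew}s: old window -> {simulate(skew, OLD_FUTURE_SKEW)}, "
              f"new window -> {simulate(skew, NEW_FUTURE_SKEW)}")
```

The same function also shows the cost of the change: a captured pair stays valid until the server clock passes timestamp + SESSION_EXPIRY_TIME, and a client clock can now be up to 600 s ahead, so the total span in which one timestamp is accepted grows by 500 s.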
paulijar committed Sep 8, 2018
1 parent 7affc23 commit cb28c00
Showing 1 changed file with 3 additions and 2 deletions.
5 changes: 3 additions & 2 deletions controller/ampachecontroller.php
Expand Up @@ -173,8 +173,9 @@ protected function handshake($user, $timestamp, $auth) {
if ($providedTime < ($currentTime - self::SESSION_EXPIRY_TIME)) {
throw new AmpacheException('Invalid Login - session is outdated', 401);
}
// TODO - while testing with tomahawk it sometimes is $currenttime+1 ... needs further investigation
if ($providedTime > $currentTime + 100) {
// Allow the timestamp to be at maximum 10 minutes in the future. The client may use its
// own system clock to generate the timestamp and that may differ from the server's time.
if ($providedTime > $currentTime + 600) {
throw new AmpacheException('Invalid Login - timestamp is in future', 401);
}
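Review bot: the new future bound is a bare magic number where the matching past bound a few lines above uses `self::SESSION_EXPIRY_TIME`; `if ($providedTime > $currentTime + 600)` carries its meaning only in the comment. Pull the 600 into a named constant declared next to `SESSION_EXPIRY_TIME` (a future-skew allowance), so both halves of the accepted window are defined in one place and the total span in which a given `$timestamp`/`$auth` pair is accepted, `SESSION_EXPIRY_TIME` into the past plus the future allowance, is visible where the constants live. The removed TODO asked for investigation of tomahawk sending `$currenttime+1`; the replacement comment should say that the wider tolerance is meant to cover that case rather than silently dropping the open question.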
