From 7d5990bf0fff79411d9e783cb5182705d367f5cc Mon Sep 17 00:00:00 2001
From: FreddleSpl0it
Date: Wed, 18 May 2022 10:03:10 +0200
Subject: [PATCH] restrict webauthn-tfa-get-args sql query

---
 data/web/json_api.php | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/data/web/json_api.php b/data/web/json_api.php
index 53e47af68..2c8f13fb6 100644
--- a/data/web/json_api.php
+++ b/data/web/json_api.php
@@ -452,8 +452,11 @@ if (isset($_GET['query'])) {
         }
       break;
     case "webauthn-tfa-get-args":
-      $stmt = $pdo->prepare("SELECT `keyHandle` FROM `tfa` WHERE username = :username AND authmech = `webauthn`");
-      $stmt->execute(array(':username' => $_SESSION['pending_mailcow_cc_username']));
+      $stmt = $pdo->prepare("SELECT `keyHandle` FROM `tfa` WHERE username = :username AND authmech = :authmech");
+      $stmt->execute(array(
+        ':username' => $_SESSION['pending_mailcow_cc_username'],
+        ':authmech' => 'webauthn'
+      ));
       $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
       if (count($rows) == 0) {
         print(json_encode(array(
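Review bot: The return value of the new `$stmt->execute(array(...))` call is still unchecked, so unless `$pdo` is configured with `PDO::ERRMODE_EXCEPTION` (not visible in this hunk) a failing query falls through to `fetchAll()` and becomes indistinguishable from "no keys registered" — the same silent failure mode that hid the backtick-quoted `webauthn` column reference in the old query. I would either make the error mode explicit near the connection setup or guard the call: `if (!$stmt->execute(array(':username' => $_SESSION['pending_mailcow_cc_username'], ':authmech' => 'webauthn'))) { /* return a JSON error instead of an empty key list */ }`. `$_SESSION['pending_mailcow_cc_username']` is also read without checking that a pending login exists; binding a null username presumably just yields zero rows, but an explicit `if (empty($_SESSION['pending_mailcow_cc_username']))` early-return before the query would make that intent clear rather than accidental. The rest of this `case` body continues past the end of the hunk.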