authorSimon Rettberg2023-07-03 18:01:32 +0200
committerSimon Rettberg2023-07-03 18:01:32 +0200
commitd2087a8c719f32b3b0e70bf22ef3cd1716f03671 (patch)
tree0333bcfa5a43c790397484585af60f401dd3fe00
parent[statistics] Fix invalid array access (diff)
[remoteaccess] Make sure we get the right client when updating pw
When a client sends its current VNC password, we look up the client's uuid via the remote IP address. This would return any random client that last had this IP address when it booted. This is mostly not a problem with clients that have a static assignment, but can easily go wrong with clients in dynamic pools, as it's likely we have a few entries with the same address in the DB. We now get the client that was seen active most recently, which–unless we have address collisions–should always be the proper one.
-rw-r--r--modules-available/remoteaccess/api.inc.php5
1 files changed, 4 insertions, 1 deletions
diff --git a/modules-available/remoteaccess/api.inc.php b/modules-available/remoteaccess/api.inc.php
index 859f5cfe..ec5fe7ad 100644
--- a/modules-available/remoteaccess/api.inc.php
+++ b/modules-available/remoteaccess/api.inc.php
@@ -5,7 +5,10 @@ if (substr($ip, 0, 7) === '::ffff:') $ip = substr($ip, 7);
$password = Request::post('password', false, 'string');
if ($password !== false) {
- $c = Database::queryFirst("SELECT machineuuid FROM machine WHERE clientip = :ip", ['ip' => $ip]);
+ $c = Database::queryFirst("SELECT machineuuid FROM machine
+ WHERE clientip = :ip
+ ORDER BY lastseen DESC
+ LIMIT 1", ['ip' => $ip]);
if ($c !== false) {
$vncport = Request::post('vncport', 5900, 'int');
Database::exec("INSERT INTO remoteaccess_machine (machineuuid, password, vncport)