From d2087a8c719f32b3b0e70bf22ef3cd1716f03671 Mon Sep 17 00:00:00 2001
From: Simon Rettberg
Date: Mon, 3 Jul 2023 18:01:32 +0200
Subject: [remoteaccess] Make sure we get the right client when updating pw
When a client sends its current VNC password, we look up the client's uuid via the remote IP address. This would return any random client that last had this IP address when it booted. This is mostly not a problem with clients that have a static assignment, but can easily go wrong with clients in dynamic pools, as it's likely we have a few entries with the same address in the DB. We now get the client that was seen active most recently, which–unless we have address collisions–should always be the proper one.
---
 modules-available/remoteaccess/api.inc.php | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/modules-available/remoteaccess/api.inc.php b/modules-available/remoteaccess/api.inc.php
index 859f5cfe..ec5fe7ad 100644
--- a/modules-available/remoteaccess/api.inc.php
+++ b/modules-available/remoteaccess/api.inc.php
@@ -5,7 +5,10 @@ if (substr($ip, 0, 7) === '::ffff:') $ip = substr($ip, 7);
 $password = Request::post('password', false, 'string');
 if ($password !== false) {
- $c = Database::queryFirst("SELECT machineuuid FROM machine WHERE clientip = :ip", ['ip' => $ip]);
+ $c = Database::queryFirst("SELECT machineuuid FROM machine
+ WHERE clientip = :ip
+ ORDER BY lastseen DESC
+ LIMIT 1", ['ip' => $ip]);
 if ($c !== false) {
 $vncport = Request::post('vncport', 5900, 'int');
 Database::exec("INSERT INTO remoteaccess_machine (machineuuid, password, vncport)
-- cgit v1.2.3-55-g7522
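Review bot: The new lookup still treats the source address as the only proof of which machine is posting its VNC password, so when the newest `machine` row for that address is stale (for example the lease has moved to a host that never registered), the password and port are stored under another machine's uuid. Bounding the match by freshness would narrow that, e.g. adding `AND lastseen > :cutoff` before the `ORDER BY` with a cutoff computed by the caller (the unit of `lastseen` is not visible in this hunk, so confirm it first); having the client also send its uuid and matching on both would be stronger. A short comment above the query such as `// clientip is not unique (dynamic pools); take the most recently seen machine` would keep the reason for the ordering next to the code. The `if ($password !== false)` block continues past the end of the hunk.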