diff options
author | Peter Zhang <peter@innocraft.com> | 2021-10-13 03:54:31 +0300 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-10-13 03:54:31 +0300 |
commit | e4a7b579622da9f585a9e662efc114b08b6fe08d (patch) | |
tree | a865e8af116e2a929a583e91910dce57fb628207 /plugins/Login | |
parent | f1cba6a5f168bdb3faf64e812b44d591d8afce08 (diff) |
More verbose error message when login nonce check fails (#18051)
Diffstat (limited to 'plugins/Login')
-rw-r--r-- | plugins/Login/Controller.php | 51 | ||||
-rw-r--r-- | plugins/Login/lang/en.json | 7 |
2 files changed, 16 insertions, 42 deletions
diff --git a/plugins/Login/Controller.php b/plugins/Login/Controller.php index a1daed412e..b13f3f8231 100644 --- a/plugins/Login/Controller.php +++ b/plugins/Login/Controller.php @@ -133,7 +133,10 @@ class Controller extends \Piwik\Plugin\ControllerAdmin $form = new FormLogin(); if ($form->validate()) { $nonce = $form->getSubmitValue('form_nonce'); - if (Nonce::verifyNonce('Login.login', $nonce)) { + $messageNoAccess = Nonce::verifyNonceWithErrorMessage('Login.login', $nonce, null); + + // validate if there is error message + if ($messageNoAccess === "") { $loginOrEmail = $form->getSubmitValue('form_login'); $login = $this->getLoginFromLoginOrEmail($loginOrEmail); @@ -143,11 +146,9 @@ class Controller extends \Piwik\Plugin\ControllerAdmin } catch (Exception $e) { $messageNoAccess = $e->getMessage(); } - } else { - $messageNoAccess = $this->getMessageExceptionNoAccess(); } } - + if ($messageNoAccess) { http_response_code(403); } @@ -212,8 +213,9 @@ class Controller extends \Piwik\Plugin\ControllerAdmin if ($password) { $password = Common::unsanitizeInputValue($password); } - if (!Nonce::verifyNonce($nonceKey, $nonce)) { - $messageNoAccess = $this->getMessageExceptionNoAccess(); + $errorMessage = Nonce::verifyNonceWithErrorMessage($nonceKey, $nonce); + if ($errorMessage !== "") { + $messageNoAccess = $errorMessage; } elseif ($this->passwordVerify->isPasswordCorrect(Piwik::getCurrentUserLogin(), $password)) { $this->passwordVerify->setPasswordVerifiedCorrectly(); return; @@ -349,38 +351,6 @@ class Controller extends \Piwik\Plugin\ControllerAdmin Url::redirectToUrl($urlToRedirect); } - protected function getMessageExceptionNoAccess() - { - $message = Piwik::translate('Login_InvalidNonceOrHeadersOrReferrer', array('<a target="_blank" rel="noreferrer noopener" href="https://matomo.org/faq/how-to-install/#faq_98">', '</a>')); - - $message .= $this->getMessageExceptionNoAccessWhenInsecureConnectionMayBeUsed(); - - return $message; - } - - /** - * The Session cookie is set to a secure cookie, when SSL is mis-configured, it can cause the PHP session cookie ID to change on each page view. - * Indicate to user how to solve this particular use case by forcing secure connections. - * - * @return string - */ - protected function getMessageExceptionNoAccessWhenInsecureConnectionMayBeUsed() - { - $message = ''; - if(Url::isSecureConnectionAssumedByPiwikButNotForcedYet()) { - $message = '<br/><br/>' . Piwik::translate('Login_InvalidNonceSSLMisconfigured', - array( - '<a target="_blank" rel="noreferrer noopener" href="https://matomo.org/faq/how-to/faq_91/">', - '</a>', - 'config/config.ini.php', - '<pre>force_ssl=1</pre>', - '<pre>[General]</pre>', - ) - ); - } - return $message; - } - /** * Reset password action. Stores new password as hash and sends email * to confirm use. @@ -394,13 +364,14 @@ class Controller extends \Piwik\Plugin\ControllerAdmin $form = new FormResetPassword(); if ($form->validate()) { $nonce = $form->getSubmitValue('form_nonce'); - if (Nonce::verifyNonce('Login.login', $nonce)) { + $errorMessage = Nonce::verifyNonceWithErrorMessage('Login.login', $nonce); + if ($errorMessage === "") { $formErrors = $this->resetPasswordFirstStep($form); if (empty($formErrors)) { $infoMessage = Piwik::translate('Login_ConfirmationLinkSent'); } } else { - $formErrors = array($this->getMessageExceptionNoAccess()); + $formErrors = array($errorMessage); } } else { // if invalid, display error diff --git a/plugins/Login/lang/en.json b/plugins/Login/lang/en.json index 92597b4a0c..361c2c1b77 100644 --- a/plugins/Login/lang/en.json +++ b/plugins/Login/lang/en.json @@ -5,7 +5,10 @@ "ContactAdmin": "Possible reason: your host may have disabled the mail() function. <br \/>Please contact your Matomo administrator.", "ExceptionInvalidSuperUserAccessAuthenticationMethod": "A user with Super User access cannot be authenticated using the '%s' mechanism.", "ExceptionPasswordMD5HashExpected": "The password parameter is expected to be a MD5 hash of the password.", - "InvalidNonceOrHeadersOrReferrer": "Form security failed. Please reload the form and check that your cookies are enabled. If you use a proxy server, you must %1$s configure Matomo to accept the proxy header%2$s that forwards the Host header. Also, check that your Referrer header is sent correctly.", + "InvalidNonceToken": "Form security failed, token miss match. Please reload the form and check that your cookies are enabled.", + "InvalidNonceReferrer": "Form security failed, invalid referrer header. If you use a proxy server, you must %1$s configure Matomo to accept the proxy header %2$s that forwards the Host header. Also, check that your Referrer header is sent correctly and If you previously connected using https, please ensure you are connecting over a secure (SSL/TLS) connection and try again.", + "InvalidNonceUnexpectedReferrer" : "Form security failed, the referrer header is different from the expected referrer header, check that your Referrer header is sent correctly.", + "InvalidNonceOrigin": "Form security failed, invalid origin. If you previously connected using https, please ensure you are connecting over a secure (SSL/TLS) connection and try again.", "InvalidNonceSSLMisconfigured": "Also, you may %1$s force Matomo to use a secure connection%2$s: in your config file %3$s set %4$s below section %5$s", "InvalidOrExpiredToken": "Token is invalid or has expired.", "InvalidUsernameEmail": "Invalid username or e-mail address.", @@ -53,4 +56,4 @@ "SuspiciousLoginAttemptsInLastHourEmail5": "Additionally, if your Matomo has a limited set of users or IPs through which users will access it, it may be beneficial to setup a IP address allowlist. %1$sRead our docs for more information.%2$s", "LoginNotAllowedBecauseUserLoginBlocked": "Login functionality is temporarily disabled since we've a suspicious amount of failed login attempts in the last hour." } -}
\ No newline at end of file +} |