authorFrank Karlitschek <karlitschek@kde.org>2012-04-27 01:17:46 +0400
committerFrank Karlitschek <karlitschek@kde.org>2012-04-27 01:17:46 +0400
commit74b5e22a684c3095dbd48b56da1a10d955c20305 (patch)
treef4b350ac022cfe4e8935b7910470dcfbbd7a0ec5
parentd96e962fc1f5df7efec5266d34735ebcdc20b056 (diff)
some more csrf fixes
-rw-r--r--core/templates/login.php1
-rw-r--r--index.php14
-rw-r--r--lib/util.php3
3 files changed, 11 insertions, 7 deletions
diff --git a/core/templates/login.php b/core/templates/login.php
index 4ba92221a7d..4035dfe8a5a 100644
--- a/core/templates/login.php
+++ b/core/templates/login.php
@@ -12,6 +12,7 @@
<p class="infield">
<label for="password" class="infield"><?php echo $l->t( 'Password' ); ?></label>
<input type="password" name="password" id="password" value="" required <?php echo !empty($_POST['user'])?'autofocus':''; ?> />
+ <input type="hidden" name="sectoken" id="sectoken" value="<?php echo($_['sectoken']); ?>" />
</p>
<input type="checkbox" name="remember_login" value="1" id="remember_login" /><label for="remember_login"><?php echo $l->t('remember'); ?></label>
<input type="submit" id="submit" class="login" value="<?php echo $l->t( 'Log in' ); ?>" />
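Review bot: The new hidden input writes `$_['sectoken']` into an attribute value with a bare `echo`, without any escaping. As this commit stands the value is an integer from rand() in index.php and lib/util.php, so nothing can break out of the attribute today, but the template should not rely on the caller's choice of value type; the moment the token becomes an opaque string the unescaped echo is the weak spot. Writing it as `value="<?php echo htmlspecialchars($_['sectoken'], ENT_QUOTES); ?>"` keeps the template safe regardless of how the token is produced.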
diff --git a/index.php b/index.php
index b4cac1879c6..9fff459807e 100644
--- a/index.php
+++ b/index.php
@@ -59,10 +59,9 @@ elseif(OC_User::isLoggedIn()) {
else {
OC_Util::redirectToDefaultPage();
}
-}
// For all others cases, we display the guest page :
-else {
+} else {
OC_App::loadApps();
$error = false;
@@ -80,10 +79,9 @@ else {
else {
OC_User::unsetMagicInCookie();
}
- }
// Someone wants to log in :
- elseif(isset($_POST["user"]) && isset($_POST['password'])) {
+ } elseif(isset($_POST["user"]) and isset($_POST['password']) and isset($_SESSION['sectoken']) and isset($_POST['sectoken']) and ($_SESSION['sectoken']==$_POST['sectoken']) ) {
if(OC_User::login($_POST["user"], $_POST["password"])) {
if(!empty($_POST["remember_login"])){
if(defined("DEBUG") && DEBUG) {
@@ -100,9 +98,9 @@ else {
} else {
$error = true;
}
- }
+
// The user is already authenticated using Apaches AuthType Basic... very usable in combination with LDAP
- elseif(isset($_SERVER["PHP_AUTH_USER"]) && isset($_SERVER["PHP_AUTH_PW"])){
+ } elseif(isset($_SERVER["PHP_AUTH_USER"]) && isset($_SERVER["PHP_AUTH_PW"])){
if (OC_User::login($_SERVER["PHP_AUTH_USER"],$_SERVER["PHP_AUTH_PW"])) {
//OC_Log::write('core',"Logged in with HTTP Authentication",OC_Log::DEBUG);
OC_User::unsetMagicInCookie();
@@ -111,5 +109,7 @@ else {
$error = true;
}
}
- OC_Template::printGuestPage('', 'login', array('error' => $error, 'redirect' => isset($_REQUEST['redirect_url'])?$_REQUEST['redirect_url']:'' ));
+ $sectoken=rand(1000000,9999999);
+ $_SESSION['sectoken']=$sectoken;
+ OC_Template::printGuestPage('', 'login', array('error' => $error, 'sectoken' => $sectoken, 'redirect' => isset($_REQUEST['redirect_url'])?$_REQUEST['redirect_url']:'' ));
}
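Review bot: The CSRF token produced by `$sectoken=rand(1000000,9999999);` in the last hunk comes from a non-cryptographic generator and has only seven digits, so it is both predictable and small enough to guess; lib/util.php in this commit adds the same construction. A token should come from a cryptographic source and be wider, e.g. `$sectoken = bin2hex(openssl_random_pseudo_bytes(16));`, and the check in the second hunk's `elseif` should then compare the two strings with `===` instead of `==`, since loose comparison of an integer against a POST string accepts leading-numeric strings as equal. A further gap is that a request with a missing or mismatched token simply falls through the remaining `elseif` branches and reaches printGuestPage with `$error` still false, so the user is shown the login form again with no indication that the attempt was rejected. The enclosing `else` block opens before the first hunk and closes on the last line shown.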
diff --git a/lib/util.php b/lib/util.php
index ec70fd91cb5..29d0691a63d 100644
--- a/lib/util.php
+++ b/lib/util.php
@@ -253,6 +253,9 @@ class OC_Util {
} else {
$parameters["username"] = '';
}
+ $sectoken=rand(1000000,9999999);
+ $_SESSION['sectoken']=$sectoken;
+ $parameters["sectoken"] = $sectoken;
OC_Template::printGuestPage("", "login", $parameters);
}
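Review bot: The three added lines are a character-for-character copy of the token generation added to index.php in this commit, so the two sites can silently drift apart (different ranges, a different session key, one updated and the other not). Generating the token in one place that both call — for example a small method on OC_Util that stores the value in `$_SESSION['sectoken']` and returns it — keeps the template parameter here and the comparison in index.php using the same source. Note also that each call overwrites whatever token is already in the session, so an earlier login form still open in another tab will no longer validate; if that matters, reuse an existing session token instead of always minting a new one. The enclosing method begins before the hunk, so its name and signature are not visible here.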