mirror of
https://github.com/myvesta/vesta
synced 2025-08-14 10:37:42 -07:00
More logical check expression in secure_login.php
This commit is contained in:
myvesta
GitHub
parent
b8963d5b2d
commit
0686c6d5f6
1 changed files with 19 additions and 19 deletions
|
|
@ -1,38 +1,38 @@
|
|||
<?php
|
||||
|
||||
$skip_login_url_check=0;
|
||||
$secure_gate_check=true;
|
||||
|
||||
if ($_SERVER['SCRIPT_FILENAME']=='/usr/local/vesta/web/inc/mail-wrapper.php') $skip_login_url_check=1; // it can be executed only from cli
|
||||
if ($_SERVER['SCRIPT_FILENAME']=='/usr/local/vesta/web/inc/mail-wrapper.php') $secure_gate_check=false; // it can be executed only from cli
|
||||
|
||||
if ($_SERVER['SCRIPT_FILENAME']=='/usr/local/vesta/web/reset/mail/index.php') $skip_login_url_check=1; // it's accessible only from localhost
|
||||
if ($_SERVER['SCRIPT_FILENAME']=='/usr/local/vesta/web//reset/mail/index.php') $skip_login_url_check=1;
|
||||
if ($_SERVER['SCRIPT_FILENAME']=='/usr/local/vesta/web/reset/mail/index.php') $secure_gate_check=false; // it's accessible only from localhost
|
||||
if ($_SERVER['SCRIPT_FILENAME']=='/usr/local/vesta/web//reset/mail/index.php') $secure_gate_check=false;
|
||||
|
||||
if ($_SERVER['SCRIPT_FILENAME']=='/usr/local/vesta/web/api/index.php') $skip_login_url_check=1; // api has its own security check
|
||||
if ($_SERVER['SCRIPT_FILENAME']=='/usr/local/vesta/web//api/index.php') $skip_login_url_check=1;
|
||||
if ($_SERVER['SCRIPT_FILENAME']=='/usr/local/vesta/web/api/index.php') $secure_gate_check=false; // api has its own security check
|
||||
if ($_SERVER['SCRIPT_FILENAME']=='/usr/local/vesta/web//api/index.php') $secure_gate_check=false;
|
||||
|
||||
if ($_SERVER['SCRIPT_FILENAME']=='/usr/local/vesta/web/reset/mail/set-ar.php') $skip_login_url_check=1; // commercial addon for changing auto-reply from Roundcube, not included in this fork, also accessible only from localhost
|
||||
if ($_SERVER['SCRIPT_FILENAME']=='/usr/local/vesta/web//reset/mail/set-ar.php') $skip_login_url_check=1;
|
||||
if ($_SERVER['SCRIPT_FILENAME']=='/usr/local/vesta/web/reset/mail/get-ar.php') $skip_login_url_check=1;
|
||||
if ($_SERVER['SCRIPT_FILENAME']=='/usr/local/vesta/web//reset/mail/get-ar.php') $skip_login_url_check=1;
|
||||
if (substr($_SERVER['SCRIPT_FILENAME'], 0, 28)=='/usr/local/vesta/web/custom/') $skip_login_url_check=1; // custom scripts like git webhooks
|
||||
if (substr($_SERVER['SCRIPT_FILENAME'], 0, 29)=='/usr/local/vesta/web//custom/') $skip_login_url_check=1;
|
||||
if ($_SERVER['SCRIPT_FILENAME']=='/usr/local/vesta/web/reset/mail/set-ar.php') $secure_gate_check=false; // commercial addon for changing auto-reply from Roundcube, not included in this fork, also accessible only from localhost
|
||||
if ($_SERVER['SCRIPT_FILENAME']=='/usr/local/vesta/web//reset/mail/set-ar.php') $secure_gate_check=false;
|
||||
if ($_SERVER['SCRIPT_FILENAME']=='/usr/local/vesta/web/reset/mail/get-ar.php') $secure_gate_check=false;
|
||||
if ($_SERVER['SCRIPT_FILENAME']=='/usr/local/vesta/web//reset/mail/get-ar.php') $secure_gate_check=false;
|
||||
if (substr($_SERVER['SCRIPT_FILENAME'], 0, 28)=='/usr/local/vesta/web/custom/') $secure_gate_check=false; // custom scripts like git webhooks
|
||||
if (substr($_SERVER['SCRIPT_FILENAME'], 0, 29)=='/usr/local/vesta/web//custom/') $secure_gate_check=false;
|
||||
|
||||
if (substr($_SERVER['SCRIPT_FILENAME'], 0, 21)=='/usr/local/vesta/bin/') $skip_login_url_check=1; // allow executing v-* PHP scripts from bash
|
||||
if (substr($_SERVER['SCRIPT_FILENAME'], 0, 29)=='/usr/local/vesta/softaculous/') $skip_login_url_check=1; // allow softaculous
|
||||
if (substr($_SERVER['SCRIPT_FILENAME'], 0, 33)=='/usr/local/vesta/web/softaculous/') $skip_login_url_check=1; // allow softaculous
|
||||
if (substr($_SERVER['SCRIPT_FILENAME'], 0, 34)=='/usr/local/vesta/web//softaculous/') $skip_login_url_check=1; // allow softaculous
|
||||
if (substr($_SERVER['SCRIPT_FILENAME'], 0, 21)=='/usr/local/vesta/bin/') $secure_gate_check=false; // allow executing v-* PHP scripts from bash
|
||||
if (substr($_SERVER['SCRIPT_FILENAME'], 0, 29)=='/usr/local/vesta/softaculous/') $secure_gate_check=false; // allow softaculous
|
||||
if (substr($_SERVER['SCRIPT_FILENAME'], 0, 33)=='/usr/local/vesta/web/softaculous/') $secure_gate_check=false; // allow softaculous
|
||||
if (substr($_SERVER['SCRIPT_FILENAME'], 0, 34)=='/usr/local/vesta/web//softaculous/') $secure_gate_check=false; // allow softaculous
|
||||
|
||||
$check_file="/usr/local/vesta/conf_web/allow_ip_for_secret_url.conf";
|
||||
if (file_exists($check_file)) {
|
||||
$file_content=file($check_file);
|
||||
if (is_array($file_content)) {
|
||||
foreach ($file_content as $line) {
|
||||
if (trim($line) == $_SERVER['REMOTE_ADDR']) {$skip_login_url_check=1; break;}
|
||||
if (trim($line) == $_SERVER['REMOTE_ADDR']) {$secure_gate_check=false; break;}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if ($skip_login_url_check==0) {
|
||||
if ($secure_gate_check==true) {
|
||||
if (!isset($login_url_loaded)) {
|
||||
$login_url_loaded=1;
|
||||
if (file_exists('/usr/local/vesta/web/inc/login_url.php')) {
|
||||
|
|
@ -51,7 +51,7 @@ if ($skip_login_url_check==0) {
|
|||
}
|
||||
|
||||
// Preventing all CSRF
|
||||
if ($skip_login_url_check==0) {
|
||||
if ($secure_gate_check==true) {
|
||||
if ($_SERVER['REQUEST_METHOD']=='POST') {
|
||||
$host_arr=explode(":", $_SERVER['HTTP_HOST']);
|
||||
$hostname=$host_arr[0];
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue