From 49905063f634e5d95585664f227520512a324605 Mon Sep 17 00:00:00 2001
From: myvesta <38690722+myvesta@users.noreply.github.com>
Date: Sun, 29 Aug 2021 11:09:24 +0200
Subject: [PATCH] Update secure_login.php
---
 web/inc/secure_login.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/web/inc/secure_login.php b/web/inc/secure_login.php
index b55d8e31..f9452cc3 100644
--- a/web/inc/secure_login.php
+++ b/web/inc/secure_login.php
@@ -54,18 +54,18 @@ function prevent_post_csrf ($hard_check=false) {
 if (file_exists('/usr/local/vesta/conf_web/dont_check_csrf')) return;
 if ($_SERVER['REQUEST_METHOD']=='POST') {
 if ($hard_check == false) {
- if (isset($_SERVER['HTTP_ORIGIN']) == false) return;
 if (isset($_SERVER['HTTP_HOST']) == false) return;
 if (isset($_SERVER['SERVER_PORT']) == false) return;
+ if (isset($_SERVER['HTTP_ORIGIN']) == false) return;
 } else {
- if (isset($_SERVER['HTTP_ORIGIN']) == false) $_SERVER['HTTP_ORIGIN'] = '';
 if (isset($_SERVER['HTTP_HOST']) == false) $_SERVER['HTTP_HOST'] = '';
 if (isset($_SERVER['SERVER_PORT']) == false) $_SERVER['HTTP_PORT'] = '';
+ if (isset($_SERVER['HTTP_ORIGIN']) == false) $_SERVER['HTTP_ORIGIN'] = '';
 }
 $_SERVER['HTTP_HOST'] = strtolower($_SERVER['HTTP_HOST']);
 $_SERVER['HTTP_ORIGIN'] = strtolower($_SERVER['HTTP_ORIGIN']);
 if ($hard_check == false) {
- if (substr($_SERVER['HTTP_ORIGIN'], 0,7) != "http://" && substr($_SERVER['HTTP_ORIGIN'], 0,8)!="https://") return;
+ if (substr($_SERVER['HTTP_ORIGIN'], 0, 8) != "file:///" && substr($_SERVER['HTTP_ORIGIN'], 0, 7) != "http://" && substr($_SERVER['HTTP_ORIGIN'], 0, 8) != "https://") return;
 }
 $host_arr = explode(":", $_SERVER['HTTP_HOST']);
 $hostname = $host_arr[0];
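Review bot: The added `file:///` prefix on the soft-check line will rarely match real browser traffic, because current browsers serialize a file:// document's origin as the literal string `null` rather than a `file:///` URL, so such requests still hit the early `return` on that line and bypass the CSRF comparison entirely; either treat `null` (or any unrecognized scheme) as a failed check in the `$hard_check == false` branch, or state the intent with a comment such as `// file:/// is accepted for non-browser clients; browsers send "Origin: null" — confirm`. The same line keeps loose `!=`; `!==` avoids PHP's string-to-number comparison rules and reads as a deliberate exact prefix test. In the hard-check branch, the line just above the moved HTTP_ORIGIN default assigns `$_SERVER['HTTP_PORT'] = ''` while the soft branch tests `SERVER_PORT`, which looks like a typo that leaves SERVER_PORT unset on that path. prevent_post_csrf continues past the end of the hunk, so how a failed origin/host comparison is reported is not visible here.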