github/myvesta
1
0
Fork 0
mirror of https://github.com/myvesta/vesta synced 2025-08-20 21:34:12 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions

Update secure_login.php

Browse source
This commit is contained in:
myvesta 2021-08-29 11:09:24 +02:00 committed by GitHub
commit 49905063f6
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 3 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

6
web/inc/secure_login.php
View file

@ -54,18 +54,18 @@ function prevent_post_csrf ($hard_check=false) {
if (file_exists('/usr/local/vesta/conf_web/dont_check_csrf')) return; if (file_exists('/usr/local/vesta/conf_web/dont_check_csrf')) return;
if ($_SERVER['REQUEST_METHOD']=='POST') { if ($_SERVER['REQUEST_METHOD']=='POST') {
if ($hard_check == false) { if ($hard_check == false) {
if (isset($_SERVER['HTTP_ORIGIN']) == false) return;
if (isset($_SERVER['HTTP_HOST']) == false) return; if (isset($_SERVER['HTTP_HOST']) == false) return;
if (isset($_SERVER['SERVER_PORT']) == false) return; if (isset($_SERVER['SERVER_PORT']) == false) return;
if (isset($_SERVER['HTTP_ORIGIN']) == false) return;
} else { } else {
if (isset($_SERVER['HTTP_ORIGIN']) == false) $_SERVER['HTTP_ORIGIN'] = '';
if (isset($_SERVER['HTTP_HOST']) == false) $_SERVER['HTTP_HOST'] = ''; if (isset($_SERVER['HTTP_HOST']) == false) $_SERVER['HTTP_HOST'] = '';
if (isset($_SERVER['SERVER_PORT']) == false) $_SERVER['HTTP_PORT'] = ''; if (isset($_SERVER['SERVER_PORT']) == false) $_SERVER['HTTP_PORT'] = '';
if (isset($_SERVER['HTTP_ORIGIN']) == false) $_SERVER['HTTP_ORIGIN'] = '';
} }
$_SERVER['HTTP_HOST'] = strtolower($_SERVER['HTTP_HOST']); $_SERVER['HTTP_HOST'] = strtolower($_SERVER['HTTP_HOST']);
$_SERVER['HTTP_ORIGIN'] = strtolower($_SERVER['HTTP_ORIGIN']); $_SERVER['HTTP_ORIGIN'] = strtolower($_SERVER['HTTP_ORIGIN']);
if ($hard_check == false) { if ($hard_check == false) {
if (substr($_SERVER['HTTP_ORIGIN'], 0,7) != "http://" && substr($_SERVER['HTTP_ORIGIN'], 0,8)!="https://") return; if (substr($_SERVER['HTTP_ORIGIN'], 0, 8) != "file:///" && substr($_SERVER['HTTP_ORIGIN'], 0, 7) != "http://" && substr($_SERVER['HTTP_ORIGIN'], 0, 8) != "https://") return;
} }
$host_arr = explode(":", $_SERVER['HTTP_HOST']); $host_arr = explode(":", $_SERVER['HTTP_HOST']);
$hostname = $host_arr[0]; $hostname = $host_arr[0];