Update secure_login.php

myvesta 2021-08-29 14:05:15 +02:00 committed by GitHub
parent 8a5469abcd
commit 7c9da855e8
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23


@ -74,7 +74,7 @@ function prevent_post_csrf ($hard_check=false) {
$level = 1; $level = 1;
if ($hard_check == true) $level = 2; if ($hard_check == true) $level = 2;
if ($_SERVER['HTTP_ORIGIN'] != $expected_http_origin) { if ($_SERVER['HTTP_ORIGIN'] != $expected_http_origin) {
die ("CSRF detected (".$level.").<br />Your browser sent HTTP_ORIGIN with value: <b>".$_SERVER['HTTP_ORIGIN']."</b><br />myVesta expected HTTP_ORIGIN with value: <b>".$expected_http_origin."</b><br />Probably some browser extension is blocking it... disable all browser extensions and try again (or try to login with other browser).<br />If you are system administrator of this server, you can disable CSRF check by doing (as root, in SSH): <b>mkdir /usr/local/vesta/conf_web && touch /usr/local/vesta/conf_web/dont_check_csrf</b><br >(but we don't recommend it)<br />If you are not system administrator of this server and you can't access the hosting panel even you disabled all browser extensions, please copy-paste this message to the system administrator of this server.<br />Once again, before you disable CSRF check, try to disable all browser extensions or try to login with other browser."); die ("CSRF detected (".$level.").<br />Your browser sent HTTP_ORIGIN with value: <b>".$_SERVER['HTTP_ORIGIN']."</b><br />myVesta expected HTTP_ORIGIN with value: <b>".$expected_http_origin."</b><br />Probably some browser extension is blocking it... disable all browser extensions and try again (or try to login with other browser).<br />If you are system administrator of this server, you can disable CSRF check by doing (as root, in SSH): <b>mkdir -p /usr/local/vesta/conf_web && touch /usr/local/vesta/conf_web/dont_check_csrf</b><br >(but we don't recommend it)<br />If you are not system administrator of this server and you can't access the hosting panel even you disabled all browser extensions, please copy-paste this message to the system administrator of this server.<br />Once again, before you disable CSRF check, try to disable all browser extensions or try to login with other browser.");
} }
} }
} }
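Review bot: the die() message in the `if ($_SERVER['HTTP_ORIGIN'] != $expected_http_origin)` branch interpolates `$_SERVER['HTTP_ORIGIN']` straight into HTML inside `<b>...</b>`; that header is request-controlled, so pass it (and `$expected_http_origin`, for consistency) through `htmlspecialchars(..., ENT_QUOTES)` before echoing. Unless it is guarded above this hunk, the loose `!=` against a possibly unset `$_SERVER['HTTP_ORIGIN']` also raises a notice on requests that carry no Origin header; read it with a default (`$_SERVER['HTTP_ORIGIN'] ?? ''`) and compare with `!==`. The `mkdir -p` change itself is correct, since plain `mkdir` fails when `/usr/local/vesta/conf_web` already exists and the advice would not work; but the same long instruction string is duplicated in `prevent_get_csrf()` below, which is why this commit has to touch both places. Move the shared text into one helper (for example a `csrf_disable_hint()` function) so the two copies cannot drift apart again.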
@ -98,7 +98,7 @@ function prevent_get_csrf () {
$expected_http_referer = "https://".$hostname.":".$port; $expected_http_referer = "https://".$hostname.":".$port;
$expected_http_referer_length = strlen($expected_http_referer); $expected_http_referer_length = strlen($expected_http_referer);
if (substr($_SERVER['HTTP_REFERER'], 0, $expected_http_referer_length) != $expected_http_referer) { if (substr($_SERVER['HTTP_REFERER'], 0, $expected_http_referer_length) != $expected_http_referer) {
die ("You clicked on someone's link from other site.<br />This is just a protection layer to prevent potentially dangerous clicks, so if it was your link - you can <a href=\"".$expected_http_referer.$_SERVER['REQUEST_URI']."\"><b>proceed safely to your hosting panel</b></a>.<br /><br />Technical details:<br />Your browser sent HTTP_REFERER with value: <b>".$_SERVER['HTTP_REFERER']."</b><br />myVesta expected HTTP_REFERER to begin with value: <b>".$expected_http_referer."</b><br />If you got this error during casual work in your hosting panel, probably some browser extension is blocking HTTP_REFERER... disable all browser extensions and try again (or try to login with other browser).<br />If you are system administrator of this server, you can disable CSRF check by doing (as root, in SSH): <b>mkdir /usr/local/vesta/conf_web && touch /usr/local/vesta/conf_web/dont_check_csrf</b><br >(but we don't recommend it)<br />If you are not system administrator of this server and you can't access the hosting panel even you clicked \"<b>proceed safely to your hosting panel</b>\" and disabled all browser extensions or changed the browser, please copy-paste this message to the system administrator of this server.<br />Once again, before you disable CSRF check, try to click \"<b>proceed safely to your hosting panel</b>\", and if that does not help then try to disable all browser extensions or try to login with other browser."); die ("You clicked on someone's link from other site.<br />This is just a protection layer to prevent potentially dangerous clicks, so if it was your link - you can <a href=\"".$expected_http_referer.$_SERVER['REQUEST_URI']."\"><b>proceed safely to your hosting panel</b></a>.<br /><br />Technical details:<br />Your browser sent HTTP_REFERER with value: <b>".$_SERVER['HTTP_REFERER']."</b><br />myVesta expected HTTP_REFERER to begin with value: <b>".$expected_http_referer."</b><br />If you got this error during casual work in your hosting panel, probably some 
browser extension is blocking HTTP_REFERER... disable all browser extensions and try again (or try to login with other browser).<br />If you are system administrator of this server, you can disable CSRF check by doing (as root, in SSH): <b>mkdir -p /usr/local/vesta/conf_web && touch /usr/local/vesta/conf_web/dont_check_csrf</b><br >(but we don't recommend it)<br />If you are not system administrator of this server and you can't access the hosting panel even you clicked \"<b>proceed safely to your hosting panel</b>\" and disabled all browser extensions or changed the browser, please copy-paste this message to the system administrator of this server.<br />Once again, before you disable CSRF check, try to click \"<b>proceed safely to your hosting panel</b>\", and if that does not help then try to disable all browser extensions or try to login with other browser.");
} }
} }
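Review bot: the "proceed safely to your hosting panel" link in this die() turns the Referer check into a one-click bypass. The href is built as `$expected_http_referer.$_SERVER['REQUEST_URI']`, so the exact request that tripped the check (query string included, chosen by whoever crafted the off-site link) is re-issued on click, now with a first-party Referer that satisfies `substr($_SERVER['HTTP_REFERER'], 0, $expected_http_referer_length) != $expected_http_referer`. For GET endpoints that change state, the follow-up request should require a per-session token rather than a confirmation click. Independently, `$_SERVER['REQUEST_URI']` is written unescaped into an `href="..."` attribute and `$_SERVER['HTTP_REFERER']` into `<b>...</b>`; wrap both in `htmlspecialchars(..., ENT_QUOTES)`. The prefix comparison is also a plain string prefix on `"https://".$hostname.":".$port`; append the trailing `/` to `$expected_http_referer` (or `parse_url()` the Referer and compare scheme, host and port) so the check matches the origin rather than any string that happens to begin with those characters.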