github/myvesta
1
0
Fork 0
mirror of https://github.com/myvesta/vesta synced 2025-08-20 13:24:25 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions

CSRF

Browse source
This commit is contained in:
Made I.T 2017-02-28 09:01:30 +01:00 committed by GitHub
commit 9623be0708
1 changed files with 58 additions and 51 deletions
Download patch file Download diff file Expand all files Collapse all files

7
web/login/index.php
View file

@ -34,6 +34,7 @@ if (isset($_SESSION['user'])) {
// Basic auth // Basic auth
if (isset($_POST['user']) && isset($_POST['password'])) { if (isset($_POST['user']) && isset($_POST['password'])) {
if(isset($_SESSION['token']) && isset($_POST['token']) && $_POST['token'] == $_SESSION['token']) {
$v_user = escapeshellarg($_POST['user']); $v_user = escapeshellarg($_POST['user']);
// Send password via tmp file // Send password via tmp file
@ -93,6 +94,9 @@ if (isset($_POST['user']) && isset($_POST['password'])) {
exit; exit;
} }
} }
} else {
$ERROR = "<a class=\"error\">".__('Invalid or missing token')."</a>";
}
} }
// Check system configuration // Check system configuration
@ -121,6 +125,9 @@ if (empty($_SESSION['language'])) {
} }
} }
// Generate CSRF token
$_SESSION['token'] = md5(uniqid(mt_rand(), true));
require_once($_SERVER['DOCUMENT_ROOT'].'/inc/i18n/'.$_SESSION['language'].'.php'); require_once($_SERVER['DOCUMENT_ROOT'].'/inc/i18n/'.$_SESSION['language'].'.php');
require_once('../templates/header.html'); require_once('../templates/header.html');
require_once('../templates/login.html'); require_once('../templates/login.html');