github/myvesta
1
0
Fork 0
mirror of https://github.com/myvesta/vesta synced 2025-08-19 13:01:52 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions

Fix for "Broken or Risky Cryptographic Algorithm"

Browse source
This commit is contained in:
myvesta 2021-08-14 22:36:07 +02:00
commit df11eaf33f
2 changed files with 6 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

5
web/inc/main.php
View file

@ -66,9 +66,10 @@ if ((!isset($_SESSION['user'])) && (!defined('NO_AUTH_REQUIRED'))) {
exit;
}
// Generate CSRF Token
if (isset($_SESSION['user'])) {
if(!isset($_SESSION['token'])){
$token = uniqid(mt_rand(), true);
if (!isset($_SESSION['token'])){
$token = bin2hex(file_get_contents('/dev/urandom', false, null, 0, 16));
$_SESSION['token'] = $token;
}
}

5
web/login/index.php
View file

@ -112,7 +112,7 @@ if (isset($_POST['user']) && isset($_POST['password'])) {
}
// Regenerate session id to prevent session fixation
session_regenerate_id();
session_regenerate_id(true);
// Redirect request to control panel interface
if (!empty($_SESSION['request_uri'])) {
@ -158,7 +158,8 @@ if (empty($_SESSION['language'])) {
}
// Generate CSRF token
$_SESSION['token'] = md5(uniqid(mt_rand(), true));
$token = bin2hex(file_get_contents('/dev/urandom', false, null, 0, 16));
$_SESSION['token'] = $token;
require_once($_SERVER['DOCUMENT_ROOT'].'/inc/i18n/'.$_SESSION['language'].'.php');
require_once('../templates/header.html');