Merge pull request #1 from serghey-rodin/master

Update fork
Arinerron 2017-03-01 19:43:30 -08:00 committed by GitHub
commit 19ea994e56
2 changed files with 59 additions and 49 deletions


@ -34,6 +34,7 @@ if (isset($_SESSION['user'])) {
// Basic auth // Basic auth
if (isset($_POST['user']) && isset($_POST['password'])) { if (isset($_POST['user']) && isset($_POST['password'])) {
if(isset($_SESSION['token']) && isset($_POST['token']) && $_POST['token'] == $_SESSION['token']) {
$v_user = escapeshellarg($_POST['user']); $v_user = escapeshellarg($_POST['user']);
// Send password via tmp file // Send password via tmp file
@ -80,6 +81,8 @@ if (isset($_POST['user']) && isset($_POST['password'])) {
$_SESSION['language'] = 'en'; $_SESSION['language'] = 'en';
} }
// Regenerate session id to prevent session fixation
session_regenerate_id();
// Redirect request to control panel interface // Redirect request to control panel interface
if (!empty($_SESSION['request_uri'])) { if (!empty($_SESSION['request_uri'])) {
@ -91,6 +94,9 @@ if (isset($_POST['user']) && isset($_POST['password'])) {
exit; exit;
} }
} }
} else {
$ERROR = "<a class=\"error\">".__('Invalid or missing token')."</a>";
}
} }
// Check system configuration // Check system configuration
@ -119,6 +125,9 @@ if (empty($_SESSION['language'])) {
} }
} }
// Generate CSRF token
$_SESSION['token'] = md5(uniqid(mt_rand(), true));
require_once($_SERVER['DOCUMENT_ROOT'].'/inc/i18n/'.$_SESSION['language'].'.php'); require_once($_SERVER['DOCUMENT_ROOT'].'/inc/i18n/'.$_SESSION['language'].'.php');
require_once('../templates/header.html'); require_once('../templates/header.html');
require_once('../templates/login.html'); require_once('../templates/login.html');
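Review bot: The token check opening the first hunk compares the submitted and stored tokens with `==`, which is a loose comparison (two hex tokens of the form `0e` followed only by digits compare equal as floats) and is not constant-time; the `if` block it opens continues outside the hunk. Replace the condition with `if (isset($_SESSION['token'], $_POST['token']) && is_string($_POST['token']) && hash_equals($_SESSION['token'], $_POST['token'])) {` so that a non-string `token[]` value and the numeric-string case are both rejected. The token minted in the fourth hunk has the same weakness from the other side: `md5(uniqid(mt_rand(), true))` is built from a predictable generator, so prefer `$_SESSION['token'] = bin2hex(random_bytes(16));` on PHP 7+. In the second hunk, `session_regenerate_id();` leaves the old session record alive; `session_regenerate_id(true);` discards it, which is what actually closes the fixation window the comment describes.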


@ -9,6 +9,7 @@
</td> </td>
<td style="padding: 20px 0 0 0;"> <td style="padding: 20px 0 0 0;">
<form method="post" action="/login/" > <form method="post" action="/login/" >
<input type="hidden" name="token" value="<?php echo $_SESSION['token']; ?>">
<table class="login-box"> <table class="login-box">
<tr> <tr>
<td syle="padding: 12px 0 0 2px;"> <td syle="padding: 12px 0 0 2px;">