Mirrors
/
nextcloud-server
mirror of https://github.com/nextcloud/server
3
0
Fork 0
Code Releases Activity
Browse Source

some more csrf fixes

remotes/origin/stable4
Frank Karlitschek 14 years ago
parent
d96e962fc1
commit
74b5e22a68
3 changed files with 11 additions and 7 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 1
      core/templates/login.php
  2. 14
      index.php
  3. 3
      lib/util.php

1
core/templates/login.php
View File

@ -12,6 +12,7 @@
<p class="infield">
<label for="password" class="infield"><?php echo $l->t( 'Password' ); ?></label>
<input type="password" name="password" id="password" value="" required <?php echo !empty($_POST['user'])?'autofocus':''; ?> />
<input type="hidden" name="sectoken" id="sectoken" value="<?php echo($_['sectoken']); ?>" />
</p>
<input type="checkbox" name="remember_login" value="1" id="remember_login" /><label for="remember_login"><?php echo $l->t('remember'); ?></label>
<input type="submit" id="submit" class="login" value="<?php echo $l->t( 'Log in' ); ?>" />

14
index.php
View File

@ -59,10 +59,9 @@ elseif(OC_User::isLoggedIn()) {
else {
OC_Util::redirectToDefaultPage();
}
}
// For all others cases, we display the guest page :
else {
} else {
OC_App::loadApps();
$error = false;
@ -80,10 +79,9 @@ else {
else {
OC_User::unsetMagicInCookie();
}
}
// Someone wants to log in :
elseif(isset($_POST["user"]) && isset($_POST['password'])) {
} elseif(isset($_POST["user"]) and isset($_POST['password']) and isset($_SESSION['sectoken']) and isset($_POST['sectoken']) and ($_SESSION['sectoken']==$_POST['sectoken']) ) {
if(OC_User::login($_POST["user"], $_POST["password"])) {
if(!empty($_POST["remember_login"])){
if(defined("DEBUG") && DEBUG) {
@ -100,9 +98,9 @@ else {
} else {
$error = true;
}
}
// The user is already authenticated using Apaches AuthType Basic... very usable in combination with LDAP
elseif(isset($_SERVER["PHP_AUTH_USER"]) && isset($_SERVER["PHP_AUTH_PW"])){
} elseif(isset($_SERVER["PHP_AUTH_USER"]) && isset($_SERVER["PHP_AUTH_PW"])){
if (OC_User::login($_SERVER["PHP_AUTH_USER"],$_SERVER["PHP_AUTH_PW"])) {
//OC_Log::write('core',"Logged in with HTTP Authentication",OC_Log::DEBUG);
OC_User::unsetMagicInCookie();
@ -111,5 +109,7 @@ else {
$error = true;
}
}
OC_Template::printGuestPage('', 'login', array('error' => $error, 'redirect' => isset($_REQUEST['redirect_url'])?$_REQUEST['redirect_url']:'' ));
$sectoken=rand(1000000,9999999);
$_SESSION['sectoken']=$sectoken;
OC_Template::printGuestPage('', 'login', array('error' => $error, 'sectoken' => $sectoken, 'redirect' => isset($_REQUEST['redirect_url'])?$_REQUEST['redirect_url']:'' ));
}

3
lib/util.php
View File

@ -253,6 +253,9 @@ class OC_Util {
} else {
$parameters["username"] = '';
}
$sectoken=rand(1000000,9999999);
$_SESSION['sectoken']=$sectoken;
$parameters["sectoken"] = $sectoken;
OC_Template::printGuestPage("", "login", $parameters);
}

Write Preview
Loading…
Cancel
Save