Security: Add CSRF tokens to login form (#7968)

* Security: Add anti-CSRF tokens to login form

* Update database.php

* Update email.php

* Update totp.php

* Update email.htm

* Update login.htm

* Update totp_secret.htm

* Update totp.htm

* Update username.htm
Alex
2026-05-12 20:19:40 +00:00
committed by GitHub
parent 7bf33e8668
commit cc0d528cff
8 changed files with 72 additions and 35 deletions
@@ -55,6 +55,10 @@ class plugin_database {
*/
function database(authentication $auth, settings $settings) {
//add multi-lingual support
$language = new text;
$text = $language->get(null, '/core/authentication');
//pre-process some settings
$theme_favicon = $settings->get('theme', 'favicon', PROJECT_PATH . '/themes/default/favicon.ico');
$theme_logo = $settings->get('theme', 'logo', PROJECT_PATH . '/themes/default/images/logo_login.png');
@@ -97,12 +101,8 @@ class plugin_database {
$domain_name = $domain_array[0];
//create token
//$object = new token;
//$token = $object->create('login');
//add multi-lingual support
$language = new text;
$text = $language->get(null, '/core/authentication');
$object = new token;
$token = $object->create('login');
//initialize a template object
$view = new template();
@@ -164,8 +164,8 @@ class plugin_database {
$view->assign('messages', message::html(true, ' '));
//add the token name and hash to the view
//$view->assign("token_name", $token['name']);
//$view->assign("token_hash", $token['hash']);
$view->assign("token_name", $token['name']);
$view->assign("token_hash", $token['hash']);
//show the views
$content = $view->render('login.htm');
@@ -174,12 +174,12 @@ class plugin_database {
}
//validate the token
//$token = new token;
//if (!$token->validate($_SERVER['PHP_SELF'])) {
// message::add($text['message-invalid_token'],'negative');
// header('Location: domains.php');
// exit;
//}
$token = new token;
if (!$token->validate('login')) {
message::add($text['message-invalid_token'],'negative');
header('Location: login.php');
exit;
}
//add the authentication details
if (isset($_REQUEST["username"])) {
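Review bot: The name `$token` now holds two different things in `database()`: the array returned by `$object->create('login')` in the render branch (assigned to the view as `$token['name']`/`$token['hash']`) and the `token` object created just before `validate('login')` after the closing brace; renaming the latter, e.g. `$token_object = new token; if (!$token_object->validate('login')) {`, keeps the two uses apart for the next reader. The failure message relies on `$text['message-invalid_token']` from the `/core/authentication` language file loaded at the top of the method; that key is not visible here, so confirm it exists, otherwise `message::add()` receives null and the user sees an empty negative message. Unlike the email and totp plugins this check is not wrapped in a `REQUEST_METHOD === 'POST'` guard, which is the stricter choice given that the next line reads the username from `$_REQUEST`; a one-line comment such as `//validate the anti-CSRF token on every submission path, including GET` would make clear the difference is intentional. The `database()` method continues outside the hunk.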
@@ -65,6 +65,20 @@ class plugin_email {
*/
function email(authentication $auth, settings $settings) {
//add multi-lingual support
$language = new text;
$text = $language->get(null, '/core/authentication');
//validate the token
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
$token = new token;
if (!$token->validate('login')) {
message::add($text['message-invalid_token'], 'negative');
header('Location: login.php');
exit;
}
}
//pre-process some settings
$theme_favicon = $settings->get('theme', 'favicon', PROJECT_PATH . '/themes/default/favicon.ico');
$theme_logo = $settings->get('theme', 'logo', PROJECT_PATH . '/themes/default/images/logo_login.png');
@@ -98,9 +112,9 @@ class plugin_email {
//request the username
if (!isset($_POST['username']) && !isset($_POST['authentication_code'])) {
//add multi-lingual support
$language = new text;
$text = $language->get(null, '/core/authentication');
//create token
$object = new token;
$token = $object->create('login');
//initialize a template object
$view = new template();
@@ -127,6 +141,10 @@ class plugin_email {
//messages
$view->assign('messages', message::html(true, ' '));
//add the token name and hash to the view
$view->assign("token_name", $token['name']);
$view->assign("token_hash", $token['hash']);
//show the views
$content = $view->render('username.htm');
echo $content;
@@ -331,12 +349,8 @@ class plugin_email {
$domain_name = $domain_array[0];
//create token
//$object = new token;
//$token = $object->create('login');
//add multi-lingual support
$language = new text;
$text = $language->get(null, '/core/authentication');
$object = new token;
$token = $object->create('login');
//initialize a template object
$view = new template();
@@ -365,6 +379,10 @@ class plugin_email {
//messages
$view->assign('messages', message::html(true, ' '));
//add the token name and hash to the view
$view->assign("token_name", $token['name']);
$view->assign("token_hash", $token['hash']);
//show the views
$content = $view->render('email.htm');
echo $content;
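Review bot: The guard `if ($_SERVER['REQUEST_METHOD'] === 'POST')` around the `validate('login')` call at the top of `email()` means a request that is not a POST is never checked, so whether the protection is complete depends on the form handlers later in the method (outside this hunk) reading only `$_POST`; the database plugin reads `$_REQUEST["username"]`, and if this plugin does the same anywhere, a submission sent as a query string would skip the token entirely. Either validate unconditionally as database.php does, or make sure every credential read in this plugin uses `$_POST` and add a comment stating that invariant next to the guard, e.g. `//only POST is validated: all form fields in this plugin must be read from $_POST`. The same guard-and-redirect block is pasted verbatim into totp.php (its first hunk) and, without the guard, into database.php; a single helper on the `token` class or a private method per plugin, taking `$text` and doing the method check, validate, `message::add`, redirect and `exit`, would keep the three copies from drifting. The enclosing `email()` method begins and ends outside the hunks shown.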
@@ -70,6 +70,20 @@ class plugin_totp {
*/
function totp(authentication $auth, settings $settings) {
//add multi-lingual support
$language = new text;
$text = $language->get(null, '/core/authentication');
//validate the token
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
$token = new token;
if (!$token->validate('login')) {
message::add($text['message-invalid_token'], 'negative');
header('Location: login.php');
exit;
}
}
//pre-process some settings
$theme_favicon = $settings->get('theme', 'favicon', PROJECT_PATH . '/themes/default/favicon.ico');
$theme_logo = $settings->get('theme', 'logo', PROJECT_PATH . '/themes/default/images/logo_login.png');
@@ -107,12 +121,8 @@ class plugin_totp {
$domain_name = $domain_array[0];
//create token
//$object = new token;
//$token = $object->create('login');
//add multi-lingual support
$language = new text;
$text = $language->get(null, '/core/authentication');
$object = new token;
$token = $object->create('login');
//initialize a template object
$view = new template();
@@ -139,6 +149,10 @@ class plugin_totp {
//messages
$view->assign('messages', message::html(true, ' '));
//add the token name and hash to the view
$view->assign("token_name", $token['name']);
$view->assign("token_hash", $token['hash']);
//show the views
$content = $view->render('username.htm');
echo $content;
@@ -210,12 +224,8 @@ class plugin_totp {
$domain_name = $domain_array[0];
//create token
//$object = new token;
//$token = $object->create('login');
//add multi-lingual support
$language = new text;
$text = $language->get(null, '/core/authentication');
$object = new token;
$token = $object->create('login');
//initialize a template object
$view = new template();
@@ -241,6 +251,10 @@ class plugin_totp {
$view->assign("button_cancel", $text['button-cancel']);
}
//add the token name and hash to the view
$view->assign("token_name", $token['name']);
$view->assign("token_hash", $token['hash']);
//show the views
if (!empty($_SESSION['authentication']['plugin']['database']['authorized']) && empty($this->user_totp_secret)) {
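Review bot: On a failed `validate('login')` near the top of `totp()` the user is sent to `login.php` with `exit`, but the last hunk shows this plugin runs after `$_SESSION['authentication']['plugin']['database']['authorized']` may already be set, so the redirect leaves the first-factor state in the session; confirm that `login.php` (or the authentication flow it restarts) resets that flag, or clear it before redirecting, e.g. `unset($_SESSION['authentication']['plugin']['database']['authorized']);` ahead of the `header('Location: login.php');` line, so a rejected second-factor submission cannot leave a half-authenticated session behind. Since `$text` is now loaded once at the top of the method, the two former in-branch loads were correctly dropped, but the render branches still name the result of `create('login')` `$token` while the guard names the validator object `$token`; a distinct name for the object would avoid confusion. The POST-only scope of the guard is the same as in email.php and is raised there. The `totp()` method continues outside the hunks shown.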
@@ -82,6 +82,7 @@
<a class='login_link' href='{$project_path}/logout.php'>{$button_cancel}</a>
{/if}
</div>
<input type='hidden' name='{$token_name}' value='{$token_hash}'>
</form>
</div>
</div>
@@ -118,6 +118,7 @@
{/foreach}
{/if}
</div>
<input type='hidden' name='{$token_name}' value='{$token_hash}'>
</form>
</div>
</div>
@@ -80,6 +80,7 @@
<br /><br />
<a class='login_link' href='{$project_path}/logout.php'>{$button_cancel}</a>
</div>
<input type='hidden' name='{$token_name}' value='{$token_hash}'>
</form>
</div>
</div>
@@ -29,6 +29,7 @@
<div>
<input type='submit' name='' class='btn' style='width: 100px; margin-top: 15px;' value='{$button_next}' />
</div>
<input type='hidden' name='{$token_name}' value='{$token_hash}'>
</form>
</div>
</div>
@@ -82,6 +82,7 @@
<div>
<input type='submit' id='btn_login' class='btn' style='width: 100px; margin-top: 15px;' value='{$button_login}' />
</div>
<input type='hidden' name='{$token_name}' value='{$token_hash}'>
</form>
</div>
</div>