From cc0d528cff385d9b43b24c9e7343dae74055aec8 Mon Sep 17 00:00:00 2001
From: Alex <40072887+alexdcrane@users.noreply.github.com>
Date: Tue, 12 May 2026 20:19:40 +0000
Subject: [PATCH] Security: Add CSRF tokens to login form (#7968)
* Security: Add anti-CSRF tokens to login form
* Update database.php
* Update email.php
* Update totp.php
* Update email.htm
* Update login.htm
* Update totp_secret.htm
* Update totp.htm
* Update username.htm
---
.../resources/classes/plugins/database.php | 28 +++++++-------
.../resources/classes/plugins/email.php | 36 +++++++++++++-----
.../resources/classes/plugins/totp.php | 38 +++++++++++++------
core/authentication/resources/views/email.htm | 1 +
core/authentication/resources/views/login.htm | 1 +
core/authentication/resources/views/totp.htm | 1 +
.../resources/views/totp_secret.htm | 1 +
.../resources/views/username.htm | 1 +
8 files changed, 72 insertions(+), 35 deletions(-)
diff --git a/core/authentication/resources/classes/plugins/database.php b/core/authentication/resources/classes/plugins/database.php
index 1b161bc65..00f5dc124 100644
--- a/core/authentication/resources/classes/plugins/database.php
+++ b/core/authentication/resources/classes/plugins/database.php
@@ -55,6 +55,10 @@ class plugin_database {
*/
function database(authentication $auth, settings $settings) {
+ //add multi-lingual support
+ $language = new text;
+ $text = $language->get(null, '/core/authentication');
+
//pre-process some settings
$theme_favicon = $settings->get('theme', 'favicon', PROJECT_PATH . '/themes/default/favicon.ico');
$theme_logo = $settings->get('theme', 'logo', PROJECT_PATH . '/themes/default/images/logo_login.png');
@@ -97,12 +101,8 @@ class plugin_database {
$domain_name = $domain_array[0];
//create token
- //$object = new token;
- //$token = $object->create('login');
-
- //add multi-lingual support
- $language = new text;
- $text = $language->get(null, '/core/authentication');
+ $object = new token;
+ $token = $object->create('login');
//initialize a template object
$view = new template();
@@ -164,8 +164,8 @@ class plugin_database {
$view->assign('messages', message::html(true, ' '));
//add the token name and hash to the view
- //$view->assign("token_name", $token['name']);
- //$view->assign("token_hash", $token['hash']);
+ $view->assign("token_name", $token['name']);
+ $view->assign("token_hash", $token['hash']);
//show the views
$content = $view->render('login.htm');
@@ -174,12 +174,12 @@ class plugin_database {
}
//validate the token
- //$token = new token;
- //if (!$token->validate($_SERVER['PHP_SELF'])) {
- // message::add($text['message-invalid_token'],'negative');
- // header('Location: domains.php');
- // exit;
- //}
+ $token = new token;
+ if (!$token->validate('login')) {
+ message::add($text['message-invalid_token'],'negative');
+ header('Location: login.php');
+ exit;
+ }
//add the authentication details
if (isset($_REQUEST["username"])) {
diff --git a/core/authentication/resources/classes/plugins/email.php b/core/authentication/resources/classes/plugins/email.php
index faba15e48..6a020978b 100644
--- a/core/authentication/resources/classes/plugins/email.php
+++ b/core/authentication/resources/classes/plugins/email.php
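Review bot: The context line right after the new token check reads the credentials from `$_REQUEST["username"]`, so a username (and presumably the password handled further down) arriving in the query string is still accepted once the token passes, while the token itself is issued as a hidden field of the POST form and the email and totp plugins in this same commit gate their check on `REQUEST_METHOD === 'POST'`. Keeping the CSRF gate and the credential read on the same method avoids a GET login path whose token and password both land in proxy and server logs: `if (isset($_POST["username"])) {`. Whether `token::validate('login')` itself only reads `$_POST` is not visible in this hunk and should be confirmed in the token class. The enclosing `database()` method continues outside the hunk.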
@@ -65,6 +65,20 @@ class plugin_email {
*/
function email(authentication $auth, settings $settings) {
+ //add multi-lingual support
+ $language = new text;
+ $text = $language->get(null, '/core/authentication');
+
+ //validate the token
+ if ($_SERVER['REQUEST_METHOD'] === 'POST') {
+ $token = new token;
+ if (!$token->validate('login')) {
+ message::add($text['message-invalid_token'], 'negative');
+ header('Location: login.php');
+ exit;
+ }
+ }
+
//pre-process some settings
$theme_favicon = $settings->get('theme', 'favicon', PROJECT_PATH . '/themes/default/favicon.ico');
$theme_logo = $settings->get('theme', 'logo', PROJECT_PATH . '/themes/default/images/logo_login.png');
@@ -98,9 +112,9 @@ class plugin_email {
//request the username
if (!isset($_POST['username']) && !isset($_POST['authentication_code'])) {
- //add multi-lingual support
- $language = new text;
- $text = $language->get(null, '/core/authentication');
+ //create token
+ $object = new token;
+ $token = $object->create('login');
//initialize a template object
$view = new template();
@@ -127,6 +141,10 @@ class plugin_email {
//messages
$view->assign('messages', message::html(true, ' '));
+ //add the token name and hash to the view
+ $view->assign("token_name", $token['name']);
+ $view->assign("token_hash", $token['hash']);
+
//show the views
$content = $view->render('username.htm');
echo $content;
@@ -331,12 +349,8 @@ class plugin_email {
$domain_name = $domain_array[0];
//create token
- //$object = new token;
- //$token = $object->create('login');
-
- //add multi-lingual support
- $language = new text;
- $text = $language->get(null, '/core/authentication');
+ $object = new token;
+ $token = $object->create('login');
//initialize a template object
$view = new template();
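Review bot: The token check added at the top of `email()` runs for every POST that reaches this plugin, before the plugin knows whether the posted form was its own; when the login.htm POST is first handled by the database plugin and then falls through to this plugin in the same request, `validate('login')` is called a second time on the same token. Whether `token::validate` is single-use (consumes the token on success) is not visible here; if it is, the second call fails and a correct login is bounced to login.php with an "invalid token" message. Either confirm that a token may be validated repeatedly within one request, or scope this check to this plugin's own submissions, e.g. `if ($_SERVER['REQUEST_METHOD'] === 'POST' && (isset($_POST['username']) || isset($_POST['authentication_code']))) {`. A one-line comment above the block stating which forms it protects (`//reject POSTs that do not carry the hidden token issued with username.htm / email.htm`) would make that intent checkable. The `email()` method continues outside the hunk.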
@@ -365,6 +379,10 @@ class plugin_email {
//messages
$view->assign('messages', message::html(true, ' '));
+ //add the token name and hash to the view
+ $view->assign("token_name", $token['name']);
+ $view->assign("token_hash", $token['hash']);
+
//show the views
$content = $view->render('email.htm');
echo $content;
diff --git a/core/authentication/resources/classes/plugins/totp.php b/core/authentication/resources/classes/plugins/totp.php
index c6d84c299..67d8ea66a 100644
--- a/core/authentication/resources/classes/plugins/totp.php
+++ b/core/authentication/resources/classes/plugins/totp.php
@@ -70,6 +70,20 @@ class plugin_totp {
*/
function totp(authentication $auth, settings $settings) {
+ //add multi-lingual support
+ $language = new text;
+ $text = $language->get(null, '/core/authentication');
+
+ //validate the token
+ if ($_SERVER['REQUEST_METHOD'] === 'POST') {
+ $token = new token;
+ if (!$token->validate('login')) {
+ message::add($text['message-invalid_token'], 'negative');
+ header('Location: login.php');
+ exit;
+ }
+ }
+
//pre-process some settings
$theme_favicon = $settings->get('theme', 'favicon', PROJECT_PATH . '/themes/default/favicon.ico');
$theme_logo = $settings->get('theme', 'logo', PROJECT_PATH . '/themes/default/images/logo_login.png');
@@ -107,12 +121,8 @@ class plugin_totp {
$domain_name = $domain_array[0];
//create token
- //$object = new token;
- //$token = $object->create('login');
-
- //add multi-lingual support
- $language = new text;
- $text = $language->get(null, '/core/authentication');
+ $object = new token;
+ $token = $object->create('login');
//initialize a template object
$view = new template();
@@ -139,6 +149,10 @@ class plugin_totp {
//messages
$view->assign('messages', message::html(true, ' '));
+ //add the token name and hash to the view
+ $view->assign("token_name", $token['name']);
+ $view->assign("token_hash", $token['hash']);
+
//show the views
$content = $view->render('username.htm');
echo $content;
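Review bot: The nine-line token gate in the `totp()` hunk is a verbatim copy of the one added to `email()`, and `database()` carries a third variant with a different message spacing and no method check; three copies of the same redirect-and-exit will drift (the removed code shows this already happened once, with `domains.php` as the old target). Lifting it into one shared helper on the token class or the `authentication` class, e.g. `token::require_valid('login', 'login.php', $text['message-invalid_token'])`, keeps the token name, the redirect target and the failure message in one place. The helper should document that it terminates the request on failure (`//redirects and exits; never returns on an invalid or missing token`), since the `exit` is what makes the guard effective. The `totp()` method continues outside the hunk.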
@@ -210,12 +224,8 @@ class plugin_totp {
$domain_name = $domain_array[0];
//create token
- //$object = new token;
- //$token = $object->create('login');
-
- //add multi-lingual support
- $language = new text;
- $text = $language->get(null, '/core/authentication');
+ $object = new token;
+ $token = $object->create('login');
//initialize a template object
$view = new template();
@@ -241,6 +251,10 @@ class plugin_totp {
$view->assign("button_cancel", $text['button-cancel']);
}
+ //add the token name and hash to the view
+ $view->assign("token_name", $token['name']);
+ $view->assign("token_hash", $token['hash']);
+
//show the views
if (!empty($_SESSION['authentication']['plugin']['database']['authorized']) && empty($this->user_totp_secret)) {
diff --git a/core/authentication/resources/views/email.htm b/core/authentication/resources/views/email.htm
index 2f35985e7..6f6698619 100644
--- a/core/authentication/resources/views/email.htm
+++ b/core/authentication/resources/views/email.htm
@@ -82,6 +82,7 @@
{$button_cancel} {/if}
+
diff --git a/core/authentication/resources/views/login.htm b/core/authentication/resources/views/login.htm
index eb55b5d05..4ca16eb1a 100644
--- a/core/authentication/resources/views/login.htm
+++ b/core/authentication/resources/views/login.htm
@@ -118,6 +118,7 @@
{/foreach} {/if}
+
diff --git a/core/authentication/resources/views/totp.htm b/core/authentication/resources/views/totp.htm
index 6a8f13d3e..5b5dd9583 100644
--- a/core/authentication/resources/views/totp.htm
+++ b/core/authentication/resources/views/totp.htm
@@ -80,6 +80,7 @@
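Review bot: Within the same `totp()` method, `$token` now holds a `token` object in the POST gate at the top of the method and, in the `@@ -210` hunk here, the array returned by `$object->create('login')`, so a reader following `$token['name']` two hunks later has to work out which of the two it is. Renaming the array to something like `$login_token = $object->create('login');` and assigning `$login_token['name']` / `$login_token['hash']` to the view removes the ambiguity without changing behaviour. A short comment at the creation site (`//fresh hidden-field token for the totp form; validated by the POST gate at the top of this method`) would also tie the two halves of the mechanism together, since they are some 150 lines apart. The `totp()` method starts and ends outside these hunks.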

{$button_cancel}
+
diff --git a/core/authentication/resources/views/totp_secret.htm b/core/authentication/resources/views/totp_secret.htm
index 88d3ec230..11891ec78 100644
--- a/core/authentication/resources/views/totp_secret.htm
+++ b/core/authentication/resources/views/totp_secret.htm
@@ -29,6 +29,7 @@
+
diff --git a/core/authentication/resources/views/username.htm b/core/authentication/resources/views/username.htm
index 4547cec60..28dbe7307 100644
--- a/core/authentication/resources/views/username.htm
+++ b/core/authentication/resources/views/username.htm
@@ -82,6 +82,7 @@
+