some more csrf fixes

This commit is contained in:
Frank Karlitschek 2012-04-26 23:17:46 +02:00
parent d96e962fc1
commit 74b5e22a68
3 changed files with 11 additions and 7 deletions

View File

@ -12,6 +12,7 @@
<p class="infield"> <p class="infield">
<label for="password" class="infield"><?php echo $l->t( 'Password' ); ?></label> <label for="password" class="infield"><?php echo $l->t( 'Password' ); ?></label>
<input type="password" name="password" id="password" value="" required <?php echo !empty($_POST['user'])?'autofocus':''; ?> /> <input type="password" name="password" id="password" value="" required <?php echo !empty($_POST['user'])?'autofocus':''; ?> />
<input type="hidden" name="sectoken" id="sectoken" value="<?php echo($_['sectoken']); ?>" />
</p> </p>
<input type="checkbox" name="remember_login" value="1" id="remember_login" /><label for="remember_login"><?php echo $l->t('remember'); ?></label> <input type="checkbox" name="remember_login" value="1" id="remember_login" /><label for="remember_login"><?php echo $l->t('remember'); ?></label>
<input type="submit" id="submit" class="login" value="<?php echo $l->t( 'Log in' ); ?>" /> <input type="submit" id="submit" class="login" value="<?php echo $l->t( 'Log in' ); ?>" />

View File

@ -59,10 +59,9 @@ elseif(OC_User::isLoggedIn()) {
else { else {
OC_Util::redirectToDefaultPage(); OC_Util::redirectToDefaultPage();
} }
}
// For all others cases, we display the guest page : // For all others cases, we display the guest page :
else { } else {
OC_App::loadApps(); OC_App::loadApps();
$error = false; $error = false;
@ -80,10 +79,9 @@ else {
else { else {
OC_User::unsetMagicInCookie(); OC_User::unsetMagicInCookie();
} }
}
// Someone wants to log in : // Someone wants to log in :
elseif(isset($_POST["user"]) && isset($_POST['password'])) { } elseif(isset($_POST["user"]) and isset($_POST['password']) and isset($_SESSION['sectoken']) and isset($_POST['sectoken']) and ($_SESSION['sectoken']==$_POST['sectoken']) ) {
if(OC_User::login($_POST["user"], $_POST["password"])) { if(OC_User::login($_POST["user"], $_POST["password"])) {
if(!empty($_POST["remember_login"])){ if(!empty($_POST["remember_login"])){
if(defined("DEBUG") && DEBUG) { if(defined("DEBUG") && DEBUG) {
@ -100,9 +98,9 @@ else {
} else { } else {
$error = true; $error = true;
} }
}
// The user is already authenticated using Apaches AuthType Basic... very usable in combination with LDAP // The user is already authenticated using Apaches AuthType Basic... very usable in combination with LDAP
elseif(isset($_SERVER["PHP_AUTH_USER"]) && isset($_SERVER["PHP_AUTH_PW"])){ } elseif(isset($_SERVER["PHP_AUTH_USER"]) && isset($_SERVER["PHP_AUTH_PW"])){
if (OC_User::login($_SERVER["PHP_AUTH_USER"],$_SERVER["PHP_AUTH_PW"])) { if (OC_User::login($_SERVER["PHP_AUTH_USER"],$_SERVER["PHP_AUTH_PW"])) {
//OC_Log::write('core',"Logged in with HTTP Authentication",OC_Log::DEBUG); //OC_Log::write('core',"Logged in with HTTP Authentication",OC_Log::DEBUG);
OC_User::unsetMagicInCookie(); OC_User::unsetMagicInCookie();
@ -111,5 +109,7 @@ else {
$error = true; $error = true;
} }
} }
OC_Template::printGuestPage('', 'login', array('error' => $error, 'redirect' => isset($_REQUEST['redirect_url'])?$_REQUEST['redirect_url']:'' )); $sectoken=rand(1000000,9999999);
$_SESSION['sectoken']=$sectoken;
OC_Template::printGuestPage('', 'login', array('error' => $error, 'sectoken' => $sectoken, 'redirect' => isset($_REQUEST['redirect_url'])?$_REQUEST['redirect_url']:'' ));
} }

View File

@ -253,6 +253,9 @@ class OC_Util {
} else { } else {
$parameters["username"] = ''; $parameters["username"] = '';
} }
$sectoken=rand(1000000,9999999);
$_SESSION['sectoken']=$sectoken;
$parameters["sectoken"] = $sectoken;
OC_Template::printGuestPage("", "login", $parameters); OC_Template::printGuestPage("", "login", $parameters);
} }