diff --git a/core/templates/login.php b/core/templates/login.php index 4ba92221a7..4035dfe8a5 100644 --- a/core/templates/login.php +++ b/core/templates/login.php @@ -12,6 +12,7 @@
/> +
diff --git a/index.php b/index.php index 787485555f..fe8f7f1503 100644 --- a/index.php +++ b/index.php @@ -63,10 +63,9 @@ elseif(OC_User::isLoggedIn()) { } } -} // For all others cases, we display the guest page : -else { +} else { OC_App::loadApps(); $error = false; @@ -84,10 +83,9 @@ else { else { OC_User::unsetMagicInCookie(); } - } // Someone wants to log in : - elseif(isset($_POST["user"]) && isset($_POST['password'])) { + } elseif(isset($_POST["user"]) and isset($_POST['password']) and isset($_SESSION['sectoken']) and isset($_POST['sectoken']) and ($_SESSION['sectoken']==$_POST['sectoken']) ) { if(OC_User::login($_POST["user"], $_POST["password"])) { if(!empty($_POST["remember_login"])){ if(defined("DEBUG") && DEBUG) { @@ -104,9 +102,9 @@ else { } else { $error = true; } - } + // The user is already authenticated using Apaches AuthType Basic... very usable in combination with LDAP - elseif(isset($_SERVER["PHP_AUTH_USER"]) && isset($_SERVER["PHP_AUTH_PW"])){ + } elseif(isset($_SERVER["PHP_AUTH_USER"]) && isset($_SERVER["PHP_AUTH_PW"])){ if (OC_User::login($_SERVER["PHP_AUTH_USER"],$_SERVER["PHP_AUTH_PW"])) { //OC_Log::write('core',"Logged in with HTTP Authentication",OC_Log::DEBUG); OC_User::unsetMagicInCookie(); @@ -115,5 +113,7 @@ else { $error = true; } } - OC_Template::printGuestPage('', 'login', array('error' => $error, 'redirect' => isset($_REQUEST['redirect_url'])?$_REQUEST['redirect_url']:'' )); + $sectoken=rand(1000000,9999999); + $_SESSION['sectoken']=$sectoken; + OC_Template::printGuestPage('', 'login', array('error' => $error, 'sectoken' => $sectoken, 'redirect' => isset($_REQUEST['redirect_url'])?$_REQUEST['redirect_url']:'' )); } diff --git a/lib/base.php b/lib/base.php index 5118f64713..1e28ea1ccf 100644 --- a/lib/base.php +++ b/lib/base.php @@ -363,6 +363,16 @@ class OC{ self::checkInstalled(); self::checkSSL(); + // CSRF protection + if(isset($_SERVER['HTTP_REFERER'])) $referer=$_SERVER['HTTP_REFERER']; else $referer=''; + if(isset($_SERVER['HTTPS']) and $_SERVER['HTTPS']<>'') $protocol='https://'; else $protocol='http://'; + $server=$protocol.$_SERVER['SERVER_NAME']; + if(($_SERVER['REQUEST_METHOD']=='POST') and (substr($referer,0,strlen($server))<>$server)) { + $url = $protocol.$_SERVER['SERVER_NAME'].OC::$WEBROOT.'/index.php'; + header("Location: $url"); + exit(); + } + self::initSession(); self::initTemplateEngine(); self::checkUpgrade(); diff --git a/lib/util.php b/lib/util.php index 0b8ea1ec90..b30b9dfd48 100644 --- a/lib/util.php +++ b/lib/util.php @@ -253,6 +253,9 @@ class OC_Util { } else { $parameters["username"] = ''; } + $sectoken=rand(1000000,9999999); + $_SESSION['sectoken']=$sectoken; + $parameters["sectoken"] = $sectoken; OC_Template::printGuestPage("", "login", $parameters); }