remove hidden fields from login/passwd-reset; refs #1102

Signed-off-by: Michael Kaufmann <d00p@froxlor.org>
Michael Kaufmann
2023-06-05 12:10:39 +02:00
parent 3940c1429d
commit 9ddf24539e
4 changed files with 20 additions and 22 deletions


@@ -161,7 +161,7 @@ if ($action == '2fa_entercode') {
]); ]);
exit(); exit();
} elseif ($action == 'login') { } elseif ($action == 'login') {
if (isset($_POST['send']) && $_POST['send'] == 'send') { if (!empty($_POST)) {
$loginname = Validate::validate($_POST['loginname'], 'loginname'); $loginname = Validate::validate($_POST['loginname'], 'loginname');
$password = Validate::validate($_POST['password'], 'password'); $password = Validate::validate($_POST['password'], 'password');
@@ -431,13 +431,13 @@ if ($action == '2fa_entercode') {
} }
$lastqrystr = ""; $lastqrystr = "";
if (isset($_REQUEST['qrystr']) && $_REQUEST['qrystr'] != "") { if (isset($_REQUEST['qrystr']) && $_REQUEST['qrystr'] != "") {
$lastqrystr = htmlspecialchars($_REQUEST['qrystr'], ENT_QUOTES); $lastqrystr = urlencode($_REQUEST['qrystr']);
} }
$_SESSION['lastscript'] = $lastscript;
$_SESSION['lastqrystr'] = $lastqrystr;
UI::view('login/login.html.twig', [ UI::view('login/login.html.twig', [
'pagetitle' => 'Login', 'pagetitle' => 'Login',
'lastscript' => $lastscript,
'lastqrystr' => $lastqrystr,
'upd_in_progress' => $update_in_progress, 'upd_in_progress' => $update_in_progress,
'message' => $message, 'message' => $message,
'successmsg' => $successmessage 'successmsg' => $successmessage
@@ -449,7 +449,7 @@ if ($action == 'forgotpwd') {
$adminchecked = false; $adminchecked = false;
$message = ''; $message = '';
if (isset($_POST['send']) && $_POST['send'] == 'send') { if (!empty($_POST)) {
$loginname = Validate::validate($_POST['loginname'], 'loginname'); $loginname = Validate::validate($_POST['loginname'], 'loginname');
$email = Validate::validateEmail($_POST['loginemail']); $email = Validate::validateEmail($_POST['loginemail']);
$result_stmt = Database::prepare("SELECT `adminid`, `customerid`, `customernumber`, `firstname`, `name`, `company`, `email`, `loginname`, `def_language`, `deactivated` FROM `" . TABLE_PANEL_CUSTOMERS . "` $result_stmt = Database::prepare("SELECT `adminid`, `customerid`, `customernumber`, `firstname`, `name`, `company`, `email`, `loginname`, `def_language`, `deactivated` FROM `" . TABLE_PANEL_CUSTOMERS . "`
@@ -633,7 +633,7 @@ if ($action == 'forgotpwd') {
UI::view('login/fpwd.html.twig', [ UI::view('login/fpwd.html.twig', [
'pagetitle' => lng('login.presend'), 'pagetitle' => lng('login.presend'),
'action' => $action, 'formaction' => 'index.php?action='.$action,
'message' => $message, 'message' => $message,
]); ]);
} }
@@ -656,7 +656,7 @@ if ($action == 'resetpwd') {
$check = substr($activationcode, 40, 10); $check = substr($activationcode, 40, 10);
if (substr(md5($third . $timestamp), 0, 10) == $check && $timestamp >= time() - 86400) { if (substr(md5($third . $timestamp), 0, 10) == $check && $timestamp >= time() - 86400) {
if (isset($_POST['send']) && $_POST['send'] == 'send') { if (!empty($_POST)) {
$stmt = Database::prepare("SELECT `userid`, `admin` FROM `" . TABLE_PANEL_ACTIVATION . "` $stmt = Database::prepare("SELECT `userid`, `admin` FROM `" . TABLE_PANEL_ACTIVATION . "`
WHERE `activationcode` = :activationcode"); WHERE `activationcode` = :activationcode");
$result = Database::pexecute_first($stmt, [ $result = Database::pexecute_first($stmt, [
@@ -746,29 +746,34 @@ function finishLogin($userinfo)
} }
$qryparams = []; $qryparams = [];
if (isset($_POST['qrystr']) && $_POST['qrystr'] != "") { if (isset($_SESSION['lastqrystr']) && !empty($_SESSION['lastqrystr'])) {
parse_str(urldecode($_POST['qrystr']), $qryparams); parse_str(urldecode($_SESSION['lastqrystr']), $qryparams);
unset($_SESSION['lastqrystr']);
} }
if ($userinfo['adminsession'] == '1') { if ($userinfo['adminsession'] == '1') {
if (Froxlor::hasUpdates() || Froxlor::hasDbUpdates()) { if (Froxlor::hasUpdates() || Froxlor::hasDbUpdates()) {
Response::redirectTo('admin_updates.php?page=overview'); Response::redirectTo('admin_updates.php?page=overview');
} else { } else {
if (isset($_POST['script']) && $_POST['script'] != "") { if (isset($_SESSION['lastscript']) && !empty($_SESSION['lastscript'])) {
if (preg_match("/customer\_/", $_POST['script']) === 1) { $lastscript = $_SESSION['lastscript'];
unset($_SESSION['lastscript']);
if (preg_match("/customer\_/", $lastscript) === 1) {
Response::redirectTo('admin_customers.php', [ Response::redirectTo('admin_customers.php', [
"page" => "customers" "page" => "customers"
]); ]);
} else { } else {
Response::redirectTo($_POST['script'], $qryparams); Response::redirectTo($lastscript, $qryparams);
} }
} else { } else {
Response::redirectTo('admin_index.php', $qryparams); Response::redirectTo('admin_index.php', $qryparams);
} }
} }
} else { } else {
if (isset($_POST['script']) && $_POST['script'] != "") { if (isset($_SESSION['lastscript']) && !empty($_SESSION['lastscript'])) {
Response::redirectTo($_POST['script'], $qryparams); $lastscript = $_SESSION['lastscript'];
unset($_SESSION['lastscript']);
Response::redirectTo($lastscript, $qryparams);
} else { } else {
Response::redirectTo('customer_index.php', $qryparams); Response::redirectTo('customer_index.php', $qryparams);
} }
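Review bot: In finishLogin, `$_SESSION['lastscript']` is cleared only on the two branches that consume it, so an admin routed to `admin_updates.php` by the hasUpdates branch leaves the stored script in the session, where it can steer the redirect of a later login in the same session (if the session is not destroyed in between), while `lastqrystr` was already consumed one step earlier; read both keys into locals and clear them unconditionally at the top of the function, e.g. `$lastscript = $_SESSION['lastscript'] ?? ''; $lastqrystr = $_SESSION['lastqrystr'] ?? ''; unset($_SESSION['lastscript'], $_SESSION['lastqrystr']);`, and then test `$lastscript !== ''` in place of the two `isset(...) && !empty(...)` checks (`!empty` already implies `isset`). Where `$lastscript` is assigned lies outside this hunk; since it becomes the target of `Response::redirectTo` it should stay restricted to a local script name (no scheme, host or path traversal), which is worth confirming rather than relying on the `customer_` regex alone. The new `!empty($_POST)` guard in the login, forgotpwd and resetpwd hunks no longer guarantees that `loginname`, `password` or `loginemail` were submitted, so a POST carrying any other field reaches `Validate::validate($_POST['loginname'], ...)` with an undefined index; use `$_POST['loginname'] ?? ''` (and likewise for the other two) there. finishLogin continues past the end of this hunk.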


@@ -3,7 +3,7 @@
{% block content %} {% block content %}
<div class="container"> <div class="container">
<div class="row justify-content-center"> <div class="row justify-content-center">
<form class="col-12 max-w-420 d-flex flex-column" method="post" enctype="application/x-www-form-urlencoded"> <form action="{{ formaction }}" class="col-12 max-w-420 d-flex flex-column" method="post" enctype="application/x-www-form-urlencoded">
<img class="align-self-center my-5" src="{{ header_logo_login }}" alt="Froxlor Server Management Panel"/> <img class="align-self-center my-5" src="{{ header_logo_login }}" alt="Froxlor Server Management Panel"/>
<div class="card shadow"> <div class="card shadow">
@@ -38,8 +38,6 @@
</div> </div>
<div class="card-body d-grid gap-2"> <div class="card-body d-grid gap-2">
<input type="hidden" name="action" value="{{ action }}"/>
<input type="hidden" name="send" value="send"/>
<button class="btn btn-primary rounded-top-0" type="submit" name="doremind">{{ lng('login.remind') }}</button> <button class="btn btn-primary rounded-top-0" type="submit" name="doremind">{{ lng('login.remind') }}</button>
</div> </div>


@@ -39,9 +39,6 @@
</div> </div>
<div class="card-body d-grid gap-2"> <div class="card-body d-grid gap-2">
<input type="hidden" name="script" value="{{ lastscript }}"/>
<input type="hidden" name="qrystr" value="{{ lastqrystr|raw }}"/>
<input type="hidden" name="send" value="send"/>
<button class="btn btn-primary rounded-top-0" type="submit" name="dologin">{{ lng('login.login') }}</button> <button class="btn btn-primary rounded-top-0" type="submit" name="dologin">{{ lng('login.login') }}</button>
</div> </div>


@@ -30,8 +30,6 @@
</div> </div>
<div class="card-body d-grid gap-2"> <div class="card-body d-grid gap-2">
<input type="hidden" name="action" value="resetpwd"/>
<input type="hidden" name="send" value="send"/>
<button class="btn btn-primary rounded-top-0" type="submit" name="doremind">{{ lng('login.remind') }}</button> <button class="btn btn-primary rounded-top-0" type="submit" name="doremind">{{ lng('login.remind') }}</button>
</div> </div>