remove hidden fields from login/passwd-reset; refs #1102

Signed-off-by: Michael Kaufmann <d00p@froxlor.org>
2023-06-05 12:10:39 +02:00
parent 3940c1429d
commit 9ddf24539e
4 changed files with 20 additions and 22 deletions
--- a/index.php
+++ b/index.php
@@ -161,7 +161,7 @@ if ($action == '2fa_entercode') {
 	]);
 	exit();
 } elseif ($action == 'login') {
-	if (isset($_POST['send']) && $_POST['send'] == 'send') {
+	if (!empty($_POST)) {
 		$loginname = Validate::validate($_POST['loginname'], 'loginname');
 		$password = Validate::validate($_POST['password'], 'password');

@@ -431,13 +431,13 @@ if ($action == '2fa_entercode') {
 		}
 		$lastqrystr = "";
 		if (isset($_REQUEST['qrystr']) && $_REQUEST['qrystr'] != "") {
-			$lastqrystr = htmlspecialchars($_REQUEST['qrystr'], ENT_QUOTES);
+			$lastqrystr = urlencode($_REQUEST['qrystr']);
 		}
+		$_SESSION['lastscript'] = $lastscript;
+		$_SESSION['lastqrystr'] = $lastqrystr;

 		UI::view('login/login.html.twig', [
 			'pagetitle' => 'Login',
-			'lastscript' => $lastscript,
-			'lastqrystr' => $lastqrystr,
 			'upd_in_progress' => $update_in_progress,
 			'message' => $message,
 			'successmsg' => $successmessage
@@ -449,7 +449,7 @@ if ($action == 'forgotpwd') {
 	$adminchecked = false;
 	$message = '';

-	if (isset($_POST['send']) && $_POST['send'] == 'send') {
+	if (!empty($_POST)) {
 		$loginname = Validate::validate($_POST['loginname'], 'loginname');
 		$email = Validate::validateEmail($_POST['loginemail']);
 		$result_stmt = Database::prepare("SELECT `adminid`, `customerid`, `customernumber`, `firstname`, `name`, `company`, `email`, `loginname`, `def_language`, `deactivated` FROM `" . TABLE_PANEL_CUSTOMERS . "`
@@ -633,7 +633,7 @@ if ($action == 'forgotpwd') {

 	UI::view('login/fpwd.html.twig', [
 		'pagetitle' => lng('login.presend'),
-		'action' => $action,
+		'formaction' => 'index.php?action='.$action,
 		'message' => $message,
 	]);
 }
@@ -656,7 +656,7 @@ if ($action == 'resetpwd') {
 		$check = substr($activationcode, 40, 10);

 		if (substr(md5($third . $timestamp), 0, 10) == $check && $timestamp >= time() - 86400) {
-			if (isset($_POST['send']) && $_POST['send'] == 'send') {
+			if (!empty($_POST)) {
 				$stmt = Database::prepare("SELECT `userid`, `admin` FROM `" . TABLE_PANEL_ACTIVATION . "`
 					WHERE `activationcode` = :activationcode");
 				$result = Database::pexecute_first($stmt, [
@@ -746,29 +746,34 @@ function finishLogin($userinfo)
 		}

 		$qryparams = [];
-		if (isset($_POST['qrystr']) && $_POST['qrystr'] != "") {
-			parse_str(urldecode($_POST['qrystr']), $qryparams);
+		if (isset($_SESSION['lastqrystr']) && !empty($_SESSION['lastqrystr'])) {
+			parse_str(urldecode($_SESSION['lastqrystr']), $qryparams);
+			unset($_SESSION['lastqrystr']);
 		}

 		if ($userinfo['adminsession'] == '1') {
 			if (Froxlor::hasUpdates() || Froxlor::hasDbUpdates()) {
 				Response::redirectTo('admin_updates.php?page=overview');
 			} else {
-				if (isset($_POST['script']) && $_POST['script'] != "") {
-					if (preg_match("/customer\_/", $_POST['script']) === 1) {
+				if (isset($_SESSION['lastscript']) && !empty($_SESSION['lastscript'])) {
+					$lastscript = $_SESSION['lastscript'];
+					unset($_SESSION['lastscript']);
+					if (preg_match("/customer\_/", $lastscript) === 1) {
 						Response::redirectTo('admin_customers.php', [
 							"page" => "customers"
 						]);
 					} else {
-						Response::redirectTo($_POST['script'], $qryparams);
+						Response::redirectTo($lastscript, $qryparams);
 					}
 				} else {
 					Response::redirectTo('admin_index.php', $qryparams);
 				}
 			}
 		} else {
-			if (isset($_POST['script']) && $_POST['script'] != "") {
-				Response::redirectTo($_POST['script'], $qryparams);
+			if (isset($_SESSION['lastscript']) && !empty($_SESSION['lastscript'])) {
+				$lastscript = $_SESSION['lastscript'];
+				unset($_SESSION['lastscript']);
+				Response::redirectTo($lastscript, $qryparams);
 			} else {
 				Response::redirectTo('customer_index.php', $qryparams);
 			}
--- a/templates/Froxlor/login/fpwd.html.twig
+++ b/templates/Froxlor/login/fpwd.html.twig
@@ -3,7 +3,7 @@
 {% block content %}
 	<div class="container">
 		<div class="row justify-content-center">
-			<form class="col-12 max-w-420 d-flex flex-column" method="post" enctype="application/x-www-form-urlencoded">
+			<form action="{{ formaction }}" class="col-12 max-w-420 d-flex flex-column" method="post" enctype="application/x-www-form-urlencoded">
 				<img class="align-self-center my-5" src="{{ header_logo_login }}" alt="Froxlor Server Management Panel"/>

 				<div class="card shadow">
@@ -38,8 +38,6 @@
 					</div>

 					<div class="card-body d-grid gap-2">
-						<input type="hidden" name="action" value="{{ action }}"/>
-						<input type="hidden" name="send" value="send"/>
 						<button class="btn btn-primary rounded-top-0" type="submit" name="doremind">{{ lng('login.remind') }}</button>
 					</div>

--- a/templates/Froxlor/login/login.html.twig
+++ b/templates/Froxlor/login/login.html.twig
@@ -39,9 +39,6 @@
 					</div>

 					<div class="card-body d-grid gap-2">
-						<input type="hidden" name="script" value="{{ lastscript }}"/>
-						<input type="hidden" name="qrystr" value="{{ lastqrystr|raw }}"/>
-						<input type="hidden" name="send" value="send"/>
 						<button class="btn btn-primary rounded-top-0" type="submit" name="dologin">{{ lng('login.login') }}</button>
 					</div>

--- a/templates/Froxlor/login/rpwd.html.twig
+++ b/templates/Froxlor/login/rpwd.html.twig
@@ -30,8 +30,6 @@
 					</div>

 					<div class="card-body d-grid gap-2">
-						<input type="hidden" name="action" value="resetpwd"/>
-						<input type="hidden" name="send" value="send"/>
 						<button class="btn btn-primary rounded-top-0" type="submit" name="doremind">{{ lng('login.remind') }}</button>
 					</div>