correctly redirect to last-page if session is timed out and remove passing script/qrystr url parameters

Signed-off-by: Michael Kaufmann <d00p@froxlor.org>
This commit is contained in:
Michael Kaufmann
2023-08-11 12:09:23 +02:00
parent 52a06bf806
commit fcfd44f726
6 changed files with 25 additions and 17 deletions


@@ -77,6 +77,7 @@ if (($page == 'admins' || $page == 'overview') && $userinfo['change_serversettin
$result['switched_user'] = CurrentUser::getData(); $result['switched_user'] = CurrentUser::getData();
$result['adminsession'] = 1; $result['adminsession'] = 1;
$result['userid'] = $result['adminid']; $result['userid'] = $result['adminid'];
session_regenerate_id(true);
CurrentUser::setData($result); CurrentUser::setData($result);
$log->logAction( $log->logAction(
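Review bot: The added `session_regenerate_id(true)` removes the old session store at once, so a request still in flight under the previous id (for example a parallel XHR issued from the page that triggered the switch) finds no data, and unless `session.use_strict_mode` is enabled PHP would accept that stale id and start an empty session for it; the same `true` argument is introduced at the customer switch, the switched-user logout and in `finishLogin`, so this note covers all four. Regenerating the id on a privilege change is the right call and the immediate deletion is presumably deliberate, but a short comment would make that trade-off visible, e.g. `// privilege change: issue a new session id and drop the old store right away`. The enclosing `if` starts before this hunk.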


@@ -94,7 +94,7 @@ if (($page == 'customers' || $page == 'overview') && $userinfo['customers'] != '
$result['switched_user'] = CurrentUser::getData(); $result['switched_user'] = CurrentUser::getData();
$result['adminsession'] = 0; $result['adminsession'] = 0;
$result['userid'] = $result['customerid']; $result['userid'] = $result['customerid'];
session_regenerate_id(); session_regenerate_id(true);
CurrentUser::setData($result); CurrentUser::setData($result);
$log->logAction(FroxlorLogger::ADM_ACTION, LOG_INFO, "switched user and is now '" . $destination_user . "'"); $log->logAction(FroxlorLogger::ADM_ACTION, LOG_INFO, "switched user and is now '" . $destination_user . "'");


@@ -53,7 +53,7 @@ if ($action == 'logout') {
if (is_array(CurrentUser::getField('switched_user'))) { if (is_array(CurrentUser::getField('switched_user'))) {
$result = CurrentUser::getData(); $result = CurrentUser::getData();
$result = $result['switched_user']; $result = $result['switched_user'];
session_regenerate_id(); session_regenerate_id(true);
CurrentUser::setData($result); CurrentUser::setData($result);
$target = (isset($_GET['target']) ? $_GET['target'] : 'index'); $target = (isset($_GET['target']) ? $_GET['target'] : 'index');
$redirect = "admin_" . $target . ".php"; $redirect = "admin_" . $target . ".php";


@@ -434,8 +434,13 @@ if ($action == '2fa_entercode') {
if (isset($_REQUEST['qrystr']) && $_REQUEST['qrystr'] != "") { if (isset($_REQUEST['qrystr']) && $_REQUEST['qrystr'] != "") {
$lastqrystr = urlencode($_REQUEST['qrystr']); $lastqrystr = urlencode($_REQUEST['qrystr']);
} }
$_SESSION['lastscript'] = $lastscript;
$_SESSION['lastqrystr'] = $lastqrystr; if (!empty($lastscript)) {
$_SESSION['lastscript'] = $lastscript;
}
if (!empty($lastqrystr)) {
$_SESSION['lastqrystr'] = $lastqrystr;
}
UI::view('login/login.html.twig', [ UI::view('login/login.html.twig', [
'pagetitle' => 'Login', 'pagetitle' => 'Login',
@@ -634,7 +639,7 @@ if ($action == 'forgotpwd') {
UI::view('login/fpwd.html.twig', [ UI::view('login/fpwd.html.twig', [
'pagetitle' => lng('login.presend'), 'pagetitle' => lng('login.presend'),
'formaction' => 'index.php?action='.$action, 'formaction' => 'index.php?action=' . $action,
'message' => $message, 'message' => $message,
]); ]);
} }
@@ -786,7 +791,7 @@ if ($action == 'll') {
function finishLogin($userinfo) function finishLogin($userinfo)
{ {
if (isset($userinfo['userid']) && $userinfo['userid'] != '') { if (isset($userinfo['userid']) && $userinfo['userid'] != '') {
session_regenerate_id(); session_regenerate_id(true);
CurrentUser::setData($userinfo); CurrentUser::setData($userinfo);
$language = $userinfo['def_language'] ?? Settings::Get('panel.standardlanguage'); $language = $userinfo['def_language'] ?? Settings::Get('panel.standardlanguage');
@@ -800,7 +805,7 @@ function finishLogin($userinfo)
} }
$qryparams = []; $qryparams = [];
if (isset($_SESSION['lastqrystr']) && !empty($_SESSION['lastqrystr'])) { if (!empty($_SESSION['lastqrystr'])) {
parse_str(urldecode($_SESSION['lastqrystr']), $qryparams); parse_str(urldecode($_SESSION['lastqrystr']), $qryparams);
unset($_SESSION['lastqrystr']); unset($_SESSION['lastqrystr']);
} }
@@ -809,7 +814,7 @@ function finishLogin($userinfo)
if (Froxlor::hasUpdates() || Froxlor::hasDbUpdates()) { if (Froxlor::hasUpdates() || Froxlor::hasDbUpdates()) {
Response::redirectTo('admin_updates.php?page=overview'); Response::redirectTo('admin_updates.php?page=overview');
} else { } else {
if (isset($_SESSION['lastscript']) && !empty($_SESSION['lastscript'])) { if (!empty($_SESSION['lastscript'])) {
$lastscript = $_SESSION['lastscript']; $lastscript = $_SESSION['lastscript'];
unset($_SESSION['lastscript']); unset($_SESSION['lastscript']);
if (preg_match("/customer\_/", $lastscript) === 1) { if (preg_match("/customer\_/", $lastscript) === 1) {
@@ -824,7 +829,7 @@ function finishLogin($userinfo)
} }
} }
} else { } else {
if (isset($_SESSION['lastscript']) && !empty($_SESSION['lastscript'])) { if (!empty($_SESSION['lastscript'])) {
$lastscript = $_SESSION['lastscript']; $lastscript = $_SESSION['lastscript'];
unset($_SESSION['lastscript']); unset($_SESSION['lastscript']);
Response::redirectTo($lastscript, $qryparams); Response::redirectTo($lastscript, $qryparams);
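Review bot: The login page still reads `$_REQUEST['qrystr']` and stores it into the session (the lines just above the new `!empty` guards), and `finishLogin` later feeds the stored values to `Response::redirectTo($lastscript, $qryparams)` in the `else` branch shown here, so a request parameter can still shape the post-login redirect even though init.php now sets `lastscript`/`lastqrystr` in the session itself. If `$lastscript` is read from the request the same way further up (outside the hunk), a crafted login link would set the redirect target directly; the admin branch only checks for a `customer_` prefix and this branch passes the value through unchecked, so whether that reaches an arbitrary location depends on what `Response::redirectTo` does with it. Now that the hand-off happens through the session, the `$_REQUEST` reads look like leftovers and could be dropped; failing that, `$lastscript` should be reduced to `basename($lastscript)` and accepted only when it names an existing panel script, falling back to `index.php` otherwise. The body of `finishLogin` continues past the end of this hunk.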


@@ -290,7 +290,8 @@ class UI
]; ];
} }
public static function validateThemeTemplate(string $name, string $theme = "") { public static function validateThemeTemplate(string $name, string $theme = "")
{
if (empty(trim($theme))) { if (empty(trim($theme))) {
$theme = self::getTheme(); $theme = self::getTheme();
} }


@@ -181,8 +181,10 @@ if (@file_exists('templates/' . $theme . '/config.json')) {
} }
// check for existence of variant in theme // check for existence of variant in theme
if (is_array($_themeoptions) && (!array_key_exists('variants', $_themeoptions) || !array_key_exists($themevariant, if (is_array($_themeoptions) && (!array_key_exists('variants', $_themeoptions) || !array_key_exists(
$_themeoptions['variants']))) { $themevariant,
$_themeoptions['variants']
))) {
$themevariant = "default"; $themevariant = "default";
} }
@@ -216,12 +218,11 @@ UI::twig()->addGlobal('header_logo', $header_logo);
if (!CurrentUser::hasSession() && AREA != 'login') { if (!CurrentUser::hasSession() && AREA != 'login') {
unset($_SESSION['userinfo']); unset($_SESSION['userinfo']);
CurrentUser::setData(); CurrentUser::setData();
session_destroy(); $_SESSION = [
$params = [ "lastscript" => basename($_SERVER["SCRIPT_NAME"]),
"script" => basename($_SERVER["SCRIPT_NAME"]), "lastqrystr" => $_SERVER["QUERY_STRING"]
"qrystr" => $_SERVER["QUERY_STRING"]
]; ];
Response::redirectTo('index.php', $params); Response::redirectTo('index.php');
exit(); exit();
} }
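Review bot: The raw `$_SERVER["QUERY_STRING"]` stored here is not encoded the same way as the login-form path, which stores `urlencode($_REQUEST['qrystr'])`, yet `finishLogin` applies `urldecode()` to both before `parse_str()`, and `parse_str()` percent-decodes on its own; a query string containing an encoded `%26` or `%3D` is therefore decoded twice on this path and its parameters are split differently than the user originally sent them. Storing the value as `"lastqrystr" => urlencode($_SERVER["QUERY_STRING"] ?? "")` makes both paths round-trip identically and also avoids an undefined-index notice on SAPIs that do not populate `QUERY_STRING`. Dropping `session_destroy()` in favour of replacing `$_SESSION` is presumably intended so the values survive until the login completes; a one-line comment such as `// keep the (unauthenticated) session alive only to carry the return target to the login page` would record that.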