From 3eaa302128289449ad06d97dd61349c886a1658b Mon Sep 17 00:00:00 2001
From: Focuslinkstech <45756999+Focuslinkstech@users.noreply.github.com>
Date: Wed, 9 Oct 2024 17:58:35 +0100
Subject: [PATCH] add CSRF Token on customer login

---
 system/controllers/admin.php | 2 +-
 system/controllers/login.php | 17 +++++++++++++----
 ui/ui/customer/login-noreg.tpl | 2 ++
 ui/ui/customer/login.tpl | 1 +
 4 files changed, 17 insertions(+), 5 deletions(-)

diff --git a/system/controllers/admin.php b/system/controllers/admin.php
index 0599f0c7..03aa16c6 100644
--- a/system/controllers/admin.php
+++ b/system/controllers/admin.php
@@ -26,7 +26,7 @@ switch ($do) {
 //csrf token
 $csrf_token = _post('csrf_token');
 if (!Csrf::check($csrf_token)) {
- _alert(Lang::T('Invalid CSRF Token') . ".", 'danger', "admin");
+ _alert(Lang::T('Invalid or Expired CSRF Token') . ".", 'danger', "admin");
 }
 run_hook('admin_login'); #HOOK
 if ($username != '' and $password != '') {
diff --git a/system/controllers/login.php b/system/controllers/login.php
index 20746630..ad9f624d 100644
--- a/system/controllers/login.php
+++ b/system/controllers/login.php
@@ -5,10 +5,6 @@
 * by https://t.me/ibnux
 **/
 
-header("Cache-Control: no-store, no-cache, must-revalidate, max-age=0");
-header("Expires: Tue, 01 Jan 2000 00:00:00 GMT");
-header("Pragma: no-cache");
-
 $maintenance_mode = $config['maintenance_mode'];
 if ($maintenance_mode == true) {
 displayMaintenanceMessage();
@@ -28,6 +24,11 @@ switch ($do) {
 case 'post':
 $username = _post('username');
 $password = _post('password');
+ $csrf_token = _post('csrf_token');
+ if (!Csrf::check($csrf_token)) {
+ _msglog('e', Lang::T('Invalid or Expired CSRF Token'));
+ r2(U . 'login');
+ }
 run_hook('customer_login'); #HOOK
 if ($username != '' and $password != '') {
 $d = ORM::for_table('tbl_customers')->where('username', $username)->find_one();
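Review bot: The rejection path in the new `case 'post'` block only calls `_msglog()` and `r2(U . 'login')` before falling through to `run_hook('customer_login')` and the credential lookup, which is safe only if `r2()` terminates the request — this hunk does not show its definition, and if it merely sends a Location header the login still proceeds with a rejected token, so an explicit terminator such as `r2(U . 'login'); exit;` would make the guard self-contained. The same pattern appears in the activation hunk of this file. Separately, the first login.php hunk drops the `Cache-Control: no-store`, `Expires` and `Pragma: no-cache` headers, which the commit subject does not explain; with a per-request CSRF token now embedded in the login page, a cached copy will resubmit a stale token and hit the new 'Invalid or Expired CSRF Token' message, and `no-store` on the credential form is also what keeps it out of shared caches. Unless those headers are now emitted elsewhere, that deletion should be reverted. The `switch ($do)` block containing these hunks begins and ends outside them.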
@@ -61,6 +62,11 @@ switch ($do) {
 case 'activation':
 if (!empty(_post('voucher_only'))) {
+ $csrf_token = _post('csrf_token');
+ if (!Csrf::check($csrf_token)) {
+ _msglog('e', Lang::T('Invalid or Expired CSRF Token'));
+ r2(U . 'login');
+ }
 $voucher = Text::alphanumeric(_post('voucher_only'), "-_.,");
 $tur = ORM::for_table('tbl_user_recharges')
 ->where('username', $voucher)
@@ -293,11 +299,14 @@ switch ($do) {
 }
 default:
 run_hook('customer_view_login'); #HOOK
+ $csrf_token = Csrf::generateAndStoreToken();
 if ($config['disable_registration'] == 'yes') {
+ $ui->assign('csrf_token', $csrf_token);
 $ui->assign('_title', Lang::T('Activation'));
 $ui->assign('code', alphanumeric(_get('code'), "-"));
 $ui->display('customer/login-noreg.tpl');
 } else {
+ $ui->assign('csrf_token', $csrf_token);
 $ui->assign('_title', Lang::T('Login'));
 $ui->display('customer/login.tpl');
 }
diff --git a/ui/ui/customer/login-noreg.tpl b/ui/ui/customer/login-noreg.tpl
index d4860a9a..ebf498b1 100644
--- a/ui/ui/customer/login-noreg.tpl
+++ b/ui/ui/customer/login-noreg.tpl
@@ -14,6 +14,7 @@
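Review bot: The CSRF check added in `case 'activation'` sits inside `if (!empty(_post('voucher_only')))`, so it guards only the voucher-only submission; the rest of the activation case runs outside this hunk, and if it handles other posted fields those paths remain unchecked (the diffstat shows two insertions in login-noreg.tpl, so more than one form may post here). Placing the check above the `if` so it runs for every activation POST would make the guard independent of which field was sent, provided no GET request is expected to reach this case. The five-line check block is also a verbatim copy of the one in `case 'post'`; a small shared helper, e.g. a new `Csrf::requireValid(U . 'login')`, would keep the redirect target and message in one place.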
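Review bot: In the `default:` branch the new `$ui->assign('csrf_token', $csrf_token);` line is duplicated in both arms of `if ($config['disable_registration'] == 'yes')`; since the token is generated once just above, the assignment belongs there too — `$csrf_token = Csrf::generateAndStoreToken();` followed by `$ui->assign('csrf_token', $csrf_token);` before the `if` — so a future third arm cannot omit it. That also leaves each arm holding only the lines that actually differ between the two views. The surrounding `switch ($do)` block closes outside the hunk.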