add CSRF Token on customer login

Focuslinkstech 2024-10-09 17:58:35 +01:00 committed by Ibnu Maksum
parent 9bc3ccc02b
commit 3eaa302128
No known key found for this signature in database
GPG Key ID: 7FC82848810579E5
4 changed files with 17 additions and 5 deletions


@ -26,7 +26,7 @@ switch ($do) {
//csrf token //csrf token
$csrf_token = _post('csrf_token'); $csrf_token = _post('csrf_token');
if (!Csrf::check($csrf_token)) { if (!Csrf::check($csrf_token)) {
_alert(Lang::T('Invalid CSRF Token') . ".", 'danger', "admin"); _alert(Lang::T('Invalid or Expired CSRF Token') . ".", 'danger', "admin");
} }
run_hook('admin_login'); #HOOK run_hook('admin_login'); #HOOK
if ($username != '' and $password != '') { if ($username != '' and $password != '') {


@ -5,10 +5,6 @@
* by https://t.me/ibnux * by https://t.me/ibnux
**/ **/
header("Cache-Control: no-store, no-cache, must-revalidate, max-age=0");
header("Expires: Tue, 01 Jan 2000 00:00:00 GMT");
header("Pragma: no-cache");
$maintenance_mode = $config['maintenance_mode']; $maintenance_mode = $config['maintenance_mode'];
if ($maintenance_mode == true) { if ($maintenance_mode == true) {
displayMaintenanceMessage(); displayMaintenanceMessage();
@ -28,6 +24,11 @@ switch ($do) {
case 'post': case 'post':
$username = _post('username'); $username = _post('username');
$password = _post('password'); $password = _post('password');
$csrf_token = _post('csrf_token');
if (!Csrf::check($csrf_token)) {
_msglog('e', Lang::T('Invalid or Expired CSRF Token'));
r2(U . 'login');
}
run_hook('customer_login'); #HOOK run_hook('customer_login'); #HOOK
if ($username != '' and $password != '') { if ($username != '' and $password != '') {
$d = ORM::for_table('tbl_customers')->where('username', $username)->find_one(); $d = ORM::for_table('tbl_customers')->where('username', $username)->find_one();
@ -61,6 +62,11 @@ switch ($do) {
case 'activation': case 'activation':
if (!empty(_post('voucher_only'))) { if (!empty(_post('voucher_only'))) {
$csrf_token = _post('csrf_token');
if (!Csrf::check($csrf_token)) {
_msglog('e', Lang::T('Invalid or Expired CSRF Token'));
r2(U . 'login');
}
$voucher = Text::alphanumeric(_post('voucher_only'), "-_.,"); $voucher = Text::alphanumeric(_post('voucher_only'), "-_.,");
$tur = ORM::for_table('tbl_user_recharges') $tur = ORM::for_table('tbl_user_recharges')
->where('username', $voucher) ->where('username', $voucher)
@ -293,11 +299,14 @@ switch ($do) {
} }
default: default:
run_hook('customer_view_login'); #HOOK run_hook('customer_view_login'); #HOOK
$csrf_token = Csrf::generateAndStoreToken();
if ($config['disable_registration'] == 'yes') { if ($config['disable_registration'] == 'yes') {
$ui->assign('csrf_token', $csrf_token);
$ui->assign('_title', Lang::T('Activation')); $ui->assign('_title', Lang::T('Activation'));
$ui->assign('code', alphanumeric(_get('code'), "-")); $ui->assign('code', alphanumeric(_get('code'), "-"));
$ui->display('customer/login-noreg.tpl'); $ui->display('customer/login-noreg.tpl');
} else { } else {
$ui->assign('csrf_token', $csrf_token);
$ui->assign('_title', Lang::T('Login')); $ui->assign('_title', Lang::T('Login'));
$ui->display('customer/login.tpl'); $ui->display('customer/login.tpl');
} }
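Review bot: The CSRF check added at the top of `case 'activation'` is nested inside `if (!empty(_post('voucher_only')))`, so a post from the username-plus-voucher form on login-noreg.tpl (which now also carries `csrf_token`) reaches whatever follows that `if` with the token unverified, unless that path has its own check outside the shown lines; the enclosing `switch ($do)` starts and ends outside these hunks. Hoist the five-line `$csrf_token = _post('csrf_token'); if (!Csrf::check($csrf_token)) { ... }` block above `if (!empty(_post('voucher_only'))) {` so every activation post is validated, as the `post` case already does. Separately, the hunk at line 5 drops the `Cache-Control: no-store, no-cache, must-revalidate, max-age=0`, `Expires` and `Pragma` headers from this page with no replacement visible in the commit; the login responses now embed the CSRF token in a hidden field and should stay uncacheable, so either restore those headers or note where they are set instead. `r2(U . 'login')` after `_msglog` is assumed to terminate the request; if it only emits a Location header, add `exit;` after it so the login and activation logic below does not run on a rejected token.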


@ -14,6 +14,7 @@
<div class="panel-heading">{Lang::T('Login / Activate Voucher')}</div> <div class="panel-heading">{Lang::T('Login / Activate Voucher')}</div>
<div class="panel-body"> <div class="panel-body">
<form action="{$_url}login/activation" method="post"> <form action="{$_url}login/activation" method="post">
<input type="hidden" name="csrf_token" value="{$csrf_token}">
<div class="form-group"> <div class="form-group">
<label>{if $_c['country_code_phone']!= ''}{Lang::T('Phone Number')}{else}{Lang::T('Username')}{/if}</label> <label>{if $_c['country_code_phone']!= ''}{Lang::T('Phone Number')}{else}{Lang::T('Username')}{/if}</label>
<div class="input-group"> <div class="input-group">
@ -52,6 +53,7 @@
<div class="panel-heading">{Lang::T('Activate Voucher')}</div> <div class="panel-heading">{Lang::T('Activate Voucher')}</div>
<div class="panel-body"> <div class="panel-body">
<form action="{$_url}login/activation" method="post"> <form action="{$_url}login/activation" method="post">
<input type="hidden" name="csrf_token" value="{$csrf_token}">
<div class="form-group"> <div class="form-group">
<label>{Lang::T('Enter voucher code here')}</label> <label>{Lang::T('Enter voucher code here')}</label>
<div class="input-group"> <div class="input-group">


@ -18,6 +18,7 @@
<div class="panel-heading">{Lang::T('Log in to Member Panel')}</div> <div class="panel-heading">{Lang::T('Log in to Member Panel')}</div>
<div class="panel-body"> <div class="panel-body">
<form action="{$_url}login/post" method="post"> <form action="{$_url}login/post" method="post">
<input type="hidden" name="csrf_token" value="{$csrf_token}">
<div class="form-group"> <div class="form-group">
<label>{if $_c['country_code_phone']!= ''}{Lang::T('Phone Number')}{else}{Lang::T('Username')}{/if}</label> <label>{if $_c['country_code_phone']!= ''}{Lang::T('Phone Number')}{else}{Lang::T('Username')}{/if}</label>
<div class="input-group"> <div class="input-group">