diff options
author | Lukas Reschke <lukas@statuscode.ch> | 2012-09-29 15:18:38 +0200 |
---|---|---|
committer | Lukas Reschke <lukas@statuscode.ch> | 2012-09-29 15:18:38 +0200 |
commit | 578aa4e42546a81e572ecda2061e238d34a4f421 (patch) | |
tree | 285622f632f536cd9d4c1f3744a838eab3094fd6 | |
parent | f5fe95a1315200c7e0c08544b2aad5ef69167d7c (diff) | |
download | nextcloud-server-578aa4e42546a81e572ecda2061e238d34a4f421.tar.gz nextcloud-server-578aa4e42546a81e572ecda2061e238d34a4f421.zip |
Removed sectoken
This token is completly useless since an attacker can easily extract it
from the page.
-rw-r--r-- | core/templates/login.php | 1 | ||||
-rw-r--r-- | lib/base.php | 6 | ||||
-rwxr-xr-x | lib/util.php | 3 |
3 files changed, 1 insertions, 9 deletions
diff --git a/core/templates/login.php b/core/templates/login.php index 2c9b766aa4d..bedff4453b0 100644 --- a/core/templates/login.php +++ b/core/templates/login.php @@ -12,7 +12,6 @@ <p class="infield"> <label for="password" class="infield"><?php echo $l->t( 'Password' ); ?></label> <input type="password" name="password" id="password" value="" required<?php echo $_['user_autofocus']?'':' autofocus'; ?> /> - <input type="hidden" name="sectoken" id="sectoken" value="<?php echo($_['sectoken']); ?>" /> </p> <input type="checkbox" name="remember_login" value="1" id="remember_login" /><label for="remember_login"><?php echo $l->t('remember'); ?></label> <input type="submit" id="submit" class="login" value="<?php echo $l->t( 'Log in' ); ?>" /> diff --git a/lib/base.php b/lib/base.php index 5a2decc6f63..b89859ab2dd 100644 --- a/lib/base.php +++ b/lib/base.php @@ -528,11 +528,7 @@ class OC{ } protected static function tryFormLogin() { - if(!isset($_POST["user"]) - || !isset($_POST['password']) - || !isset($_SESSION['sectoken']) - || !isset($_POST['sectoken']) - || ($_SESSION['sectoken']!=$_POST['sectoken']) ) { + if(!isset($_POST["user"]) || !isset($_POST['password'])) { return false; } diff --git a/lib/util.php b/lib/util.php index 15e6f2824e5..29ab2c34e96 100755 --- a/lib/util.php +++ b/lib/util.php @@ -314,9 +314,6 @@ class OC_Util { $parameters["username"] = ''; $parameters['user_autofocus'] = true; } - $sectoken=rand(1000000,9999999); - $_SESSION['sectoken']=$sectoken; - $parameters["sectoken"] = $sectoken; if (isset($_REQUEST['redirect_url'])) { $redirect_url = OC_Util::sanitizeHTML($_REQUEST['redirect_url']); } else { |