authorLukas Reschke <lukas@statuscode.ch>2012-09-29 15:18:38 +0200
committerLukas Reschke <lukas@statuscode.ch>2012-09-29 15:18:38 +0200
commit578aa4e42546a81e572ecda2061e238d34a4f421 (patch)
tree285622f632f536cd9d4c1f3744a838eab3094fd6
parentf5fe95a1315200c7e0c08544b2aad5ef69167d7c (diff)
Removed sectoken
This token is completely useless since an attacker can easily extract it from the page.
-rw-r--r--core/templates/login.php1
-rw-r--r--lib/base.php6
-rwxr-xr-xlib/util.php3
3 files changed, 1 insertions, 9 deletions
diff --git a/core/templates/login.php b/core/templates/login.php
index 2c9b766aa4d..bedff4453b0 100644
--- a/core/templates/login.php
+++ b/core/templates/login.php
@@ -12,7 +12,6 @@
<p class="infield">
<label for="password" class="infield"><?php echo $l->t( 'Password' ); ?></label>
<input type="password" name="password" id="password" value="" required<?php echo $_['user_autofocus']?'':' autofocus'; ?> />
- <input type="hidden" name="sectoken" id="sectoken" value="<?php echo($_['sectoken']); ?>" />
</p>
<input type="checkbox" name="remember_login" value="1" id="remember_login" /><label for="remember_login"><?php echo $l->t('remember'); ?></label>
<input type="submit" id="submit" class="login" value="<?php echo $l->t( 'Log in' ); ?>" />
diff --git a/lib/base.php b/lib/base.php
index 5a2decc6f63..b89859ab2dd 100644
--- a/lib/base.php
+++ b/lib/base.php
@@ -528,11 +528,7 @@ class OC{
}
protected static function tryFormLogin() {
- if(!isset($_POST["user"])
- || !isset($_POST['password'])
- || !isset($_SESSION['sectoken'])
- || !isset($_POST['sectoken'])
- || ($_SESSION['sectoken']!=$_POST['sectoken']) ) {
+ if(!isset($_POST["user"]) || !isset($_POST['password'])) {
return false;
}
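Review bot: Dropping the sectoken comparison leaves tryFormLogin() with no check that the POST was produced by a form this server issued to the same session, so the login form is now exposed to login CSRF, and the matching removal of the token generation in lib/util.php means nothing is left to compare against. The premise in the commit message does not hold across origins: the browser's same-origin policy stops a third-party page from reading the victim's rendered login page, and a token an attacker obtains under their own session cookie will not equal the $_SESSION['sectoken'] of the victim. The removed token had a genuine weakness, rand(1000000,9999999) is neither cryptographically random nor long, but the remedy is a stronger per-session token (a CSPRNG source such as openssl_random_pseudo_bytes, or random_bytes() on PHP 7+, hex-encoded and compared with hash_equals()) kept behind the same isset guards, not deletion of the check. As a minor point of style, the surviving condition mixes `$_POST["user"]` and `$_POST['password']`; use single quotes for both. tryFormLogin's body continues outside the hunk.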
diff --git a/lib/util.php b/lib/util.php
index 15e6f2824e5..29ab2c34e96 100755
--- a/lib/util.php
+++ b/lib/util.php
@@ -314,9 +314,6 @@ class OC_Util {
$parameters["username"] = '';
$parameters['user_autofocus'] = true;
}
- $sectoken=rand(1000000,9999999);
- $_SESSION['sectoken']=$sectoken;
- $parameters["sectoken"] = $sectoken;
if (isset($_REQUEST['redirect_url'])) {
$redirect_url = OC_Util::sanitizeHTML($_REQUEST['redirect_url']);
} else {