diff options
author | Frank Karlitschek <karlitschek@kde.org> | 2012-04-26 23:17:46 +0200 |
---|---|---|
committer | Frank Karlitschek <karlitschek@kde.org> | 2012-04-26 23:17:46 +0200 |
commit | 74b5e22a684c3095dbd48b56da1a10d955c20305 (patch) | |
tree | f4b350ac022cfe4e8935b7910470dcfbbd7a0ec5 /index.php | |
parent | d96e962fc1f5df7efec5266d34735ebcdc20b056 (diff) | |
download | nextcloud-server-74b5e22a684c3095dbd48b56da1a10d955c20305.tar.gz nextcloud-server-74b5e22a684c3095dbd48b56da1a10d955c20305.zip |
some more csrf fixes
Diffstat (limited to 'index.php')
-rw-r--r-- | index.php | 14 |
1 files changed, 7 insertions, 7 deletions
diff --git a/index.php b/index.php index b4cac1879c6..9fff459807e 100644 --- a/index.php +++ b/index.php @@ -59,10 +59,9 @@ elseif(OC_User::isLoggedIn()) { else { OC_Util::redirectToDefaultPage(); } -} // For all others cases, we display the guest page : -else { +} else { OC_App::loadApps(); $error = false; @@ -80,10 +79,9 @@ else { else { OC_User::unsetMagicInCookie(); } - } // Someone wants to log in : - elseif(isset($_POST["user"]) && isset($_POST['password'])) { + } elseif(isset($_POST["user"]) and isset($_POST['password']) and isset($_SESSION['sectoken']) and isset($_POST['sectoken']) and ($_SESSION['sectoken']==$_POST['sectoken']) ) { if(OC_User::login($_POST["user"], $_POST["password"])) { if(!empty($_POST["remember_login"])){ if(defined("DEBUG") && DEBUG) { @@ -100,9 +98,9 @@ else { } else { $error = true; } - } + // The user is already authenticated using Apaches AuthType Basic... very usable in combination with LDAP - elseif(isset($_SERVER["PHP_AUTH_USER"]) && isset($_SERVER["PHP_AUTH_PW"])){ + } elseif(isset($_SERVER["PHP_AUTH_USER"]) && isset($_SERVER["PHP_AUTH_PW"])){ if (OC_User::login($_SERVER["PHP_AUTH_USER"],$_SERVER["PHP_AUTH_PW"])) { //OC_Log::write('core',"Logged in with HTTP Authentication",OC_Log::DEBUG); OC_User::unsetMagicInCookie(); @@ -111,5 +109,7 @@ else { $error = true; } } - OC_Template::printGuestPage('', 'login', array('error' => $error, 'redirect' => isset($_REQUEST['redirect_url'])?$_REQUEST['redirect_url']:'' )); + $sectoken=rand(1000000,9999999); + $_SESSION['sectoken']=$sectoken; + OC_Template::printGuestPage('', 'login', array('error' => $error, 'sectoken' => $sectoken, 'redirect' => isset($_REQUEST['redirect_url'])?$_REQUEST['redirect_url']:'' )); } |