diff options
Diffstat (limited to 'lib')
| -rw-r--r-- | lib/base.php | 10 | ||||
| -rw-r--r-- | lib/util.php | 3 |
2 files changed, 13 insertions, 0 deletions
diff --git a/lib/base.php b/lib/base.php index 5118f647134..1e28ea1ccfd 100644 --- a/lib/base.php +++ b/lib/base.php @@ -363,6 +363,16 @@ class OC{ self::checkInstalled(); self::checkSSL(); + // CSRF protection + if(isset($_SERVER['HTTP_REFERER'])) $referer=$_SERVER['HTTP_REFERER']; else $referer=''; + if(isset($_SERVER['HTTPS']) and $_SERVER['HTTPS']<>'') $protocol='https://'; else $protocol='http://'; + $server=$protocol.$_SERVER['SERVER_NAME']; + if(($_SERVER['REQUEST_METHOD']=='POST') and (substr($referer,0,strlen($server))<>$server)) { + $url = $protocol.$_SERVER['SERVER_NAME'].OC::$WEBROOT.'/index.php'; + header("Location: $url"); + exit(); + } + self::initSession(); self::initTemplateEngine(); self::checkUpgrade(); diff --git a/lib/util.php b/lib/util.php index 0b8ea1ec907..b30b9dfd481 100644 --- a/lib/util.php +++ b/lib/util.php @@ -253,6 +253,9 @@ class OC_Util { } else { $parameters["username"] = ''; } + $sectoken=rand(1000000,9999999); + $_SESSION['sectoken']=$sectoken; + $parameters["sectoken"] = $sectoken; OC_Template::printGuestPage("", "login", $parameters); } |