Merge pull request #60 from Vilican/master

Security fixes
David Goodwin 7 years ago committed by GitHub
commit 8bb6000072

@ -23,10 +23,10 @@
*
* fUsername
* fPassword
* token
* lang
*/
define('POSTFIXADMIN_LOGOUT', 1);
require_once('common.php');
if($CONF['configured'] !== true) {
@ -38,6 +38,9 @@ check_db_version(); # check if the database layout is up to date (and error out
if ($_SERVER['REQUEST_METHOD'] == "POST")
{
if (safepost('token') != $_SESSION['PFA_token']) die('Invalid token!');
$lang = safepost('lang');
$fUsername = trim(safepost('fUsername'));
$fPassword = safepost('fPassword');
@ -49,7 +52,7 @@ if ($_SERVER['REQUEST_METHOD'] == "POST")
$h = new AdminHandler;
if ( $h->login($fUsername, $fPassword) ) {
session_regenerate_id();
session_regenerate_id(true);
$_SESSION['sessid'] = array();
$_SESSION['sessid']['roles'] = array();
$_SESSION['sessid']['roles'][] = 'admin';
@ -82,6 +85,8 @@ if ($_SERVER['REQUEST_METHOD'] == "POST")
}
}
$_SESSION['PFA_token'] = md5(uniqid(rand(), true));
$smarty->assign ('language_selector', language_selector(), false);
$smarty->assign ('smarty_template', 'login');
$smarty->assign ('logintype', 'admin');
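Review bot: The CSRF check added at the top of the POST block compares with loose `!=`, so on a session where `PFA_token` was never set (no prior GET of this page, or a session that predates this change) a POST that omits the token passes if `safepost()` returns an empty string for a missing key, because `'' != null` is false in PHP; the comparison is also not constant-time. Use `if (empty($_SESSION['PFA_token']) || !hash_equals($_SESSION['PFA_token'], (string) safepost('token'))) die('Invalid token!');` (hash_equals needs PHP 5.6+). Separately, the token generated near the end of this section is derived from `rand()` and `uniqid()`, neither of which is cryptographically strong; `$_SESSION['PFA_token'] = bin2hex(random_bytes(16));` on PHP 7, or `bin2hex(openssl_random_pseudo_bytes(16))` on older releases, would give an unpredictable value. The POST block that holds the check continues outside the hunk.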

@ -1,8 +1,8 @@
<!-- {$smarty.template} -->
<div id="footer">
<a target="_blank" href="http://postfixadmin.sf.net/">Postfix Admin {$version}</a>
<a target="_blank" rel="noopener" href="http://postfixadmin.sf.net/">Postfix Admin {$version}</a>
<span id="update-check">&nbsp;&nbsp;&nbsp;|&nbsp;&nbsp;&nbsp;
<a target="_blank" href="http://postfixadmin.sf.net/update-check.php?version={$version|escape:"url"}">{$PALANG.check_update}</a></span>
<a target="_blank" rel="noopener" href="http://postfixadmin.sf.net/update-check.php?version={$version|escape:"url"}">{$PALANG.check_update}</a></span>
{if isset($smarty.session.sessid)}
{if $smarty.session.sessid.username}
&nbsp;&nbsp;&nbsp;|&nbsp;&nbsp;&nbsp;
@ -11,7 +11,7 @@
{/if}
{if $CONF.show_footer_text == 'YES' && $CONF.footer_link}
&nbsp;&nbsp;&nbsp;|&nbsp;&nbsp;&nbsp;
<a href="{$CONF.footer_link}">{$CONF.footer_text}</a>
<a href="{$CONF.footer_link}" rel="noopener">{$CONF.footer_text}</a>
{/if}
</div>
</div>
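Review bot: The `rel="noopener"` added to the two `target="_blank"` anchors is ignored by browsers that predate noopener support, where `rel="noreferrer"` is the fallback that also severs `window.opener`; the usual form is `rel="noopener noreferrer"` on both links. The third anchor built from `{$CONF.footer_link}` has no `target="_blank"`, so the `rel` attribute is inert there (harmless, but it suggests a reverse-tabnabbing risk that does not exist on a same-tab link). Both external links are also plain `http://`, which this change does not touch; if the project site is reachable over HTTPS, switching them avoids serving the version string and update-check request in the clear.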

@ -1,5 +1,6 @@
<div id="login">
<form name="frmLogin" method="post" action="">
<input class="flat" type="hidden" name="token" value="{$smarty.session.PFA_token|escape:"url"}" />
<table id="login_table" cellspacing="10">
<tr>
<th colspan="2">
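Review bot: The new hidden token field uses `escape:"url"`, which is the wrong escaper for an HTML attribute value; any character that URL-encoding rewrites (`+`, `/`, `=` if the token ever becomes base64 or raw random bytes) would be submitted as its percent-encoded form and fail the server-side comparison. It only works today because an md5 hex string contains nothing to encode. Use `value="{$smarty.session.PFA_token|escape:'html'}"` (the default mode of `|escape`), which is the correct context for an attribute. The rest of the form lies outside the hunk.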

@ -23,17 +23,20 @@
*
* fUsername
* fPassword
* token
* lang
*/
$rel_path = '../';
define('POSTFIXADMIN_LOGOUT', 1);
require_once("../common.php");
check_db_version(); # check if the database layout is up to date (and error out if not)
if ($_SERVER['REQUEST_METHOD'] == "POST")
{
if (safepost('token') != $_SESSION['PFA_token']) die('Invalid token!');
$lang = safepost('lang');
$fUsername = trim(safepost('fUsername'));
$fPassword = safepost('fPassword');
@ -45,7 +48,7 @@ if ($_SERVER['REQUEST_METHOD'] == "POST")
$h = new MailboxHandler();
if($h->login($fUsername, $fPassword)) {
session_regenerate_id();
session_regenerate_id(true);
$_SESSION['sessid'] = array();
$_SESSION['sessid']['roles'] = array();
$_SESSION['sessid']['roles'][] = 'user';
@ -59,6 +62,8 @@ if ($_SERVER['REQUEST_METHOD'] == "POST")
}
}
$_SESSION['PFA_token'] = md5(uniqid(rand(), true));
$smarty->assign ('language_selector', language_selector(), false);
$smarty->assign ('smarty_template', 'login');
$smarty->assign ('logintype', 'user');
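Review bot: The CSRF check inserted at the top of the POST block has the same weakness as its counterpart in the admin login.php in this PR: loose `!=` against a possibly unset `$_SESSION['PFA_token']` lets a POST with a missing token through when `safepost()` yields `''` (since `'' == null` in PHP), and the comparison is not constant-time. Replace it with `if (empty($_SESSION['PFA_token']) || !hash_equals($_SESSION['PFA_token'], (string) safepost('token'))) die('Invalid token!');` so both login paths behave identically. The token assignment at the end of this section, `md5(uniqid(rand(), true))`, should likewise move to `bin2hex(random_bytes(16))` (or `openssl_random_pseudo_bytes` on pre-7 PHP), since `rand()` and `uniqid()` are predictable. The POST block containing the check continues past the hunk boundary.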
