system: add product title to auth pages; closes #5196

While here get rid of fake HTTP response code in error page.
Need to add jQuery as well for CSRF injection.
Franco Fichtner 2021-09-06 11:00:09 +02:00
parent 4c4266045e
commit a99a6549eb
2 changed files with 18 additions and 17 deletions


@ -100,7 +100,7 @@ if (function_exists("display_error_form") && !isset($config['system']['webgui'][
if ($found_host == false) {
if (!security_checks_disabled()) {
display_error_form("501", sprintf(gettext("A potential %sDNS Rebind attack%s has been detected.%sTry to access the router by IP address instead of by hostname."), '<a href="http://en.wikipedia.org/wiki/DNS_rebinding">', '</a>', '<br />'));
display_error_form(sprintf(gettext("A potential %sDNS Rebind attack%s has been detected.%sTry to access the router by IP address instead of by hostname."), '<a href="http://en.wikipedia.org/wiki/DNS_rebinding">', '</a>', '<br />'));
exit;
}
$security_passed = false;
@ -169,7 +169,7 @@ if (function_exists("display_error_form") && !isset($config['system']['webgui'][
}
if ($found_host == false) {
if (!security_checks_disabled()) {
display_error_form('501', sprintf(
display_error_form(sprintf(
gettext('The HTTP_REFERER "%s" does not match the predefined settings. You can disable this check if needed under System: Settings: Administration.'),
html_safe($_SERVER['HTTP_REFERER'])
));
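Review bot: The DNS rebind call passes a message that already contains `<a href="http://en.wikipedia.org/wiki/DNS_rebinding">`, while display_error_form() in the other file prints its argument inside `<a href="/index.php?logout">`, so the page ends up with an anchor nested inside an anchor. That is invalid HTML and leaves the behaviour of the inner link up to the browser's error recovery; either drop the inner link from this message or have the form add the logout link only when the caller asks for it. With the fake "501" argument gone, nothing in these hunks sets a real status, so unless one is set elsewhere a rejected rebind or referer request is answered with 200. Adding `http_response_code(403);` before each `display_error_form(` call would make the rejections visible in access logs and to monitoring. Both `if` blocks continue outside the hunks.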


@ -204,7 +204,7 @@ set_language();
/*
* redirect to first allowed page if requesting a wrong url
*/
if ($_SERVER['REQUEST_URI'] == '/') {
if ($_SERVER['REQUEST_URI'] == '/') {
$page = '/index.php';
} else {
/* reconstruct page uri to use actual script location, mimic realpath() behaviour */
@ -228,7 +228,7 @@ if ($_SESSION['Username'] != 'root' && !$acl->isPageAccessible($_SESSION['Userna
header(url_safe("Location: /{$page}"));
exit;
} else {
display_error_form("201", gettext("No page assigned to this user! Click here to logout."));
display_error_form(gettext('No page assigned to this user! Click here to logout.'));
exit;
}
}
@ -236,8 +236,10 @@ if ($_SESSION['Username'] != 'root' && !$acl->isPageAccessible($_SESSION['Userna
/*
* determine if the user is allowed access to the requested page
*/
function display_error_form($http_code, $desc)
function display_error_form($text)
{
global $g;
$themename = htmlspecialchars(get_current_theme());
?><!doctype html>
@ -255,26 +257,25 @@ function display_error_form($http_code, $desc)
<meta name="copyright" content="" />
<meta name="viewport" content="width=device-width, initial-scale=1, minimum-scale=1" />
<title><?=$http_code?></title>
<title><?= gettext('Error') ?> | <?= $g['product_name'] ?></title>
<link href="<?= cache_safe("/ui/themes/{$themename}/build/css/main.css") ?>" rel="stylesheet">
<link href="<?= cache_safe("/ui/themes/{$themename}/build/images/favicon.png") ?>" rel="shortcut icon">
<script src="/ui/js/jquery-3.5.1.min.js"></script>
<!--[if lt IE 9]><script src="//cdnjs.cloudflare.com/ajax/libs/html5shiv/3.7.2/html5shiv.min.js"></script><![endif]-->
</head>
<body class="page-login">
<div id="errordesc">
<h1>&nbsp;</h1>
<a href="/index.php?logout">
<p id="errortext" style="vertical-align: middle; text-align: center;">
<span style="color: #000000; font-weight: bold;">
<?=$desc;?>
</span>
<div id=container">
<p>&nbsp;</p>
<p style="text-align: center;">
<a href="/index.php?logout"><?= $text ?></a>
</p>
</div>
</body>
</html><?php
} // end function
</html>
<?php }
function display_login_form($Login_Error)
{
@ -318,7 +319,7 @@ function display_login_form($Login_Error)
<meta name="copyright" content="" />
<meta name="viewport" content="width=device-width, initial-scale=1, minimum-scale=1" />
<title><?=gettext("Login"); ?></title>
<title><?= gettext('Login') ?> | <?= $g['product_name'] ?></title>
<link href="<?= cache_safe("/ui/themes/{$themename}/build/css/main.css") ?>" rel="stylesheet">
<link href="<?= cache_safe("/ui/themes/{$themename}/build/images/favicon.png") ?>" rel="shortcut icon">
@ -390,4 +391,4 @@ function display_login_form($Login_Error)
</body>
</html>
<?php } // end function
<?php }
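Review bot: The container line `<div id=container">` in display_error_form(), which appears to be on the new side, is missing its opening quote, so the id is parsed as `container"` and a `#container` selector will not match; it should read `<div id="container">`. The same function prints `$text` raw inside the logout anchor, so every caller has to escape request-derived parts itself, as the referer caller does with html_safe(). A docblock on the function stating `$text is trusted HTML; callers must escape untrusted values` would keep that contract visible. Both new `<title>` lines echo `$g['product_name']` unescaped; `<?= htmlspecialchars($g['product_name']) ?>` keeps them safe should the product name ever contain markup. The body of display_login_form() lies mostly outside the hunks, so whether `$g` is declared global there, as it is in display_error_form(), cannot be confirmed from this page.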