RanchiMall/php-mpos
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Cleaned up logic of login page csrf protection

Browse Source 
added csrf protection to register page
This commit is contained in:
xisi 2014-01-16 23:48:38 -05:00
parent 6da5510035
commit 58529547e0
5 changed files with 27 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
public/include/config/global.inc.dist.php
View File

@ -138,17 +138,20 @@ $config['twofactor']['options']['changepw'] = true;
* sitewide = Require a valid CSRF token for all forms, does not override specific form settings
* leadtime = Length of time in seconds to give as leeway between minute switches
* login = Use and check login-specific CSRF token
* register = Use and check register-specific CSRF token
*
* Default:
* enabled = true
* sitewide = true
* leadtime = 3
* login = true
* register = true
*/
$config['csrf']['enabled'] = true;
$config['csrf']['sitewide'] = true;
$config['csrf']['options']['leadtime'] = 3;
$config['csrf']['forms']['login'] = true;
$config['csrf']['forms']['register'] = true;
/**
* Lock account after maximum failed logins

8
public/include/pages/login.inc.php
View File

@ -21,6 +21,11 @@ if ($setting->getValue('recaptcha_enabled') && $setting->getValue('recaptcha_ena
}
}
// csrf if enabled
if ($config['csrf']['enabled'] && $config['csrf']['forms']['login']) {
$nocsrf = ($csrftoken->getBasic($user->getCurrentIP(), 'login') == @$_POST['ctoken']) ? 1 : 0;
}
if ($setting->getValue('maintenance') && !$user->isAdmin($user->getUserId($_POST['username']))) {
$_SESSION['POPUP'][] = array('CONTENT' => 'You are not allowed to login during maintenace.', 'TYPE' => 'info');
} else if (!empty($_POST['username']) && !empty($_POST['password'])) {
@ -52,9 +57,6 @@ if ($setting->getValue('maintenance') && !$user->isAdmin($user->getUserId($_POST
} else {
$_SESSION['POPUP'][] = array('CONTENT' => 'Unable to login: '. $user->getError(), 'TYPE' => 'errormsg');
}
} else if ($nocsrf == 0) {
$img = "<img src='site_assets/mpos/images/questionmark.png' title='Tokens are used to help us mitigate attacks; Simply login again to continue' width='20px' height='20px'>";
$_SESSION['POPUP'][] = array('CONTENT' => "Login token expired, please try again $img", 'TYPE' => 'info');
}
}
// Load login template

2
public/include/pages/register.inc.php
View File

@ -18,7 +18,7 @@ if ($setting->getValue('lock_registration') && $setting->getValue('disable_invit
$smarty->assign("CONTENT", "default.tpl");
// csrf token
if ($config['csrf']['enabled'] && $config['csrf']['forms']['register']) {
$token = $csrftoken->getBasic($user->getCurrentIP(), 'register');
$token = $csrftoken->getBasic($user->getCurrentIP(), 'register', 'mdyH');
$smarty->assign('CTOKEN', $token);
}
}

19
public/include/pages/register/register.inc.php
View File

@ -14,6 +14,12 @@ if ($setting->getValue('recaptcha_enabled') && $setting->getValue('recaptcha_ena
);
$smarty->assign("RECAPTCHA", recaptcha_get_html($setting->getValue('recaptcha_public_key'), $rsp->error, true));
if (!$rsp->is_valid) $_SESSION['POPUP'][] = array('CONTENT' => 'Invalid Captcha, please try again.', 'TYPE' => 'errormsg');
$recaptcha = ($rsp->isvalid) ? 1 : 0;
}
// csrf if enabled
if ($config['csrf']['enabled'] && $config['csrf']['forms']['register']) {
$nocsrf = ($csrftoken->getBasic($user->getCurrentIP(), 'register', 'mdyH') == $_POST['ctoken']) ? 1 : 0;
}
if ($setting->getValue('disable_invitations') && $setting->getValue('lock_registration')) {
@ -21,8 +27,12 @@ if ($setting->getValue('disable_invitations') && $setting->getValue('lock_regist
} else if ($setting->getValue('lock_registration') && !$setting->getValue('disable_invitations') && !isset($_POST['token'])) {
$_SESSION['POPUP'][] = array('CONTENT' => 'Only invited users are allowed to register.', 'TYPE' => 'errormsg');
} else {
// Check if recaptcha is enabled, process form data if valid or disabled
if ($setting->getValue('recaptcha_enabled') != 1 || $setting->getValue('recaptcha_enabled_registrations') != 1 || $rsp->is_valid) {
// Check if csrf is enabled and fail if token is invalid
if (!$nocsrf && $config['csrf']['enabled'] && $config['csrf']['forms']['register']) {
$img = "<img src='site_assets/mpos/images/questionmark.png' title='Tokens are used to help us mitigate attacks; Simply login again to continue' width='20px' height='20px'>";
$_SESSION['POPUP'][] = array('CONTENT' => "Register token expired, please try again $img", 'TYPE' => 'info');
} else if ($setting->getValue('recaptcha_enabled') != 1 || $setting->getValue('recaptcha_enabled_registrations') != 1 || $rsp->is_valid) {
// Check if recaptcha is enabled, process form data if valid or disabled
isset($_POST['token']) ? $token = $_POST['token'] : $token = '';
if ($user->register(@$_POST['username'], @$_POST['password1'], @$_POST['password2'], @$_POST['pin'], @$_POST['email1'], @$_POST['email2'], @$_POST['tac'], $token)) {
! $setting->getValue('accounts_confirm_email_disabled') ? $_SESSION['POPUP'][] = array('CONTENT' => 'Please check your mailbox to activate this account') : $_SESSION['POPUP'][] = array('CONTENT' => 'Account created, please login');
@ -34,4 +44,9 @@ if ($setting->getValue('disable_invitations') && $setting->getValue('lock_regist
// We load the default registration template instead of an action specific one
$smarty->assign("CONTENT", "../default.tpl");
// csrf token
if ($config['csrf']['enabled'] && $config['csrf']['forms']['register']) {
$token = $csrftoken->getBasic($user->getCurrentIP(), 'register', 'mdyH');
$smarty->assign('CTOKEN', $token);
}
?>

1
public/templates/mpos/register/default.tpl
View File

@ -7,6 +7,7 @@
{if $smarty.request.token|default:""}
<input type="hidden" name="token" value="{$smarty.request.token|escape}" />
{/if}
{if $GLOBAL.csrf.enabled && $GLOBAL.csrf.forms.register}<input type="hidden" name="ctoken" value="{$CTOKEN}" />{/if}
<input type="hidden" name="action" value="register">
<fieldset>
<label>Username</label>