mirror of
https://github.com/vichan-devel/vichan.git
synced 2024-12-18 02:16:03 +01:00
Merge pull request #746 from Zankaria/secure-login-triple
Rework secure_login_only configuration option to allow secure default and header checking
This commit is contained in:
commit
7899476323
@ -194,8 +194,13 @@
|
||||
// Whether or not you can access the mod cookie in JavaScript. Most users should not need to change this.
|
||||
$config['cookies']['httponly'] = true;
|
||||
|
||||
// Do not allow logins via unencrypted HTTP. If your website uses HTTPS, turn this on.
|
||||
$config['cookies']['secure_login_only'] = false;
|
||||
// Do not allow logins via unsecure connections.
|
||||
// 0 = off. Allow logins on unencrypted HTTP connections. Should only be used in testing environments.
|
||||
// 1 = on, trust HTTP headers. Allow logins on (at least reportedly partial) HTTPS connections. Use this only if you
|
||||
// use a proxy, CDN or load balancer via an unencrypted connection. Be sure to filter 'HTTP_X_FORWARDED_PROTO' in
|
||||
// the remote server, since an attacker could inject the header from the client.
|
||||
// 2 = on, do not trust HTTP headers. Secure default, allow logins only on HTTPS connections.
|
||||
$config['cookies']['secure_login_only'] = 2;
|
||||
|
||||
// Used to salt secure tripcodes ("##trip") and poster IDs (if enabled).
|
||||
$config['secure_trip_salt'] = ')(*&^%$#@!98765432190zyxwvutsrqponmlkjihgfedcba';
|
||||
|
@ -3,16 +3,14 @@ namespace Vichan\Functions\Net;
|
||||
|
||||
|
||||
/**
|
||||
* @param bool $trust_headers. If true, trust the `HTTP_X_FORWARDED_PROTO` header to check if the connection is HTTPS.
|
||||
* @return bool Returns if the client-server connection is an encrypted one (HTTPS).
|
||||
*/
|
||||
function is_connection_secure(): bool {
|
||||
function is_connection_secure(bool $trust_headers): bool {
|
||||
if (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') {
|
||||
return true;
|
||||
}
|
||||
elseif (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https') {
|
||||
} elseif ($trust_headers && isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https') {
|
||||
return true;
|
||||
}
|
||||
else {
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
@ -118,7 +118,7 @@ function setCookies(): void {
|
||||
error('setCookies() was called for a non-moderator!');
|
||||
}
|
||||
|
||||
$is_https = Net\is_connection_secure();
|
||||
$is_https = Net\is_connection_secure($config['cookies']['secure_login_only'] === 1);
|
||||
$is_path_jailed = $config['cookies']['jail'];
|
||||
$name = calc_cookie_name($is_https, $is_path_jailed, $config['cookies']['mod']);
|
||||
|
||||
@ -235,7 +235,7 @@ function make_secure_link_token(string $uri): string {
|
||||
function check_login(bool $prompt = false): void {
|
||||
global $config, $mod;
|
||||
|
||||
$is_https = Net\is_connection_secure();
|
||||
$is_https = Net\is_connection_secure($config['cookies']['secure_login_only'] === 1);
|
||||
$is_path_jailed = $config['cookies']['jail'];
|
||||
$expected_cookie_name = calc_cookie_name($is_https, $is_path_jailed, $config['cookies']['mod']);
|
||||
|
||||
|
@ -35,7 +35,8 @@ function mod_login($redirect = false) {
|
||||
|
||||
$args = [];
|
||||
|
||||
if ($config['cookies']['secure_login_only'] && !Net\is_connection_secure()) {
|
||||
$secure_login_mode = $config['cookies']['secure_login_only'];
|
||||
if ($secure_login_mode !== 0 && !Net\is_connection_secure($secure_login_mode === 1)) {
|
||||
$args['error'] = $config['error']['insecure'];
|
||||
} elseif (isset($_POST['login'])) {
|
||||
// Check if inputs are set and not empty
|
||||
|
Loading…
Reference in New Issue
Block a user