mirror of
https://github.com/vichan-devel/vichan.git
synced 2024-11-24 07:30:10 +01:00
auth.php: disallow unencrypted logins by default
This commit is contained in:
parent
0c51d46cdf
commit
da4842eb7b
@ -33,6 +33,7 @@
|
||||
"inc/lock.php",
|
||||
"inc/queue.php",
|
||||
"inc/functions.php",
|
||||
"inc/functions/net.php",
|
||||
"inc/driver/http-driver.php",
|
||||
"inc/driver/log-driver.php",
|
||||
"inc/service/captcha-queries.php"
|
||||
|
@ -194,6 +194,10 @@
|
||||
// Whether or not you can access the mod cookie in JavaScript. Most users should not need to change this.
|
||||
$config['cookies']['httponly'] = true;
|
||||
|
||||
// Do not allow logins via unencrypted HTTP. Should only be changed in testing environments or if you connect to a
|
||||
// load-balancer without encryption.
|
||||
$config['cookies']['secure_login_only'] = true;
|
||||
|
||||
// Used to salt secure tripcodes ("##trip") and poster IDs (if enabled).
|
||||
$config['secure_trip_salt'] = ')(*&^%$#@!98765432190zyxwvutsrqponmlkjihgfedcba';
|
||||
|
||||
@ -1252,6 +1256,7 @@
|
||||
// Moderator errors
|
||||
$config['error']['toomanyunban'] = _('You are only allowed to unban %s users at a time. You tried to unban %u users.');
|
||||
$config['error']['invalid'] = _('Invalid username and/or password.');
|
||||
$config['error']['insecure'] = _('Login on insecure connections is disabled.');
|
||||
$config['error']['notamod'] = _('You are not a mod…');
|
||||
$config['error']['invalidafter'] = _('Invalid username and/or password. Your user may have been deleted or changed.');
|
||||
$config['error']['malformed'] = _('Invalid/malformed cookies.');
|
||||
|
10
inc/functions/net.php
Normal file
10
inc/functions/net.php
Normal file
@ -0,0 +1,10 @@
|
||||
<?php
|
||||
namespace Vichan\Functions\Net;
|
||||
|
||||
|
||||
/**
|
||||
* @return bool Returns if the client-server connection is an encrypted one (HTTPS).
|
||||
*/
|
||||
function is_connection_secure(): bool {
|
||||
return !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] != 'off';
|
||||
}
|
@ -4,6 +4,8 @@
|
||||
* Copyright (c) 2010-2013 Tinyboard Development Group
|
||||
*/
|
||||
|
||||
use Vichan\Functions\Net;
|
||||
|
||||
defined('TINYBOARD') or exit;
|
||||
|
||||
// create a hash/salt pair for validate logins
|
||||
@ -118,7 +120,7 @@ function setCookies() {
|
||||
error('setCookies() was called for a non-moderator!');
|
||||
}
|
||||
|
||||
$is_https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] != 'off';
|
||||
$is_https = Net\is_connection_secure();
|
||||
$is_path_jailed = $config['cookies']['jail'];
|
||||
$name = calc_cookie_name($is_https, $is_path_jailed, $config['cookies']['mod']);
|
||||
|
||||
@ -229,7 +231,8 @@ function make_secure_link_token($uri) {
|
||||
|
||||
function check_login($prompt = false) {
|
||||
global $config, $mod;
|
||||
$is_https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] != 'off';
|
||||
|
||||
$is_https = Net\is_connection_secure();
|
||||
$is_path_jailed = $config['cookies']['jail'];
|
||||
$expected_cookie_name = calc_cookie_name($is_https, $is_path_jailed, $config['cookies']['mod']);
|
||||
|
||||
|
@ -4,8 +4,11 @@
|
||||
* Copyright (c) 2010-2013 Tinyboard Development Group
|
||||
*/
|
||||
|
||||
use Vichan\Functions\Net;
|
||||
|
||||
defined('TINYBOARD') or exit;
|
||||
|
||||
|
||||
function mod_page($title, $template, $args, $subtitle = false) {
|
||||
global $config, $mod;
|
||||
|
||||
@ -29,9 +32,11 @@ function mod_page($title, $template, $args, $subtitle = false) {
|
||||
function mod_login($redirect = false) {
|
||||
global $config;
|
||||
|
||||
$args = array();
|
||||
$args = [];
|
||||
|
||||
if (isset($_POST['login'])) {
|
||||
if ($config['cookies']['secure_login_only'] && !Net\is_connection_secure()) {
|
||||
$args['error'] = $config['error']['insecure'];
|
||||
} elseif (isset($_POST['login'])) {
|
||||
// Check if inputs are set and not empty
|
||||
if (!isset($_POST['username'], $_POST['password']) || $_POST['username'] == '' || $_POST['password'] == '') {
|
||||
$args['error'] = $config['error']['invalid'];
|
||||
|
Loading…
Reference in New Issue
Block a user