sbrl-github/Pepperminty-Wiki
sbrl-github
/
Pepperminty-Wiki
mirror of https://github.com/sbrl/Pepperminty-Wiki.git
1
0
Fork 0
Code

Display returnto URL above the login form if present to further mitigate CSRF issues

This commit is contained in:
Starbeamrainbowlabs 2021-09-27 20:51:12 +01:00
parent 2e1e1d0535
commit 4f3a1c3757
Signed by: sbrl
GPG Key ID: 1BE5172E637709C2
2 changed files with 5 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
Changelog.md
View File

@ -4,6 +4,9 @@ This file holds the changelog for Pepperminty Wiki. This is the master list of t
## v0.24-dev
### Changed
- Display returnto URL above the login form if present to further mitigate CSRF issues
### Fixed
- [security] Fixed an XSS vulnerability in the `format` GET parameter of the `stats` action (thanks, @JamieSlome)
- [security] Ensured that the `returnto` GET parameter leads you only to another place on your Pepperminty Wiki instance (thanks, @JamieSlome)

2
modules/page-login.php
View File

@ -53,6 +53,8 @@ register_module([
$content .= "\t\t<p><em>Login failed.</em></p>\n";
if(isset($_GET["required"]))
$content .= "\t\t<p><em>$settings->sitename requires that you login before continuing.</em></p>\n";
if(isset($_GET["returnto"]))
$content .= "\t\t<p>Login to be redirected to <code>".htmlentities($_GET["returnto"])."</code>.</p>";
$content .= "\t\t<form method='post' action='$login_form_action_url'>
<label for='user'>Username:</label>
<input type='text' name='user' id='user' autofocus />