sbrl-github/Pepperminty-Wiki
sbrl-github/Pepperminty-Wiki
1
0
Fork 0
mirror of https://github.com/sbrl/Pepperminty-Wiki.git synced 2024-11-22 16:33:00 +00:00
Code Activity

Display returnto URL above the login form if present to further mitigate CSRF issues

Browse source
This commit is contained in:
Starbeamrainbowlabs 2021-09-27 20:51:12 +01:00
parent 2e1e1d0535
commit 4f3a1c3757
Signed by: sbrl
GPG key ID: 1BE5172E637709C2
2 changed files with 5 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
Changelog.md
View file

@ -4,6 +4,9 @@ This file holds the changelog for Pepperminty Wiki. This is the master list of t
## v0.24-dev ## v0.24-dev
### Changed
- Display returnto URL above the login form if present to further mitigate CSRF issues
### Fixed ### Fixed
- [security] Fixed an XSS vulnerability in the `format` GET parameter of the `stats` action (thanks, @JamieSlome) - [security] Fixed an XSS vulnerability in the `format` GET parameter of the `stats` action (thanks, @JamieSlome)
- [security] Ensured that the `returnto` GET parameter leads you only to another place on your Pepperminty Wiki instance (thanks, @JamieSlome) - [security] Ensured that the `returnto` GET parameter leads you only to another place on your Pepperminty Wiki instance (thanks, @JamieSlome)

2
modules/page-login.php
View file

@ -53,6 +53,8 @@ register_module([
$content .= "\t\t<p><em>Login failed.</em></p>\n"; $content .= "\t\t<p><em>Login failed.</em></p>\n";
if(isset($_GET["required"])) if(isset($_GET["required"]))
$content .= "\t\t<p><em>$settings->sitename requires that you login before continuing.</em></p>\n"; $content .= "\t\t<p><em>$settings->sitename requires that you login before continuing.</em></p>\n";
if(isset($_GET["returnto"]))
$content .= "\t\t<p>Login to be redirected to <code>".htmlentities($_GET["returnto"])."</code>.</p>";
$content .= "\t\t<form method='post' action='$login_form_action_url'> $content .= "\t\t<form method='post' action='$login_form_action_url'>
<label for='user'>Username:</label> <label for='user'>Username:</label>
<input type='text' name='user' id='user' autofocus /> <input type='text' name='user' id='user' autofocus />