login: regenerate sessiono token on login; make returnto sanitisation more intelligent
This commit is contained in:
parent
4f3a1c3757
commit
fa407ce99d
2 changed files with 12 additions and 6 deletions
|
@ -6,12 +6,14 @@ This file holds the changelog for Pepperminty Wiki. This is the master list of t
|
||||||
|
|
||||||
### Changed
|
### Changed
|
||||||
- Display returnto URL above the login form if present to further mitigate CSRF issues
|
- Display returnto URL above the login form if present to further mitigate CSRF issues
|
||||||
|
- Improve `returnto` sanitisation to be more intelligent
|
||||||
|
|
||||||
### Fixed
|
### Fixed
|
||||||
- [security] Fixed an XSS vulnerability in the `format` GET parameter of the `stats` action (thanks, @JamieSlome)
|
- [security] Fixed an XSS vulnerability in the `format` GET parameter of the `stats` action (thanks, @JamieSlome)
|
||||||
- [security] Ensured that the `returnto` GET parameter leads you only to another place on your Pepperminty Wiki instance (thanks, @JamieSlome)
|
- [security] Ensured that the `returnto` GET parameter leads you only to another place on your Pepperminty Wiki instance (thanks, @JamieSlome)
|
||||||
- [security] Ensure that Javascript in SVGs never gets executed (it's too challenging to strip it, since it could be lurking in many different places - according to [this answer](https://stackoverflow.com/a/68505306/1460422) even Inkscape doesn't strip all Javascript when asked to)
|
- [security] Ensure that Javascript in SVGs never gets executed (it's too challenging to strip it, since it could be lurking in many different places - according to [this answer](https://stackoverflow.com/a/68505306/1460422) even Inkscape doesn't strip all Javascript when asked to)
|
||||||
- [security] Fixed XSS when the `action` GET param doesn't match a known action
|
- [security] Fixed XSS when the `action` GET param doesn't match a known action
|
||||||
|
- [security] Further avoid session fixation attacks by regenerating session ids after login (session cookies are already marked as `HttpOnly`)
|
||||||
|
|
||||||
|
|
||||||
## v0.23
|
## v0.23
|
||||||
|
|
|
@ -5,7 +5,7 @@
|
||||||
|
|
||||||
register_module([
|
register_module([
|
||||||
"name" => "Login",
|
"name" => "Login",
|
||||||
"version" => "0.9.6",
|
"version" => "0.9.7",
|
||||||
"author" => "Starbeamrainbowlabs",
|
"author" => "Starbeamrainbowlabs",
|
||||||
"description" => "Adds a pair of actions (login and checklogin) that allow users to login. You need this one if you want your users to be able to login.",
|
"description" => "Adds a pair of actions (login and checklogin) that allow users to login. You need this one if you want your users to be able to login.",
|
||||||
"id" => "page-login",
|
"id" => "page-login",
|
||||||
|
@ -125,6 +125,11 @@ register_module([
|
||||||
|
|
||||||
// Success! :D
|
// Success! :D
|
||||||
|
|
||||||
|
// Avoid a session fixation attack
|
||||||
|
// Ref https://guides.codepath.com/websecurity/Session-Fixation
|
||||||
|
session_regenerate_id(true);
|
||||||
|
|
||||||
|
|
||||||
// Update the environment
|
// Update the environment
|
||||||
$env->is_logged_in = true;
|
$env->is_logged_in = true;
|
||||||
$env->user = $user;
|
$env->user = $user;
|
||||||
|
@ -155,12 +160,11 @@ register_module([
|
||||||
$_SESSION["$settings->sessionprefix-expiretime"] = time() + 60*60*24*30; // 30 days from now
|
$_SESSION["$settings->sessionprefix-expiretime"] = time() + 60*60*24*30; // 30 days from now
|
||||||
|
|
||||||
$returnto_redirect = $_GET["returnto"];
|
$returnto_redirect = $_GET["returnto"];
|
||||||
if(strpos($returnto_redirect, "?") === false) {
|
|
||||||
http_response_code(400);
|
$returnto_parsed = parse_url($returnto_redirect);
|
||||||
exit(page_renderer::render_main("Login error - $settings->sitename", "<p>Your credentials were correct, but the 'returnto' URL specified (in the <code>returnto</code> GET parameter) did not contain a question mark. To protect you from being redirected to another site, $settings->sitename only allows redirects that do not leave $settings->sitename.</p>"));
|
|
||||||
}
|
|
||||||
// Ensure that this redirect takes to only somewhere else in this site
|
// Ensure that this redirect takes to only somewhere else in this site
|
||||||
$returnto_redirect = substr($returnto_redirect, strpos($returnto_redirect, "?"));
|
$returnto_redirect = "?{$returnto_parsed["query"]}";
|
||||||
|
|
||||||
// Redirect to wherever the user was going
|
// Redirect to wherever the user was going
|
||||||
http_response_code(302);
|
http_response_code(302);
|
||||||
|
|
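Review bot: In the returnto hunk, `$returnto_parsed["query"]` is read without checking that `parse_url()` succeeded or that a query component exists, so a `returnto` with no `?`, or a malformed value for which `parse_url()` returns `false`, now raises a PHP notice/warning and silently redirects to a bare `?`, where the removed branch answered with a 400 and an explanation. Guard the lookup, e.g. `$returnto_query = (is_array($returnto_parsed) && isset($returnto_parsed["query"])) ? $returnto_parsed["query"] : "";` followed by `$returnto_redirect = "?$returnto_query";`, and decide explicitly whether a missing query should fall back to the wiki root or keep the old 400 response. Keeping only the query string does confine the redirect to the current page path, which is the property the commit is after, but that intent deserves a comment so a later edit does not reintroduce the host or path: `// Keep only the query string so the Location target is always relative to this page and can never name another host`. The enclosing checklogin handler starts and ends outside the hunk, and the hunk header counts 11 new lines while only 9 are visible in this rendering, so I may not be seeing every added line; the `session_regenerate_id(true)` call in the earlier hunk is placed before the new `$_SESSION` values are written, which is the right order for the fixation fix.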