Tested CSRF fix for custom ports - it's working, also removed unnecessary logging.
anuko committed Apr 12, 2021
1 parent e77be7e commit e3f8222
Showing 3 changed files with 3 additions and 6 deletions.
2 changes: 1 addition & 1 deletion WEB-INF/config.php.dist
Expand Up @@ -165,7 +165,7 @@ define('AUTH_MODULE', 'db');

// HTTP_TARGET - defines http target for cross site request forgery protection.
// It can be used when you access the application via a proxy.
// define('HTTP_TARGET', 'localhost');
// define('HTTP_TARGET', 'localhost:8080');


// Group managers can set monthly work hour quota for years between the following values.
5 changes: 1 addition & 4 deletions WEB-INF/lib/common.lib.php
Expand Up @@ -414,15 +414,12 @@ function ttMitigateCSRF() {
$origin = substr($origin, 0, $pos); // Leave host only.
}
}
error_log("origin: ".$origin);
$target = defined('HTTP_TARGET') ? HTTP_TARGET : $_SERVER['HTTP_HOST'];
error_log("target: ".$target);
if (strcmp($origin, $target)) {
error_log("Potential cross site request forgery. Origin: '$origin' does not match target: '$target'.");
return false; // Origin and target do not match,
return false; // Origin and target do not match.
}

// TODO: review and improve this function for custom ports.
return true;
}
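Review bot: Removing the error_log on the rejection path (the "Potential cross site request forgery" line immediately before `return false`) leaves no record that a request was refused, which an operator needs to tell a genuine CSRF attempt apart from a misconfigured HTTP_TARGET behind a proxy; the two origin/target debug lines are reasonable to drop, but keep one entry at the rejection, e.g. `error_log("CSRF check failed: origin '$origin' does not match target '$target'.");`. On this rendered page the four deletions cannot be assigned with certainty between the three error_log lines and the remaining TODO, so confirm which lines actually went. Separately, `strcmp` compares the hosts case-sensitively although hostnames are case-insensitive; `if (strcasecmp($origin, $target) !== 0)` avoids a spurious rejection when Origin and Host differ only in case. ttMitigateCSRF begins before this hunk, so the derivation of $origin was not reviewed here.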

2 changes: 1 addition & 1 deletion initialize.php
Expand Up @@ -13,7 +13,7 @@
ini_set('display_errors', 'Off');

// require_once('init_auth.php');
define("APP_VERSION", "1.19.27.5431");
define("APP_VERSION", "1.19.27.5432");
define("APP_DIR", dirname(__FILE__));
define("LIBRARY_DIR", APP_DIR."/WEB-INF/lib");
define("TEMPLATE_DIR", APP_DIR."/WEB-INF/templates");
