fix: for issue #584
David McReynolds committed Aug 10, 2021
1 parent 15934fd commit 6164cd7
Showing 2 changed files with 34 additions and 7 deletions.
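--- a/fuel/modules/fuel/controllers/Login.php
+++ b/fuel/modules/fuel/controllers/Login.php
@@ -1,9 +1,10 @@
 <?php
-class Login extends CI_Controller {
+require_once(FUEL_PATH.'/libraries/Fuel_base_controller.php');
+class Login extends Fuel_base_controller {
 
 public function __construct()
 {
-parent::__construct();
+parent::__construct(false);
 
 // for flash data
 $this->load->library('session');
@@ -68,8 +69,14 @@ public function index()
 
 if ( ! empty($_POST))
 {
+// XSS key check
+if (!$this->_is_valid_csrf())
+{
+add_error(lang('error_csrf'));
+}
+
 // check if they are locked out out or not
-if (isset($user_data['failed_login_timer']) AND (time() - $user_data['failed_login_timer']) < (int)$this->fuel->config('seconds_to_unlock'))
+elseif (isset($user_data['failed_login_timer']) AND (time() - $user_data['failed_login_timer']) < (int)$this->fuel->config('seconds_to_unlock'))
 {
 $this->fuel_users_model->add_error(lang('error_max_attempts', $this->fuel->config('seconds_to_unlock')));
 $user_data['failed_login_timer'] = time();
@@ -134,6 +141,8 @@ public function index()
 $this->form_builder->set_fields($fields);
 $this->form_builder->remove_js();
 if (!empty($_POST)) $this->form_builder->set_field_values($this->input->post(NULL, TRUE));
+$this->_prep_csrf();
+
 $vars['form'] = $this->form_builder->render();
 
 // set any errors that
@@ -170,7 +179,12 @@ public function pwd_reset()
 
 if ( ! empty($_POST))
 {
-if (isset($user_data['failed_login_timer']) AND (time() - $user_data['failed_login_timer']) < (int)$this->fuel->config('seconds_to_unlock'))
+// XSS key check
+if (!$this->_is_valid_csrf())
+{
+add_error(lang('error_csrf'));
+}
+elseif (isset($user_data['failed_login_timer']) AND (time() - $user_data['failed_login_timer']) < (int)$this->fuel->config('seconds_to_unlock'))
 {
 $this->fuel_users_model->add_error(lang('error_max_attempts', $this->fuel->config('seconds_to_unlock')));
 $user_data['failed_login_timer'] = time();
@@ -238,6 +252,7 @@ public function pwd_reset()
 
 $this->form_builder->show_required = FALSE;
 $this->form_builder->set_fields($fields);
+$this->_prep_csrf();
 
 $vars['form'] = $this->form_builder->render();
 
@@ -308,7 +323,12 @@ public function reset_password()
 
 if ( ! empty($_POST))
 {
-if ($this->input->post('email') && $this->input->post('password') && $this->input->post('password_confirm') && $this->input->post('_token'))
+// XSS key check
+if (!$this->_is_valid_csrf())
+{
+add_error(lang('error_csrf'));
+}
+elseif ($this->input->post('email') && $this->input->post('password') && $this->input->post('password_confirm') && $this->input->post('_token'))
 {
 $this->load->library('user_agent');
 
@@ -351,6 +371,7 @@ public function reset_password()
 
 $this->form_builder->show_required = FALSE;
 $this->form_builder->set_fields($fields);
+$this->_prep_csrf();
 
 $vars['form'] = $this->form_builder->render();
 
@@ -368,7 +389,12 @@ public function dev()
 
 if ( ! empty($_POST))
 {
-if ( ! $this->fuel->config('dev_password'))
+// XSS key check
+if (!$this->_is_valid_csrf())
+{
+add_error(lang('error_csrf'));
+}
+elseif ( ! $this->fuel->config('dev_password'))
 {
 redirect('');
 }
@@ -391,8 +417,8 @@ public function dev()
 $this->form_builder->show_required = FALSE;
 $this->form_builder->submit_value = 'Login';
 $this->form_builder->set_fields($fields);
-
 if ( ! empty($_POST)) $this->form_builder->set_field_values($this->input->post(NULL, TRUE));
+$this->_prep_csrf();
 
 $vars['form'] = $this->form_builder->render();
 $vars['notifications'] = $this->load->module_view(FUEL_FOLDER, '_blocks/notifications', $vars, TRUE);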
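Review bot: The comment `// XSS key check` added above each `_is_valid_csrf()` call mislabels the control — `_is_valid_csrf()` and `lang('error_csrf')` concern cross-site request forgery, not cross-site scripting — so it should read `// CSRF token check (token is emitted into the form by _prep_csrf())`. In `dev()`, the new check is ordered before `elseif ( ! $this->fuel->config('dev_password'))`, so a POST carrying a bad token when no dev password is configured now records an error and continues to render the form instead of hitting the unconditional `redirect('')` it reached before; putting the `dev_password` guard first keeps that redirect unconditional. Each rewritten `if` now heads an `elseif` chain whose remaining branches lie outside the hunk — the bodies of `index()`, `pwd_reset()`, `reset_password()` and `dev()` all continue past what is shown — so a CSRF failure only short-circuits the credential or reset logic if those later branches are also `elseif`/`else` rather than fresh `if` statements. Whether `_is_valid_csrf()` compares the posted token to the session token in constant time (`hash_equals`) and whether `parent::__construct(false)` skips the base controller's authentication check are not visible here and are worth confirming in `Fuel_base_controller`.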
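--- a/fuel/modules/fuel/language/english/fuel_lang.php
+++ b/fuel/modules/fuel/language/english/fuel_lang.php
@@ -23,6 +23,7 @@
 $lang['error_max_attempts'] = 'Sorry, but your login information was incorrect and you are temporarily locked out. Please try again in %s seconds.';
 $lang['error_empty_user_pwd'] = 'Please enter in a user name and password.';
 $lang['error_pwd_reset'] = 'There was an error in resetting your password.';
+$lang['error_csrf'] = 'Invalid submission.';
 
 $lang['error_pwd_too_short'] = 'Password entered does not meet the %1s character min length requirement.';
 $lang['error_pwd_too_long'] = 'Password entered exceeds the %1s character max length requirement.';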