Do not expose CFG_GLPI on anonymous page

front/login.php

@@ -37,6 +37,7 @@
  * @since 0.85
  */
 
+use Glpi\Application\View\TemplateRenderer;
 use Glpi\Toolbox\Sanitizer;
 
 include('../inc/includes.php');
@@ -88,12 +89,9 @@
 if ($auth->login($login, $password, (isset($_REQUEST["noAUTO"]) ? $_REQUEST["noAUTO"] : false), $remember, $login_auth)) {
     Auth::redirectIfAuthenticated();
 } else {
-   // we have done at least a good login? No, we exit.
-    Html::nullHeader("Login", $CFG_GLPI["root_doc"] . '/index.php');
-    echo '<div class="center b">' . $auth->getErr() . '<br><br>';
-   // Logout whit noAUto to manage auto_login with errors
-    echo '<a href="' . $CFG_GLPI["root_doc"] . '/front/logout.php?noAUTO=1' .
-         str_replace("?", "&", $REDIRECT) . '">' . __('Log in again') . '</a></div>';
-    Html::nullFooter();
+    TemplateRenderer::getInstance()->display('pages/login_error.html.twig', [
+        'error'     => $auth->getErr(),
+        'login_url' => $CFG_GLPI["root_doc"] . '/front/logout.php?noAUTO=1' . str_replace("?", "&", $REDIRECT),
+    ]);
     exit();
 }

src/Html.php

@@ -6481,10 +6481,13 @@ public static function getCoreVariablesForJavascript(bool $full = false)
     {
         global $CFG_GLPI;
 
+        // prevent leak of data for non logged sessions
+        $full = $full && (Session::getLoginUserID(true) !== false);
+
         $cfg_glpi = "var CFG_GLPI  = {
-         'url_base': '" . (isset($CFG_GLPI['url_base']) ? $CFG_GLPI["url_base"] : '') . "',
-         'root_doc': '" . $CFG_GLPI["root_doc"] . "',
-      };";
+            'url_base': '" . (isset($CFG_GLPI['url_base']) ? $CFG_GLPI["url_base"] : '') . "',
+            'root_doc': '" . $CFG_GLPI["root_doc"] . "',
+        };";
 
         if ($full) {
             $debug = (isset($_SESSION['glpi_use_mode'])
@@ -6499,9 +6502,9 @@ public static function getCoreVariablesForJavascript(bool $full = false)
         $plugins_path = 'var GLPI_PLUGINS_PATH = ' . json_encode($plugins_path) . ';';
 
         return self::scriptBlock("
-         $cfg_glpi
-         $plugins_path
-      ");
+            $cfg_glpi
+            $plugins_path
+        ");
     }
 
     /**

templates/pages/login_error.html.twig

@@ -0,0 +1,57 @@
+{#
+ # ---------------------------------------------------------------------
+ #
+ # GLPI - Gestionnaire Libre de Parc Informatique
+ #
+ # http://glpi-project.org
+ #
+ # @copyright 2015-2022 Teclib' and contributors.
+ # @copyright 2003-2014 by the INDEPNET Development Team.
+ # @licence   https://www.gnu.org/licenses/gpl-3.0.html
+ #
+ # ---------------------------------------------------------------------
+ #
+ # LICENSE
+ #
+ # This file is part of GLPI.
+ #
+ # This program is free software: you can redistribute it and/or modify
+ # it under the terms of the GNU General Public License as published by
+ # the Free Software Foundation, either version 3 of the License, or
+ # (at your option) any later version.
+ #
+ # This program is distributed in the hope that it will be useful,
+ # but WITHOUT ANY WARRANTY; without even the implied warranty of
+ # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ # GNU General Public License for more details.
+ #
+ # You should have received a copy of the GNU General Public License
+ # along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ #
+ # ---------------------------------------------------------------------
+ #}
+
+{% extends 'layout/page_card_notlogged.html.twig' %}
+
+{% block content_block %}
+<div class="alert alert-warning">
+    <div class="d-flex align-items-center">
+        <div class="me-4">
+            <i class="ti ti-alert-triangle fa-2x"></i>
+        </div>
+        <div>
+            <h4 class="alert-title">
+                {{ __("Error") }}
+            </h4>
+            <div>
+                {{ error }}
+            </div>
+
+            <a href="{{ login_url }}" class="btn btn-primary mt-3">
+                <i class="ti ti-login"></i>
+                <span>{{ __('Log in again') }}</span>
+            </a>
+        </div>
+    </div>
+</div>
+{% endblock %}