
Bugfix: XSS in print-user.php, CSRF in user-edit.php. Fixes #2326

GaryAllan committed Dec 1, 2018
1 parent ee5ef63 commit 552fbb0fc7ecb84bda4a131b4f290a3de9980040
@@ -133,7 +133,7 @@
</tr>
<tr>
<td><?php print _('Theme'); ?></td>
<td><?php print $user->theme=="" ? _("Default") : $user->theme ?></td>
<td><?php print $user->theme=="" ? _("Default") : escape_input($user->theme) ?></td>
</tr>
<tr>
<td><?php print _('Compress override'); ?></td>
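Review bot: The `==` against an empty string on the new line is a loose comparison, so a theme value of `0` or `"0"` also prints `Default`; a strict check is clearer: `<td><?php print $user->theme === "" ? _("Default") : escape_input($user->theme) ?></td>`. The encoding is applied only to this cell; the neighbouring rows of the same table lie outside the hunk, so whether they print other user-controlled values unescaped cannot be confirmed from here. escape_input is a project helper and is assumed to HTML-encode for body context — worth confirming, since an attribute or JavaScript context would need a different encoder.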
@@ -49,6 +49,7 @@
<?php } ?>
</tr>
</table>
<input type="hidden" name="csrf_cookie" value="<?php print $csrf; ?>">
</form>

<!-- result -->
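Review bot: The hidden field on the new line prints `$csrf` straight into an attribute value without encoding; the same pattern is added in the later `@@ -216,6 +216,7 @@` form hunk. If the token is hex or base64 this is harmless, but wrapping it keeps the template consistent with the escaping this commit introduces elsewhere: `<input type="hidden" name="csrf_cookie" value="<?php print escape_input($csrf); ?>">`. The enclosing form starts outside the hunk, so whether `$csrf` is always defined at this point cannot be checked here.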
@@ -20,6 +20,9 @@
# verify that user is logged in
$User->check_user_session();
# validate csrf cookie
$User->Crypto->csrf_cookie ("validate", "user-menu", $_POST['csrf_cookie']) === false ? $Result->show("danger", _("Invalid CSRF cookie"), true) : "";
# change ?
if(@$_POST['2fa']=="1" && $User->user->{'2fa'}=="1") {
$Result->show("info", _("No change"), true);
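Review bot: The validation line reads `$_POST['csrf_cookie']` directly, so a request that omits the field raises an undefined-index notice before the token check runs; the same line is added in the later hunk with the identical `@@ -20,6 +20,9 @@` header. Supplying a default makes a missing token fail the same way as a wrong one: `$User->Crypto->csrf_cookie ("validate", "user-menu", $_POST['csrf_cookie'] ?? '') === false ? $Result->show("danger", _("Invalid CSRF cookie"), true) : "";`. The ternary used as a statement also obscures that the failing branch is expected to stop the request — that depends on the third argument of Result::show, which is not visible here — so an `if` block with an explicit `exit` or `return` would state the intent. The enclosing handler continues past the hunk.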
@@ -216,6 +216,7 @@
</tr>

</table>
<input type="hidden" name="csrf_cookie" value="<?php print $csrf; ?>">
</form>


@@ -7,6 +7,9 @@
# verify that user is logged in
$User->check_user_session();
# create csrf token
$csrf = $User->Crypto->csrf_cookie ("create", "user-menu");
# fetch all languages
$langs = $User->fetch_langs();
@@ -20,6 +20,9 @@
# verify that user is logged in
$User->check_user_session();
# validate csrf cookie
$User->Crypto->csrf_cookie ("validate", "user-menu", $_POST['csrf_cookie']) === false ? $Result->show("danger", _("Invalid CSRF cookie"), true) : "";
# verify email
if(!filter_var($_POST['email'], FILTER_VALIDATE_EMAIL)) { $Result->show("danger alert-absolute", _('Email not valid!'), true); }
@@ -35,6 +38,11 @@
if (!$Password_check->validate ($_POST['password1'])) { $Result->show("danger alert-danger ", _('Password validation errors').":<br> - ".implode("<br> - ", $Password_check->get_errors ()), true); }
}
# Verify Theme
if (!empty($_POST['theme'])) {
if (!in_array($_POST['theme'], ['default', 'white', 'dark'])) { $Result->show("danger alert-absolute", _('Invalid theme'), true); }
}
# set override
$_POST['compressOverride'] = @$_POST['compressOverride']=="Uncompress" ? "Uncompress" : "default";
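Review bot: The `in_array` on the new theme validation passes no strict flag; for string input the loose comparison happens to behave, but `in_array($_POST['theme'], ['default', 'white', 'dark'], true)` removes any dependence on type juggling and matches the strict-comparison convention for allow-lists. The `!empty` guard also means an empty or `"0"` theme bypasses the check entirely; whether such a value is then written to the user record is decided outside this hunk, so it is worth confirming the save path treats it as "no theme". The handler continues past the hunk.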
@@ -14,6 +14,9 @@
$Result = new Result;
$User = new User ($Database);
# verify that user is logged in
$User->check_user_session();
/* save widgets */
if (!$User->self_update_widgets ($_POST['widgets'])) { $Result->show("danger", _('Error updating'),true); }
else { $Result->show("success", _('Widgets updated'),true); }
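Review bot: The new session check on this handler is not paired with a CSRF token validation, unlike the other POST handlers in this commit that now call `csrf_cookie ("validate", ...)`; the widgets update reads `$_POST['widgets']` and changes user state, so it sits in the same position the fixed handlers did. If the form that posts here carries the hidden `csrf_cookie` field, the same guard fits after the session check: `$User->Crypto->csrf_cookie ("validate", "user-menu", $_POST['csrf_cookie'] ?? '') === false ? $Result->show("danger", _("Invalid CSRF cookie"), true) : "";`. The token name must match whatever that form creates, and the form is outside this hunk, so the name used here is a placeholder to confirm. `$_POST['widgets']` is likewise read without a default.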
@@ -50,6 +50,7 @@
+ Hide SNMP community (#2197);
+ Hide LDAP/AD/Radius username / password and secret from logs and syslog (#2006);
+ XSS in phpipamredirect cookie (#2338);
+ XSS in print-user.php, CSRF in user-edit.php (#2326);

== 1.3.2
