Skip to content

Commit

Permalink
Browse files Browse the repository at this point in the history
Minor security improvements (#3034)
* Prevent iframe jacking
* Enforce nonce on admin login screen
  • Loading branch information
ozh committed Aug 24, 2021
1 parent 190d4ba commit 0a70acd
Show file tree
Hide file tree
Showing 4 changed files with 33 additions and 1 deletion.
1 change: 1 addition & 0 deletions admin/admin-ajax.php
Expand Up @@ -7,6 +7,7 @@
// This file will output a JSON string
yourls_content_type_header( 'application/json' );
yourls_no_cache_headers();
yourls_no_frame_header();

if( !isset( $_REQUEST['action'] ) )
die();
Expand Down
6 changes: 6 additions & 0 deletions includes/functions-auth.php
Expand Up @@ -122,6 +122,12 @@ function yourls_is_valid_user() {
*/
function yourls_check_username_password() {
global $yourls_user_passwords;

// If login form (not API), check for nonce
if(!yourls_is_API()) {
yourls_verify_nonce('admin_login');
}

if( isset( $yourls_user_passwords[ $_REQUEST['username'] ] ) && yourls_check_password_hash( $_REQUEST['username'], $_REQUEST['password'] ) ) {
yourls_set_user( $_REQUEST['username'] );
return true;
Expand Down
2 changes: 2 additions & 0 deletions includes/functions-html.php
Expand Up @@ -59,6 +59,7 @@ function yourls_html_head( $context = 'index', $title = '' ) {
// Force no cache for all admin pages
if( yourls_is_admin() && !headers_sent() ) {
yourls_no_cache_headers();
yourls_no_frame_header();
yourls_content_type_header( yourls_apply_filter( 'html_head_content-type', 'text/html' ) );
yourls_do_action( 'admin_headers', $context, $title );
}
Expand Down Expand Up @@ -725,6 +726,7 @@ function yourls_login_screen( $error_msg = '' ) {
yourls_do_action( 'login_form_bottom' );
?>
<p style="text-align: right;">
<?php yourls_nonce_field('admin_login'); ?>
<input type="submit" id="submit" name="submit" value="<?php yourls_e( 'Login' ); ?>" class="button" />
</p>
<?php
Expand Down
25 changes: 24 additions & 1 deletion includes/functions.php
Expand Up @@ -276,7 +276,30 @@ function yourls_no_cache_headers() {
}

/**
* Send a filerable content type header
* Send header to prevent display within a frame from another site (avoid clickjacking)
*
* This header makes it impossible for an external site to display YOURLS admin within a frame,
* which allows for clickjacking.
* See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
* This said, the whole function is shuntable : legit uses of iframes should be still possible.
*
* @since 1.8.1
* @return void|mixed
*/
function yourls_no_frame_header() {
// Allow plugins to short-circuit the whole function
$pre = yourls_apply_filter( 'shunt_no_frame_header', false );
if ( false !== $pre ) {
return $pre;
}

if( !headers_sent() ) {
header( 'X-Frame-Options: SAMEORIGIN' );
}
}

/**
* Send a filterable content type header
*
* @since 1.7
* @param string $type content type ('text/html', 'application/json', ...)
Expand Down

0 comments on commit 0a70acd

Please sign in to comment.