Protect set-password with CSRF token

This commit is contained in:
bergware
2021-08-13 20:14:11 +02:00
parent 6961e0d53f
commit f3c862cde1
+2 -1
@@ -14,7 +14,7 @@ $POST_ERROR = '';
/**
* POST handler
*/
if (!empty($_POST['password']) && !empty($_POST['confirmPassword'])) {
if (!empty($_POST['password']) && !empty($_POST['confirmPassword']) && $_POST['csrf_token']==$var['csrf_token']) {
if ($_POST['password'] !== $_POST['confirmPassword']) return $POST_ERROR = $VALIDATION_MESSAGES['mismatch'];
if (strlen($_POST['password']) > $MAX_PASS_LENGTH) return $POST_ERROR = $VALIDATION_MESSAGES['maxLength'];
@@ -347,6 +347,7 @@ $THEME_DARK = in_array($display['theme'],['black','gray']);
<p class="error"><?=_('Please also ensure you have cookies enabled')?>.</p>
</noscript>
<form action="/login" method="POST" class="js-validate w-full flex flex-col">
<input type="hidden" name="csrf_token" value="<?=$var['csrf_token']?>">
<label for="password"><?= _('Username') ?></label>
<input name="username" type="text" value="root" disabled title="<?=_('Username not changeable')?>">