Add CSRF token to password change page

This commit is contained in:
Joe Haig
2016-06-24 22:39:39 +01:00
parent f98af5c60b
commit 5c2492e785
3 changed files with 52 additions and 17 deletions


@@ -13,26 +13,30 @@ function Status($message, $level='success', $dismissable=true) {
function DisplayAuthConfig($username, $password){
$status = '';
if (isset($_POST['UpdateAdminPassword'])) {
if (password_verify($_POST['oldpass'], $password)) {
$new_username=trim($_POST['username']);
if ($_POST['newpass'] != $_POST['newpassagain']) {
$status = Status('New passwords do not match', 'danger');
} else if ($new_username == '') {
$status = Status('Username must not be empty', 'danger');
} else {
if ($auth_file = fopen(RASPI_ADMIN_DETAILS, 'w')) {
fwrite($auth_file, $new_username.PHP_EOL);
fwrite($auth_file, password_hash($_POST['newpass'], PASSWORD_BCRYPT).PHP_EOL);
fclose($auth_file);
$username = $new_username;
$status = Status('Admin password updated');
if (CSRFValidate()) {
if (password_verify($_POST['oldpass'], $password)) {
$new_username=trim($_POST['username']);
if ($_POST['newpass'] != $_POST['newpassagain']) {
$status = Status('New passwords do not match', 'danger');
} else if ($new_username == '') {
$status = Status('Username must not be empty', 'danger');
} else {
$status = Status('Failed to update admin password', 'danger');
if ($auth_file = fopen(RASPI_ADMIN_DETAILS, 'w')) {
fwrite($auth_file, $new_username.PHP_EOL);
fwrite($auth_file, password_hash($_POST['newpass'], PASSWORD_BCRYPT).PHP_EOL);
fclose($auth_file);
$username = $new_username;
$status = Status('Admin password updated');
} else {
$status = Status('Failed to update admin password', 'danger');
}
}
} else {
$status = Status('Old password does not match', 'danger');
}
} else {
$status = Status('Old password does not match', 'danger');
}
} else {
// Log something
}
}
?>
<div class="row">
@@ -42,6 +46,7 @@ function DisplayAuthConfig($username, $password){
<div class="panel-body">
<p><?php echo $status; ?></p>
<form role="form" action="/?page=admin_conf" method="POST">
<?php CSRFToken() ?>
<div class="row">
<div class="form-group col-md-4">
<label for="username">Username</label>
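Review bot: The new `else` branch for a failed `CSRFValidate()` holds only the placeholder `// Log something`, so a request with a missing or stale token is silently dropped and the form re-renders with an empty `$status`, which makes the failure indistinguishable from a page reload for both the user and anyone reading logs; setting `$status = Status('Invalid CSRF token', 'danger');` there gives the same feedback the other failure paths already give. The mismatch check on the new side, `if ($_POST['newpass'] != $_POST['newpassagain'])`, uses loose comparison, which treats numeric-looking strings such as `'0e1'` and `'0e2'` as equal and lets differing passwords pass; `!==` is the intended comparison. The `$_POST['oldpass']`, `newpass` and `newpassagain` reads are also unguarded, so a request with any of them absent raises an undefined-index notice before `password_verify` runs; `$_POST['oldpass'] ?? ''` or an `isset` check on all three would close that. DisplayAuthConfig continues outside these hunks.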