From: "Jimi Huotari" <chiitoo@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Subject: [gentoo-commits] proj/forums:origin/3.2.x commit in: phpBB/includes/, phpBB/, phpBB/styles/prosilver/template/
Date: Sat,  4 May 2019 05:20:04 +0000 (UTC)	[thread overview]
Message-ID: <1556273512.b8368980162392bf9f97496ecec18abe2bd34fad.chiitoo@gentoo> (raw)

commit:     b8368980162392bf9f97496ecec18abe2bd34fad
Author:     Derky <derky <AT> phpbb <DOT> com>
AuthorDate: Fri Apr 26 10:08:37 2019 +0000
Commit:     Jimi Huotari <chiitoo <AT> gentoo <DOT> org>
CommitDate: Fri Apr 26 10:11:52 2019 +0000
URL:        https://gitweb.gentoo.org/proj/forums.git/commit/?id=b8368980

[ticket/security/228] Add form token to login box

SECURITY-228

 phpBB/includes/functions.php                    | 19 +++++++++++++++++--
 phpBB/index.php                                 |  3 +++
 phpBB/styles/prosilver/template/index_body.html |  1 +
 phpBB/styles/prosilver/template/login_body.html |  1 +
 4 files changed, 22 insertions(+), 2 deletions(-)

diff --git a/phpBB/includes/functions.php b/phpBB/includes/functions.php
index e2ea7ad23..6df2ebaba 100644
--- a/phpBB/includes/functions.php
+++ b/phpBB/includes/functions.php
@@ -2268,6 +2268,7 @@ function login_box($redirect = '', $l_explain = '', $l_success = '', $admin = fa
 	global $request, $phpbb_container, $phpbb_dispatcher, $phpbb_log;
 
 	$err = '';
+	$form_name = 'login';
 
 	// Make sure user->setup() has been called
 	if (!$user->is_setup())
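Review bot: The literal `'login'` assigned to `$form_name` here is duplicated by the `add_form_key('login', '_LOGIN')` call in the index.php hunk of this same commit, and nothing ties the two together; if either is renamed, the token rendered on the index page will no longer validate in `check_form_key($form_name)` and every login from the index form will fail with FORM_INVALID. A comment on the assignment would make the coupling visible, e.g. `// Form name must match the one passed to add_form_key() in index.php`, or better a single shared constant used by both call sites. The enclosing function login_box starts before this hunk and continues past it.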
@@ -2343,8 +2344,19 @@ function login_box($redirect = '', $l_explain = '', $l_success = '', $admin = fa
 			trigger_error('NO_AUTH_ADMIN_USER_DIFFER');
 		}
 
-		// If authentication is successful we redirect user to previous page
-		$result = $auth->login($username, $password, $autologin, $viewonline, $admin);
+		// Check form key
+		if ($password && !check_form_key($form_name))
+		{
+			$result = array(
+				'status' => false,
+				'error_msg' => 'FORM_INVALID',
+			);
+		}
+		else
+		{
+			// If authentication is successful we redirect user to previous page
+			$result = $auth->login($username, $password, $autologin, $viewonline, $admin);
+		}
 
 		// If admin authentication and login, we will log if it was a success or not...
 		// We also break the operation on the first non-success login - it could be argued that the user already knows
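Review bot: The new token check is only applied when `$password` is truthy, so a submission with an empty password still reaches `$auth->login(...)` without a valid form key, and because this is PHP truthiness the literal password `'0'` skips the check as well. If the intent is to let the missing-password error from `$auth->login` take precedence over FORM_INVALID, the guard should compare strictly, `if ($password !== '' && !check_form_key($form_name))`, and carry a comment saying why the check is conditional; if that is not the intent, the `$password &&` condition should be dropped. The hand-built result array presumably mirrors the `status`/`error_msg` keys returned by `$auth->login`; worth confirming the code after this hunk reads only those keys. login_box's body continues outside the hunk.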
@@ -2495,6 +2507,9 @@ function login_box($redirect = '', $l_explain = '', $l_success = '', $admin = fa
 		));
 	}
 
+	// Add form token for login box
+	add_form_key($form_name, '_LOGIN');
+
 	$s_hidden_fields = build_hidden_fields($s_hidden_fields);
 
 	$login_box_template_data = array(

diff --git a/phpBB/index.php b/phpBB/index.php
index 13b914abd..5eee7723a 100644
--- a/phpBB/index.php
+++ b/phpBB/index.php
@@ -211,6 +211,9 @@ if ($show_birthdays)
 	$template->assign_block_vars_array('birthdays', $birthdays);
 }
 
+// Add form token for login box
+add_form_key('login', '_LOGIN');
+
 // Assign index specific vars
 $template->assign_vars(array(
 	'TOTAL_POSTS'	=> $user->lang('TOTAL_POSTS_COUNT', (int) $config['num_posts']),

diff --git a/phpBB/styles/prosilver/template/index_body.html b/phpBB/styles/prosilver/template/index_body.html
index b292c40eb..239a91c58 100644
--- a/phpBB/styles/prosilver/template/index_body.html
+++ b/phpBB/styles/prosilver/template/index_body.html
@@ -29,6 +29,7 @@
 			<!-- ENDIF -->
 			<input type="submit" tabindex="5" name="login" value="{L_LOGIN}" class="button2" />
 			{S_LOGIN_REDIRECT}
+			{S_FORM_TOKEN_LOGIN}
 		</fieldset>
 	</form>
 <!-- ENDIF -->

diff --git a/phpBB/styles/prosilver/template/login_body.html b/phpBB/styles/prosilver/template/login_body.html
index ef0803571..dc597af51 100644
--- a/phpBB/styles/prosilver/template/login_body.html
+++ b/phpBB/styles/prosilver/template/login_body.html
@@ -33,6 +33,7 @@
 		<!-- ENDIF -->
 
 		{S_LOGIN_REDIRECT}
+		{S_FORM_TOKEN_LOGIN}
 		<dl>
 			<dt>&nbsp;</dt>
 			<dd>{S_HIDDEN_FIELDS}<input type="submit" name="login" tabindex="6" value="{L_LOGIN}" class="button1" /></dd>

