Remediate injection on internal auth login

2021-08-05 21:15:59 -04:00 · 2021-08-05 21:15:59 -04:00 · 11657016ad
commit 11657016ad
parent 8c3cc16d5d
2 changed files with 6 additions and 6 deletions
--- a/js/pdfmake.min.js
+++ b/js/pdfmake.min.js
--- a/login.php
+++ b/login.php
@ -84,8 +84,8 @@
      header("X-Frame-Options: SAMEORIGIN");
      header("X-Content-Type-Options: nosniff");
      //header("Content-Security-Policy: script-src 'self' 'unsafe-inline'; script-src-elem 'self'; script-src-attr 'self'; style-src 'self'; style-src-elem 'self'; style-src-attr 'self'; img-src 'self'; connect-src 'self'; frame-src 'self'; font-src 'self'; media-src 'self'; object-src 'self'; manifest-src 'self'; worker-src 'self'; prefetch-src 'self'; form-action 'self'; frame-ancestors 'self'; default-src 'self'", false);
-      if (!empty($_GET['a'])) {
-        echo '<pre>' . print_r($_POST, true) . '</pre>';
+      if (!empty(filter_input(INPUT_GET, 'a', FILTER_SANITIZE_SPECIAL_CHARS))) {
+        //echo '<pre>' . print_r($_POST, true) . '</pre>';
        echo 'Verification has been : ' . (Csrf::verifyToken('home') ? 'successful' : 'unsuccessful');
      }
    ?>
@ -97,9 +97,9 @@
 require_once("src/Misc/PasswordHash.php");
 $hasher = new PasswordHash(8, FALSE);
 // compare if posted
-if (!empty($_POST)):
-    $user = $Users->loginUser($_POST['username']);
-    if ($user && $user[0]["users_password"] == $hasher->CheckPassword($_POST['password'], $user[0]["users_password"])):
+if (!empty(filter_input(INPUT_POST, 'username', FILTER_SANITIZE_SPECIAL_CHARS))):
+    $user = $Users->loginUser(filter_input(INPUT_POST, 'username', FILTER_SANITIZE_SPECIAL_CHARS));
+    if ($user && $user[0]["users_password"] == $hasher->CheckPassword(filter_input(INPUT_POST, 'password', FILTER_SANITIZE_SPECIAL_CHARS), $user[0]["users_password"])):
        session_regenerate_id();
        $_SESSION['user_id']   = $user[0]["users_id"];
        $_SESSION['loggedIn']  = TRUE;