Point808/LobbySIO
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Remediate other vulns

Browse Source
This commit is contained in:
Josh North 2021-08-09 12:08:40 -04:00
parent c54436b432
commit 8b1557bdb1
3 changed files with 15 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
css/index.php
View File

@ -15,4 +15,11 @@
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
ini_set('session.gc_maxlifetime', 24*60*60); // MIN SESSION
ini_set('session.gc_probability', 1); // GC RATES
ini_set('session.gc_divisor', 100); // TIMES
ini_set('session.use_cookies', '1');
ini_set('session.use_only_cookies', '1');
ini_set('session.cookie_secure', '0');
ini_set('session.cookie_httponly', '0');
ini_set('session.cookie_samesite', 'Lax');

4
index.php
View File

@ -63,10 +63,10 @@
$session_user = $Users->getUserInfo($sessuserid, "1", "0"); }
if (isset($session_user)) { // GET UID OR SET TO KIOSK
$uid = $session_user["0"]["users_id"];} else { $uid = "2"; }
$app_disp_lang = filter_input(INPUT_COOKIE, 'app_disp_lang'); // SETUP LANGUAGE
$app_disp_lang = filter_input(INPUT_COOKIE, 'app_disp_lang', FILTER_SANITIZE_FULL_SPECIAL_CHARS); // SETUP LANGUAGE
if(!isset($app_disp_lang)) {
$app_disp_lang=$StaticFunctions->getDefaultLanguage(); }
$siteidcookie = filter_input(INPUT_COOKIE, 'app_site'); // SETUP SITE
$siteidcookie = filter_input(INPUT_COOKIE, 'app_site', FILTER_SANITIZE_FULL_SPECIAL_CHARS); // SETUP SITE
foreach($SiteInfo->getSite("0", $uid, "0", "0") as $arr) {
$lookup_array[$arr['sites_id']]=1; }
if(isset($lookup_array[$siteidcookie])) {

10
login.php
View File

@ -64,10 +64,10 @@
$session_user = $Users->getUserInfo($sessuserid, "1", "0"); }
if (isset($session_user)) { // GET UID OR SET TO KIOSK
$uid = $session_user["0"]["users_id"];} else { $uid = "2"; }
$app_disp_lang = filter_input(INPUT_COOKIE, 'app_disp_lang'); // SETUP LANGUAGE
$app_disp_lang = filter_input(INPUT_COOKIE, 'app_disp_lang', FILTER_SANITIZE_FULL_SPECIAL_CHARS); // SETUP LANGUAGE
if(!isset($app_disp_lang)) {
$app_disp_lang=$StaticFunctions->getDefaultLanguage(); }
$siteidcookie = filter_input(INPUT_COOKIE, 'app_site'); // SETUP SITE
$siteidcookie = filter_input(INPUT_COOKIE, 'app_site', FILTER_SANITIZE_FULL_SPECIAL_CHARS); // SETUP SITE
foreach($SiteInfo->getSite("0", $uid, "0", "0") as $arr) {
$lookup_array[$arr['sites_id']]=1; }
if(isset($lookup_array[$siteidcookie])) {
@ -84,7 +84,7 @@
header("X-Frame-Options: SAMEORIGIN");
header("X-Content-Type-Options: nosniff");
//header("Content-Security-Policy: script-src 'self' 'unsafe-inline'; script-src-elem 'self'; script-src-attr 'self'; style-src 'self'; style-src-elem 'self'; style-src-attr 'self'; img-src 'self'; connect-src 'self'; frame-src 'self'; font-src 'self'; media-src 'self'; object-src 'self'; manifest-src 'self'; worker-src 'self'; prefetch-src 'self'; form-action 'self'; frame-ancestors 'self'; default-src 'self'", false);
if (!empty(filter_input(INPUT_GET, 'a', FILTER_SANITIZE_SPECIAL_CHARS))) {
if (!empty(filter_input(INPUT_GET, 'a', FILTER_SANITIZE_FULL_SPECIAL_CHARS))) {
//echo '<pre>' . print_r($_POST, true) . '</pre>';
echo 'Verification has been : ' . (Csrf::verifyToken('home') ? 'successful' : 'unsuccessful');
}
@ -97,8 +97,8 @@
require_once("src/Misc/PasswordHash.php");
$hasher = new PasswordHash(8, FALSE);
// compare if posted
if (!empty(filter_input(INPUT_POST, 'username', FILTER_SANITIZE_SPECIAL_CHARS))):
$user = $Users->loginUser(filter_input(INPUT_POST, 'username', FILTER_SANITIZE_SPECIAL_CHARS));
if (!empty(filter_input(INPUT_POST, 'username', FILTER_SANITIZE_FULL_SPECIAL_CHARS))):
$user = $Users->loginUser(filter_input(INPUT_POST, 'username', FILTER_SANITIZE_FULL_SPECIAL_CHARS));
if ($user && $user[0]["users_password"] == $hasher->CheckPassword(filter_input(INPUT_POST, 'password', FILTER_SANITIZE_FULL_SPECIAL_CHARS), $user[0]["users_password"])):
session_regenerate_id();
$_SESSION['user_id'] = $user[0]["users_id"];