* use simple token in settings

(cherry picked from commit 866c34e2e0)
This commit is contained in:
Max Pozdeev 2021-09-20 12:30:00 +03:00
parent 9f78149fe1
commit f23ca43eea
3 changed files with 12 additions and 17 deletions

View file

@ -947,16 +947,6 @@ function getUserListsSimple()
return $a;
}
function check_token()
{
if (!need_auth()) return true;
if (!isset($_SESSION)) return true;
if (!isset($_SESSION['token'])) return true;
$headers = getallheaders();
if (!isset($headers['MTT-Token']) || $headers['MTT-Token'] != $_SESSION['token']) {
die("Access denied! Try to reload the page.");
}
}
?>

View file

@ -127,6 +127,16 @@ function access_token()
return $_SESSION['token'];
}
function check_token()
{
$token = access_token();
if ($token == '') return true;
$headers = getallheaders();
if (!isset($headers['MTT-Token']) || $headers['MTT-Token'] != $token) {
die("Access denied! Try to reload the page.");
}
}
function timestampToDatetime($timestamp)
{
$format = Config::get('dateformat') .' '. (Config::get('clock') == 12 ? 'g:i A' : 'H:i');

View file

@ -10,17 +10,13 @@ require_once('./init.php');
$lang = Lang::instance();
if ( !is_logged() )
{
if ( !is_logged() ) {
die("Access denied!<br/> Disable password protection or Log in.");
}
check_token();
if(isset($_POST['save']))
{
if (need_auth() && _post('_token') != hash('gost', session_id())) {
die("Access denied! Try to reload the settings page.");
}
$t = array();
$langs = getLangs();
Config::$params['lang']['options'] = array_keys($langs);
@ -181,7 +177,6 @@ header('Content-type:text/html; charset=utf-8');
<div id="settings_msg" style="display:none"></div>
<form id="settings_form" method="post" action="settings.php">
<input type="hidden" name="_token" value="<?php if(need_auth()) echo htmlspecialchars(hash('gost',session_id())) ?>">
<div class="mtt-settings-table">