
Fix an issue where a long text could by by pass 2FA check (#5203)

Thanks to PHP and the exec function
Jaap Marcus 2 месяцев назад
Родитель
Сommit
c148ff7a09
1 измененных файлов с 40 добавлено и 31 удалено
  1. 40 31
      web/login/index.php

+ 40 - 31
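--- a/web/login/index.php
+++ b/web/login/index.php
@@ -281,42 +281,51 @@ function authenticate_user($user, $password, $twofa = "") {
 						$_SESSION["login"]["password"] = $password;
 						return false;
 					} else {
-						$v_twofa = quoteshellarg($twofa);
-						exec(
-							HESTIA_CMD . "v-check-user-2fa " . $v_user . " " . $v_twofa,
-							$output,
-							$return_var,
-						);
-						unset($output);
-						if ($return_var > 0) {
+						if (strlen($twofa) < 10) {
+							$v_twofa = quoteshellarg($twofa);
+							exec(
+								HESTIA_CMD . "v-check-user-2fa " . $v_user . " " . $v_twofa,
+								$output,
+								$return_var,
+							);
+							unset($output);
+							if ($return_var !== 0) {
+								sleep(2);
+								$error = _("Invalid or missing 2FA token");
+								$_SESSION["login"]["username"] = $user;
+								$_SESSION["login"]["password"] = $password;
+								$v_session_id = quoteshellarg($_POST["token"]);
+								if (isset($_SESSION["failed_twofa"])) {
+									//allow a few failed attemps before start of logging.
+									if ($_SESSION["failed_twofa"] > 2) {
+										exec(
+											HESTIA_CMD .
+												"v-log-user-login " .
+												$v_user .
+												" " .
+												$v_ip .
+												" failed " .
+												$v_session_id .
+												" " .
+												$v_user_agent .
+												' yes "Invalid or missing 2FA token"',
+											$output,
+											$return_var,
+										);
+									}
+									$_SESSION["failed_twofa"]++;
+								} else {
+									$_SESSION["failed_twofa"] = 1;
+								}
+								unset($_POST["twofa"]);
+								return $error;
+							}
+						} else {
 							sleep(2);
 							$error = _("Invalid or missing 2FA token");
 							$_SESSION["login"]["username"] = $user;
 							$_SESSION["login"]["password"] = $password;
 							$v_session_id = quoteshellarg($_POST["token"]);
-							if (isset($_SESSION["failed_twofa"])) {
-								//allow a few failed attemps before start of logging.
-								if ($_SESSION["failed_twofa"] > 2) {
-									exec(
-										HESTIA_CMD .
-											"v-log-user-login " .
-											$v_user .
-											" " .
-											$v_ip .
-											" failed " .
-											$v_session_id .
-											" " .
-											$v_user_agent .
-											' yes "Invalid or missing 2FA token"',
-										$output,
-										$return_var,
-									);
-								}
-								$_SESSION["failed_twofa"]++;
-							} else {
-								$_SESSION["failed_twofa"] = 1;
-							}
-							unset($_POST["twofa"]);
 							return $error;
 						}
 					}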
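Review bot: The two failure paths the hunk now has are not equivalent: when `v-check-user-2fa` rejects the token (the block under `if ($return_var !== 0)`) the code increments `$_SESSION["failed_twofa"]`, calls `v-log-user-login` after two misses and clears `$_POST["twofa"]`, but the new `else` branch for tokens of 10 or more bytes only sleeps and returns the error, so over-long submissions are neither counted nor logged and the two copies of that block will drift apart. Derive one `$twofa_failed` flag from the length guard and the exit status and run a single shared failure block, as sketched below. The move from `> 0` to `!== 0` appears to be what actually closes the reported bypass — when `exec()` cannot start the command the status it hands back is not a positive exit code — so a comment such as `// exec() failure is reported as a non-positive status; treat anything but 0 as a failed check` above that line would keep a later cleanup from reverting it, and the bare `10` deserves a named constant or a comment saying it is a cap on what reaches the shell, not the token format. `$twofa` is typed only by its `""` default; if any caller can pass a non-string, `strlen()` throws under PHP 8, so `is_string($twofa) &&` in the guard is cheap insurance. `authenticate_user` begins, and its success path continues, outside the hunk.
```php
					} else {
						// Cap what is handed to the shell; anything longer is a failed attempt
						// without spawning a process.
						$twofa_failed = true;
						if (is_string($twofa) && strlen($twofa) < 10) {
							$v_twofa = quoteshellarg($twofa);
							exec(
								HESTIA_CMD . "v-check-user-2fa " . $v_user . " " . $v_twofa,
								$output,
								$return_var,
							);
							unset($output);
							// Anything but exit status 0 (including a failed exec()) is a miss.
							$twofa_failed = $return_var !== 0;
						}
						if ($twofa_failed) {
							sleep(2);
							$error = _("Invalid or missing 2FA token");
							// … unchanged: session bookkeeping, failed_twofa counter and v-log-user-login call …
							unset($_POST["twofa"]);
							return $error;
						}
					}
```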