fix resending mail requests (#401)

ltb-project · Jul 24, 2024 · fd4feff · fd4feff
1 parent 234b399
commit fd4feff
Show file tree

Hide file tree

Showing 32 changed files with 108 additions and 2 deletions.
diff --git a/htdocs/index.php b/htdocs/index.php
@@ -386,6 +386,7 @@
 if (isset($question)) { $smarty->assign('question', $question); }
 
 if (isset($login)) { $smarty->assign('login', $login); }
+if (isset($formtoken)) { $smarty->assign('formtoken', $formtoken); }
 if (isset($usermail)) { $smarty->assign('usermail', $usermail); }
 if (isset($displayname[0])) { $smarty->assign('displayname', $displayname[0]); }
 if (isset($encrypted_sms_login)) { $smarty->assign('encrypted_sms_login', $encrypted_sms_login); }

diff --git a/htdocs/sendtoken.php b/htdocs/sendtoken.php
@@ -32,6 +32,7 @@
 $userdn = "";
 $token = "";
 $usermail = "";
+$formtoken = "";
 
 if (!$mail_address_use_ldap) {
     if (isset($_POST["mail"]) and $_POST["mail"]) {
@@ -48,7 +49,26 @@
 if (isset($_REQUEST["login"]) and $_REQUEST["login"]) { $login = strval($_REQUEST["login"]);}
 else { $result = "loginrequired";}
 
-if (! isset($_POST["mail"]) and ! isset($_REQUEST["login"])) { $result = "emptysendtokenform"; }
+if ( $result === "" and ( ! isset($_REQUEST["formtoken"]) or ! $_REQUEST["formtoken"] )  ) {
+    $result = "missingformtoken";
+}
+
+if (! isset($_POST["mail"]) and ! isset($_REQUEST["login"])) {
+
+    $result = "emptysendtokenform";
+
+    # Generate formtoken
+    ini_set("session.use_cookies",0);
+    ini_set("session.use_only_cookies",1);
+    ini_set("session.use_strict_mode",0);
+    session_name("formtoken");
+    session_id(session_create_id());
+    session_start();
+    $formtoken = session_id();
+    $_SESSION['formtoken'] = $formtoken;
+    error_log("generated token: " . $formtoken);
+    session_write_close();
+}
 
 # Check the entered username for characters that our installation doesn't support
 if ( $result === "" ) {
@@ -162,14 +182,42 @@
     } else {
         $token = session_id();
     }
+    session_write_close();
+}
+
 
+#==============================================================================
+# Check tokenform
+#==============================================================================
+
+if ( !$result ) {
+    $formtoken = strval($_REQUEST["formtoken"]);
+    ini_set("session.use_cookies",0);
+    ini_set("session.use_only_cookies",1);
+    ini_set("session.use_strict_mode",0);
+    session_name("formtoken");
+    session_id($formtoken);
+    session_start();
+    if( $_SESSION['formtoken'] == $formtoken )
+    {
+        # Remove session
+        session_unset();
+        session_destroy();
+    }
+    else
+    {
+        error_log("Invalid form token: sent: $formtoken, stored: " . $_SESSION['formtoken']);
+        $result = "invalidformtoken";
+    }
+    session_write_close();
 }
 
 #==============================================================================
 # Send token by mail
 #==============================================================================
 if ( !$result ) {
 
+
     $reset_url .= "?action=resetbytoken&token=".urlencode($token);
 
     if ( !empty($reset_request_log) ) {

diff --git a/lang/ar.inc.php b/lang/ar.inc.php
@@ -176,3 +176,5 @@
 $messages['smsnomatch'] = "رقم الرسائل القصيرة لا يتطابق مع اسم المستخدم.";
 $messages['sameasaccountpassword'] = "كلمة المرور الجديدة مطابقة لكلمة مرور تسجيل الدخول";
 $messages['policynoreusecustompwdfield'] = "لا يجب ان تكون كلمة المرور الجديدة هي نفسها كلمة مرور تسجيل الدخول";
+$messages['missingformtoken'] = "Missing token";
+$messages['invalidformtoken'] = "Invalid token";
diff --git a/lang/ca.inc.php b/lang/ca.inc.php
@@ -181,3 +181,5 @@
 $messages['smsnomatch'] = "The SMS number does not match the submitted login.";
 $messages['sameasaccountpassword'] = "Your new password is identical to your login password";
 $messages['policynoreusecustompwdfield'] = "Your new password may not be the same as your login password";
+$messages['missingformtoken'] = "Missing token";
+$messages['invalidformtoken'] = "Invalid token";
diff --git a/lang/cn.inc.php b/lang/cn.inc.php
@@ -176,3 +176,5 @@
 $messages['smsnomatch'] = "The SMS number does not match the submitted login.";
 $messages['sameasaccountpassword'] = "Your new password is identical to your login password";
 $messages['policynoreusecustompwdfield'] = "Your new password may not be the same as your login password";
+$messages['missingformtoken'] = "Missing token";
+$messages['invalidformtoken'] = "Invalid token";
diff --git a/lang/cs.inc.php b/lang/cs.inc.php
@@ -176,3 +176,5 @@
 $messages['smsnomatch'] = "The SMS number does not match the submitted login.";
 $messages['sameasaccountpassword'] = "Your new password is identical to your login password";
 $messages['policynoreusecustompwdfield'] = "Your new password may not be the same as your login password";
+$messages['missingformtoken'] = "Missing token";
+$messages['invalidformtoken'] = "Invalid token";
diff --git a/lang/de.inc.php b/lang/de.inc.php
@@ -179,3 +179,5 @@
 $messages['smsnomatch'] = "The SMS number does not match the submitted login.";
 $messages['sameasaccountpassword'] = "Your new password is identical to your login password";
 $messages['policynoreusecustompwdfield'] = "Your new password may not be the same as your login password";
+$messages['missingformtoken'] = "Missing token";
+$messages['invalidformtoken'] = "Invalid token";
diff --git a/lang/ee.inc.php b/lang/ee.inc.php
@@ -178,3 +178,5 @@
 $messages['smsnomatch'] = "The SMS number does not match the submitted login.";
 $messages['sameasaccountpassword'] = "Your new password is identical to your login password";
 $messages['policynoreusecustompwdfield'] = "Your new password may not be the same as your login password";
+$messages['missingformtoken'] = "Missing token";
+$messages['invalidformtoken'] = "Invalid token";
diff --git a/lang/el.inc.php b/lang/el.inc.php
@@ -176,3 +176,5 @@
 $messages['smsnomatch'] = "The SMS number does not match the submitted login.";
 $messages['sameasaccountpassword'] = "Your new password is identical to your login password";
 $messages['policynoreusecustompwdfield'] = "Your new password may not be the same as your login password";
+$messages['missingformtoken'] = "Missing token";
+$messages['invalidformtoken'] = "Invalid token";
diff --git a/lang/en.inc.php b/lang/en.inc.php
@@ -176,3 +176,5 @@
 $messages['smsnomatch'] = "The SMS number does not match the submitted login.";
 $messages['sameasaccountpassword'] = "Your new password is identical to your login password";
 $messages['policynoreusecustompwdfield'] = "Your new password may not be the same as your login password";
+$messages['missingformtoken'] = "Missing token";
+$messages['invalidformtoken'] = "Invalid token";
diff --git a/lang/es.inc.php b/lang/es.inc.php
@@ -179,3 +179,5 @@
 $messages['smsnomatch'] = "The SMS number does not match the submitted login.";
 $messages['sameasaccountpassword'] = "Your new password is identical to your login password";
 $messages['policynoreusecustompwdfield'] = "Your new password may not be the same as your login password";
+$messages['missingformtoken'] = "Missing token";
+$messages['invalidformtoken'] = "Invalid token";
diff --git a/lang/eu.inc.php b/lang/eu.inc.php
@@ -177,3 +177,5 @@
 $messages['smsnomatch'] = "The SMS number does not match the submitted login.";
 $messages['sameasaccountpassword'] = "Your new password is identical to your login password";
 $messages['policynoreusecustompwdfield'] = "Your new password may not be the same as your login password";
+$messages['missingformtoken'] = "Missing token";
+$messages['invalidformtoken'] = "Invalid token";
diff --git a/lang/fr.inc.php b/lang/fr.inc.php
@@ -176,3 +176,5 @@
 $messages['smsnomatch'] = "Le numéro de téléphone ne correspond pas à l'identifiant donné.";
 $messages['sameasaccountpassword'] = "Votre nouveau mot de passe est identique à votre mot de passe de connexion";
 $messages['policynoreusecustompwdfield'] = "Votre nouveau mot de passe ne devrait pas être le même que le mot de passe de connexion";
+$messages['missingformtoken'] = "Jeton manquant";
+$messages['invalidformtoken'] = "Jeton invalide";
diff --git a/lang/hu.inc.php b/lang/hu.inc.php
@@ -176,3 +176,5 @@
 $messages['smsnomatch'] = "The SMS number does not match the submitted login.";
 $messages['sameasaccountpassword'] = "Your new password is identical to your login password";
 $messages['policynoreusecustompwdfield'] = "Your new password may not be the same as your login password";
+$messages['missingformtoken'] = "Missing token";
+$messages['invalidformtoken'] = "Invalid token";
diff --git a/lang/it.inc.php b/lang/it.inc.php
@@ -176,3 +176,5 @@
 $messages['smsnomatch'] = "The SMS number does not match the submitted login.";
 $messages['sameasaccountpassword'] = "Your new password is identical to your login password";
 $messages['policynoreusecustompwdfield'] = "Your new password may not be the same as your login password";
+$messages['missingformtoken'] = "Missing token";
+$messages['invalidformtoken'] = "Invalid token";
diff --git a/lang/ja.inc.php b/lang/ja.inc.php
@@ -176,3 +176,5 @@
 $messages['smsnomatch'] = "The SMS number does not match the submitted login.";
 $messages['sameasaccountpassword'] = "Your new password is identical to your login password";
 $messages['policynoreusecustompwdfield'] = "Your new password may not be the same as your login password";
+$messages['missingformtoken'] = "Missing token";
+$messages['invalidformtoken'] = "Invalid token";
diff --git a/lang/nb-NO.inc.php b/lang/nb-NO.inc.php
@@ -176,3 +176,5 @@
 $messages['smsnomatch'] = "The SMS number does not match the submitted login.";
 $messages['sameasaccountpassword'] = "Your new password is identical to your login password";
 $messages['policynoreusecustompwdfield'] = "Your new password may not be the same as your login password";
+$messages['missingformtoken'] = "Missing token";
+$messages['invalidformtoken'] = "Invalid token";
diff --git a/lang/nl.inc.php b/lang/nl.inc.php
@@ -178,3 +178,5 @@
 $messages['smsnomatch'] = "The SMS number does not match the submitted login.";
 $messages['sameasaccountpassword'] = "Your new password is identical to your login password";
 $messages['policynoreusecustompwdfield'] = "Your new password may not be the same as your login password";
+$messages['missingformtoken'] = "Missing token";
+$messages['invalidformtoken'] = "Invalid token";
diff --git a/lang/pl.inc.php b/lang/pl.inc.php
@@ -178,3 +178,5 @@
 $messages['smsnomatch'] = "The SMS number does not match the submitted login.";
 $messages['sameasaccountpassword'] = "Your new password is identical to your login password";
 $messages['policynoreusecustompwdfield'] = "Your new password may not be the same as your login password";
+$messages['missingformtoken'] = "Missing token";
+$messages['invalidformtoken'] = "Invalid token";
diff --git a/lang/pt-BR.inc.php b/lang/pt-BR.inc.php
@@ -176,3 +176,5 @@
 $messages['smsnomatch'] = "The SMS number does not match the submitted login.";
 $messages['sameasaccountpassword'] = "Your new password is identical to your login password";
 $messages['policynoreusecustompwdfield'] = "Your new password may not be the same as your login password";
+$messages['missingformtoken'] = "Missing token";
+$messages['invalidformtoken'] = "Invalid token";
diff --git a/lang/pt-PT.inc.php b/lang/pt-PT.inc.php
@@ -176,3 +176,5 @@
 $messages['smsnomatch'] = "The SMS number does not match the submitted login.";
 $messages['sameasaccountpassword'] = "Your new password is identical to your login password";
 $messages['policynoreusecustompwdfield'] = "Your new password may not be the same as your login password";
+$messages['missingformtoken'] = "Missing token";
+$messages['invalidformtoken'] = "Invalid token";
diff --git a/lang/rs.inc.php b/lang/rs.inc.php
@@ -176,3 +176,5 @@
 $messages['smsnomatch'] = "The SMS number does not match the submitted login.";
 $messages['sameasaccountpassword'] = "Your new password is identical to your login password";
 $messages['policynoreusecustompwdfield'] = "Your new password may not be the same as your login password";
+$messages['missingformtoken'] = "Missing token";
+$messages['invalidformtoken'] = "Invalid token";
diff --git a/lang/ru.inc.php b/lang/ru.inc.php
@@ -176,3 +176,5 @@
 $messages['smsnomatch'] = "The SMS number does not match the submitted login.";
 $messages['sameasaccountpassword'] = "Your new password is identical to your login password";
 $messages['policynoreusecustompwdfield'] = "Your new password may not be the same as your login password";
+$messages['missingformtoken'] = "Missing token";
+$messages['invalidformtoken'] = "Invalid token";
diff --git a/lang/sk.inc.php b/lang/sk.inc.php
@@ -176,3 +176,5 @@
 $messages['smsnomatch'] = "The SMS number does not match the submitted login.";
 $messages['sameasaccountpassword'] = "Your new password is identical to your login password";
 $messages['policynoreusecustompwdfield'] = "Your new password may not be the same as your login password";
+$messages['missingformtoken'] = "Missing token";
+$messages['invalidformtoken'] = "Invalid token";
diff --git a/lang/sl.inc.php b/lang/sl.inc.php
@@ -181,3 +181,5 @@
 $messages['smsnomatch'] = "The SMS number does not match the submitted login.";
 $messages['sameasaccountpassword'] = "Your new password is identical to your login password";
 $messages['policynoreusecustompwdfield'] = "Your new password may not be the same as your login password";
+$messages['missingformtoken'] = "Missing token";
+$messages['invalidformtoken'] = "Invalid token";
diff --git a/lang/sv.inc.php b/lang/sv.inc.php
@@ -181,3 +181,5 @@
 $messages['smsnomatch'] = "The SMS number does not match the submitted login.";
 $messages['sameasaccountpassword'] = "Your new password is identical to your login password";
 $messages['policynoreusecustompwdfield'] = "Your new password may not be the same as your login password";
+$messages['missingformtoken'] = "Missing token";
+$messages['invalidformtoken'] = "Invalid token";
diff --git a/lang/tr.inc.php b/lang/tr.inc.php
@@ -176,3 +176,5 @@
 $messages['smsnomatch'] = "The SMS number does not match the submitted login.";
 $messages['sameasaccountpassword'] = "Your new password is identical to your login password";
 $messages['policynoreusecustompwdfield'] = "Your new password may not be the same as your login password";
+$messages['missingformtoken'] = "Missing token";
+$messages['invalidformtoken'] = "Invalid token";
diff --git a/lang/uk.inc.php b/lang/uk.inc.php
@@ -177,3 +177,5 @@
 $messages['smsnomatch'] = "The SMS number does not match the submitted login.";
 $messages['sameasaccountpassword'] = "Your new password is identical to your login password";
 $messages['policynoreusecustompwdfield'] = "Your new password may not be the same as your login password";
+$messages['missingformtoken'] = "Missing token";
+$messages['invalidformtoken'] = "Invalid token";
diff --git a/lang/zh-CN.inc.php b/lang/zh-CN.inc.php
@@ -176,3 +176,5 @@
 $messages['smsnomatch'] = "The SMS number does not match the submitted login.";
 $messages['sameasaccountpassword'] = "Your new password is identical to your login password";
 $messages['policynoreusecustompwdfield'] = "Your new password may not be the same as your login password";
+$messages['missingformtoken'] = "Missing token";
+$messages['invalidformtoken'] = "Invalid token";
diff --git a/lang/zh-TW.inc.php b/lang/zh-TW.inc.php
@@ -176,3 +176,5 @@
 $messages['smsnomatch'] = "The SMS number does not match the submitted login.";
 $messages['sameasaccountpassword'] = "Your new password is identical to your login password";
 $messages['policynoreusecustompwdfield'] = "Your new password may not be the same as your login password";
+$messages['missingformtoken'] = "Missing token";
+$messages['invalidformtoken'] = "Invalid token";
diff --git a/lib/functions.inc.php b/lib/functions.inc.php
@@ -60,7 +60,7 @@ function generate_sms_token( $sms_token_length ) {
 # Get message criticity
 function get_criticity( $msg ) {
 
-    if ( preg_match( "/nophpldap|phpupgraderequired|nophpmhash|nokeyphrase|ldaperror|nomatch|badcredentials|passworderror|tooshort|toobig|minlower|minupper|mindigit|minspecial|forbiddenchars|sameasold|answermoderror|answernomatch|mailnomatch|tokennotsent|tokennotvalid|notcomplex|smsnonumber|smscrypttokensrequired|nophpmbstring|nophpxml|smsnotsent|sameaslogin|pwned|invalidsshkey|sshkeyerror|specialatends|forbiddenwords|forbiddenldapfields|diffminchars|badquality|tooyoung|inhistory|throttle|attributesmoderror|insufficiententropy|noreseturl|nocrypttokens|smsnomatch|unknowncustompwdfield|sameascustompwd/" , $msg ) ) {
+    if ( preg_match( "/nophpldap|phpupgraderequired|nophpmhash|nokeyphrase|ldaperror|nomatch|badcredentials|passworderror|tooshort|toobig|minlower|minupper|mindigit|minspecial|forbiddenchars|sameasold|answermoderror|answernomatch|mailnomatch|tokennotsent|tokennotvalid|notcomplex|smsnonumber|smscrypttokensrequired|nophpmbstring|nophpxml|smsnotsent|sameaslogin|pwned|invalidsshkey|sshkeyerror|specialatends|forbiddenwords|forbiddenldapfields|diffminchars|badquality|tooyoung|inhistory|throttle|attributesmoderror|insufficiententropy|noreseturl|nocrypttokens|smsnomatch|unknowncustompwdfield|sameascustompwd|missingformtoken|invalidformtoken/" , $msg ) ) {
     return "danger";
     }
 

diff --git a/templates/sendtoken.tpl b/templates/sendtoken.tpl
@@ -20,6 +20,7 @@
             <div class="input-group">
                 <span class="input-group-text"><i class="fa fa-fw fa-user"></i></span>
                 <input type="text" name="login" id="login" value="{$login}" class="form-control" placeholder="{$msg_login}" autocomplete="off" />
+                <input type="hidden" name="formtoken" id="formtoken" value="{$formtoken}" />
             </div>
         </div>
     </div>