release 1.2.11

webinterface/stats.php

@@ -6,7 +6,9 @@ if(in_array('sha512', hash_algos())) {
 }
 if(isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == "on") {
 	ini_set('session.cookie_secure', 1);
-	header("Strict-Transport-Security: max-age=31536000; includeSubDomains; preload;");
+	if(!headers_sent()) {
+		header("Strict-Transport-Security: max-age=31536000; includeSubDomains; preload;");
+	}
 }
 session_start();
 
@@ -40,16 +42,20 @@ if (!isset($_SESSION[$rspathhex.'username']) || $_SESSION[$rspathhex.'username']
 	exit;
 }
 
-if (isset($_POST['update']) && $_POST['csrf_token'] != $_SESSION[$rspathhex.'csrf_token']) {
-	echo $lang['errcsrf'];
-	rem_session_ts3($rspathhex);
-	exit;
+require_once('nav.php');
+$csrf_token = bin2hex(openssl_random_pseudo_bytes(32));
+
+if ($mysqlcon->exec("INSERT INTO `$dbname`.`csrf_token` (`token`,`timestamp`,`sessionid`) VALUES ('$csrf_token','".time()."','".session_id()."')") === false) {
+	$err_msg = print_r($mysqlcon->errorInfo(), true);
+	$err_lvl = 3;
 }
 
-require_once('nav.php');
-
-if (isset($_POST['update']) && $_SESSION[$rspathhex.'username'] == $webuser && $_SESSION[$rspathhex.'password'] == $webpass && $_SESSION[$rspathhex.'clientip'] == getclientip() && $_POST['csrf_token'] == $_SESSION[$rspathhex.'csrf_token']) {
+if (($db_csrf = $mysqlcon->query("SELECT * FROM `$dbname`.`csrf_token` WHERE `sessionid`='".session_id()."'")->fetchALL(PDO::FETCH_UNIQUE|PDO::FETCH_ASSOC)) === false) {
+	$err_msg = print_r($mysqlcon->errorInfo(), true);
+	$err_lvl = 3;
+}
 
+if (isset($_POST['update']) && isset($db_csrf[$_POST['csrf_token']])) {
 	if (isset($_POST['showexcld'])) $showexcld = 1; else $showexcld = 0;
 	if (isset($_POST['showcolrg'])) $showcolrg = 1; else $showcolrg = 0;
 	if (isset($_POST['showcolcld'])) $showcolcld = 1; else $showcolcld = 0;
@@ -72,9 +78,11 @@ if (isset($_POST['update']) && $_SESSION[$rspathhex.'username'] == $webuser && $
         $err_msg = $lang['wisvsuc'];
 		$err_lvl = NULL;
     }
+} elseif(isset($_POST['update'])) {
+	echo '<div class="alert alert-danger alert-dismissible">',$lang['errcsrf'],'</div>';
+	rem_session_ts3($rspathhex);
+	exit;
 }
-
-$_SESSION[$rspathhex.'csrf_token'] = bin2hex(openssl_random_pseudo_bytes(32));
 ?>
 		<div id="page-wrapper">
 <?PHP if(isset($err_msg)) error_handling($err_msg, $err_lvl); ?>
@@ -82,12 +90,12 @@ $_SESSION[$rspathhex.'csrf_token'] = bin2hex(openssl_random_pseudo_bytes(32));
 				<div class="row">
 					<div class="col-lg-12">
 						<h1 class="page-header">
-							<?php echo $lang['wihlsty']; ?>
+							<?php echo $lang['winav6'],' ',$lang['wihlset']; ?>
 						</h1>
 					</div>
 				</div>
 				<form class="form-horizontal" name="update" method="POST">
-				<input type="hidden" name="csrf_token" value="<?PHP echo $_SESSION[$rspathhex.'csrf_token']; ?>">
+				<input type="hidden" name="csrf_token" value="<?PHP echo $csrf_token; ?>">
 					<div class="row">
 						<div class="col-md-6">
 							<div class="panel panel-default">
@@ -502,4 +510,4 @@ $_SESSION[$rspathhex.'csrf_token'] = bin2hex(openssl_random_pseudo_bytes(32));
   </div>
 </div>
 </body>
-</html>
+</html>