Fix the destination login alternate path

FusionPBX 2025-02-05 18:09:08 -07:00 committed by GitHub
parent e21650fe4a
commit 9b0292f3d2
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 22 additions and 11 deletions


@ -17,7 +17,7 @@
The Initial Developer of the Original Code is The Initial Developer of the Original Code is
Mark J Crane <markjcrane@fusionpbx.com> Mark J Crane <markjcrane@fusionpbx.com>
Portions created by the Initial Developer are Copyright (C) 2008-2023 Portions created by the Initial Developer are Copyright (C) 2008-2025
the Initial Developer. All Rights Reserved. the Initial Developer. All Rights Reserved.
Contributor(s): Contributor(s):
@ -128,36 +128,47 @@
//if not authorized //if not authorized
if (empty($_SESSION['authorized']) || !$_SESSION['authorized']) { if (empty($_SESSION['authorized']) || !$_SESSION['authorized']) {
//log the failed auth attempt to the system to the syslog server //log the failed auth attempt to the system to the syslog server
openlog('FusionPBX', LOG_NDELAY, LOG_AUTH); openlog('FusionPBX', LOG_NDELAY, LOG_AUTH);
syslog(LOG_WARNING, '['.$_SERVER['REMOTE_ADDR']."] authentication failed for ".$result["username"]); syslog(LOG_WARNING, '['.$_SERVER['REMOTE_ADDR']."] authentication failed for ".$result["username"]);
closelog(); closelog();
//redirect the user to the login page //redirect the user to the login page
$target_path = !empty($_REQUEST["path"]) ? $_REQUEST["path"] : $_SERVER["PHP_SELF"]; $target_path = !empty($_REQUEST["path"]) ? $_REQUEST["path"] : $_SERVER["PHP_SELF"];
message::add($text['message-authentication_failed'], 'negative'); message::add($text['message-authentication_failed'], 'negative');
header("Location: ".PROJECT_PATH."/?path=".urlencode($target_path)); header("Location: ".PROJECT_PATH."/?path=".urlencode($target_path));
exit; exit;
} }
//if logged in, redirect to login destination //if logged in, redirect to login destination
if (!isset($_REQUEST["key"])) { if (!isset($_REQUEST["key"])) {
//create database object
$database = database::new();
//connect to the settings object
$settings = new settings(['database' => $database, 'domain_uuid' => $domain_uuid, 'user_uuid' => $user_uuid]);
//redirect the user
if (isset($_SESSION['redirect_path'])) { if (isset($_SESSION['redirect_path'])) {
$redirect_path = $_SESSION['redirect_path']; $redirect_path = $_SESSION['redirect_path'];
unset($_SESSION['redirect_path']); unset($_SESSION['redirect_path']);
// prevent open redirect attacks. redirect url shouldn't contain a hostname // prevent open redirect attacks. redirect url shouldn't contain a hostname
$parsed_url = parse_url($redirect_path); $parsed_url = parse_url($redirect_path);
if ($parsed_url['host']) { if ($parsed_url['host']) {
die("Was someone trying to hack you?"); die("Was someone trying to hack you?");
} }
header("Location: ".$redirect_path); header("Location: ".$redirect_path);
exit;
} }
elseif (isset($_SESSION['login']['destination']['text'])) { elseif (!empty($settings->get('login', 'destination', ''))) {
header("Location: ".$_SESSION['login']['destination']['text']); header("Location: ".$settings->get('login', 'destination', ''));
exit;
} }
elseif (file_exists($_SERVER["PROJECT_ROOT"]."/core/dashboard/app_config.php")) { elseif (file_exists($_SERVER["PROJECT_ROOT"]."/core/dashboard/app_config.php")) {
header("Location: ".PROJECT_PATH."/core/dashboard/"); header("Location: ".PROJECT_PATH."/core/dashboard/");
exit;
} }
else { else {
require_once "resources/header.php"; require_once "resources/header.php";