
Commit 02d831e

committed
Send the login form via POST
* replaces the headers to properly open the updater from within the settings without the use of eval() Signed-off-by: Morris Jobke <[email protected]>
1 parent 9b979ec commit 02d831e


1 file changed

+8
-24
lines changed


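--- a/index.php
+++ b/index.php
@@ -1273,7 +1273,7 @@ public function logVersion() {
 }
 
 // Check for authentication
-$password = isset($_SERVER['HTTP_X_UPDATER_AUTH']) ? $_SERVER['HTTP_X_UPDATER_AUTH'] : '';
+$password = isset($_SERVER['HTTP_X_UPDATER_AUTH']) ? $_SERVER['HTTP_X_UPDATER_AUTH'] : (isset($_POST['updater-secret-input']) ? $_POST['updater-secret-input'] : '');
 $auth = new Auth($updater, $password);
 
 // Check if already a step is in process
@@ -1646,9 +1646,13 @@ public function logVersion() {
 }
 
 #login input {
-padding: 5px;
 border-radius: 3px;
 border: 1px solid rgba(240,240,240,.9);
+margin: 3px 3px 3px 0;
+padding: 9px 6px;
+font-size: 13px;
+outline: none;
+cursor: text;
 }
 
 .section {
@@ -1754,13 +1758,13 @@ public function logVersion() {
 <code>php -r '$password = trim(shell_exec("openssl rand -base64 48"));if(strlen($password) === 64) {$hash = password_hash($password, PASSWORD_DEFAULT) . "\n"; echo "Insert as \"updater.secret\": ".$hash; echo "The plaintext value is: ".$password."\n";}else{echo "Could not execute OpenSSL.\n";};'</code>
 <form method="post" name="login">
 <fieldset>
-<input type="password" id="updater-secret-input" value=""
+<input type="password" name="updater-secret-input" value=""
 placeholder="Secret"
 autocomplete="on" required>
 <button id="updater-secret-submit">Login</button>
 </fieldset>
 </form>
-<?php if(isset($_SERVER['HTTP_X_UPDATER_AUTH']) && !$auth->isAuthenticated()): ?>
+<?php if(isset($_POST['updater-secret-input']) && !$auth->isAuthenticated()): ?>
 <p>Invalid password</p>
 <?php endif; ?>
 </div>
@@ -2127,26 +2131,6 @@ function confirmExit() {
 }
 }
 </script>
-<?php else: ?>
-<script>
-function login() {
-var xhr = new XMLHttpRequest();
-xhr.open('GET', window.location.href, true);
-xhr.setRequestHeader('X-Updater-Auth', document.getElementById('updater-secret-input').value);
-xhr.onreadystatechange = function () {
-if (xhr.readyState === 4) {
-document.getElementsByTagName('html')[0].innerHTML = xhr.responseText;
-eval(document.getElementsByTagName('script')[0].innerHTML);
-}
-};
-xhr.send();
-}
-
-document.getElementById('updater-secret-submit').onclick = function(e) {
-e.preventDefault();
-login();
-};
-</script>
 <?php endif; ?>
 
 </html>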
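Review bot: The new fallback at line 1276 passes `$_POST['updater-secret-input']` to `new Auth($updater, $password)` without checking its type, so a request that submits the field as an array hands a non-string to the secret check. `Auth` is defined outside this section, so the effect is inferred: if it relies on `password_verify()`, the result is a PHP warning or a TypeError (depending on the PHP version) instead of a clean "Invalid password" response. I would guard the POST branch with `is_string()`, e.g. `(isset($_POST['updater-secret-input']) && is_string($_POST['updater-secret-input']) ? $_POST['updater-secret-input'] : '')`. Separately, the `X-Updater-Auth` header still takes precedence over the form field while the "Invalid password" message at line 1767 now keys only on the POST field, so a rejected header-based request no longer sees that message; a one-line comment such as `// header wins over the form field; the error message is shown for form logins only` would make that intent explicit.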
