web/inc/secure_login.php
I just looked at this file.
The bug may be causing false positives or false negatives, leading to unexpected behavior or blocking legitimate requests.
Upon reviewing the code, I have identified a potential bug in the prevent_post_csrf function. In the line $_SERVER['HTTP_PORT'] = '';, it should be $_SERVER['SERVER_PORT'] = '';. This typo may be causing issues when checking the server port in the CSRF prevention logic.
Solution
To fix the bug, replace the line $_SERVER['HTTP_PORT'] = ''; with $_SERVER['SERVER_PORT'] = ''; in the prevent_post_csrf function.
I could be way off track?
?code
- myVesta
- Site Admin
You have an eagle eye.
Fixed - https://github.com/myvesta/vesta/commit ... =split&w=0
Thanks, man.
However, the bug could not cause an issue, since that line only prevents the potential PHP warning (that the port variable is not set); PHP will treat it as an empty string in both cases.