From c50c797234b3dc66b9cd863104323d701ad25a40 Mon Sep 17 00:00:00 2001
From: Trevor Slocum
Date: Sat, 13 Mar 2021 18:49:09 -0800
Subject: [PATCH] Support setting management panel key to improve security

Resolves #144.
---
 imgboard.php | 12 ++++++++----
 inc/defines.php | 3 +++
 inc/functions.php | 13 +++++++++++++
 inc/html.php | 8 ++++----
 settings.default.php | 3 +++
 5 files changed, 31 insertions(+), 8 deletions(-)

diff --git a/imgboard.php b/imgboard.php
index d44ac21..d4eb8e7 100644
--- a/imgboard.php
+++ b/imgboard.php
@@ -585,6 +585,13 @@ if (!isset($_GET['delete']) && !isset($_GET['manage']) && (isset($_POST['name'])
 $isadmin = false;
 $returnlink = basename($_SERVER['PHP_SELF']);
+ if (isset($_GET["logout"])) {
+ $_SESSION['tinyib'] = '';
+ $_SESSION['tinyib_key'] = '';
+ session_destroy();
+ die('--> --> -->');
+ }
+
 list($loggedin, $isadmin) = manageCheckLogIn();
 if ($loggedin) {
@@ -805,11 +812,8 @@ if (!isset($_GET['delete']) && !isset($_GET['manage']) && (isset($_POST['name'])
 } elseif (isset($_GET["rawpost"])) {
 $onload = manageOnLoad("rawpost");
 $text .= buildPostForm(0, true);
- } elseif (isset($_GET["logout"])) {
- $_SESSION['tinyib'] = '';
- session_destroy();
- die('--> --> -->');
 }
+
 if ($text == '') {
 $text = manageStatus();
 }
diff --git a/inc/defines.php b/inc/defines.php
index 0e05234..7138151 100644
--- a/inc/defines.php
+++ b/inc/defines.php
@@ -13,6 +13,9 @@ define('TINYIB_WORDBREAK_IDENTIFIER', '@!@TINYIB_WORDBREAK@!@');
 if (!defined('TINYIB_LOCALE')) {
 define('TINYIB_LOCALE', '');
 }
+if (!defined('TINYIB_MANAGEKEY')) {
+ define('TINYIB_MANAGEKEY', '');
+}
 if (!defined('TINYIB_INDEX')) {
 define('TINYIB_INDEX', 'index.html');
 }
diff --git a/inc/functions.php b/inc/functions.php
index 4b8a103..402f7f6 100644
--- a/inc/functions.php
+++ b/inc/functions.php
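Review bot: The new logout branch clears the server-side session with `session_destroy()` but leaves the client's session cookie in place, so the browser keeps presenting an id that no longer maps to anything; the usual pairing is to expire the cookie too, e.g. `setcookie(session_name(), '', time() - 3600, '/');` before the `die(...)`. Moving the branch ahead of `manageCheckLogIn()` is presumably so a user whose key is missing or stale can still end the session rather than hitting the key check first; that reasoning is worth a one-line comment above the `if`, such as `// Handle logout before the management key check so a missing or stale key cannot block it`. Logout is still triggered by a bare GET, which the old code did as well, so that is not new here. The enclosing management branch starts and ends outside this hunk.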
@@ -336,6 +336,17 @@ function checkMessageSize() {
 }
 function manageCheckLogIn() {
+ $key = (isset($_GET['manage']) && $_GET['manage'] != '') ? hashData($_GET['manage']) : '';
+ if ($key == '' && isset($_SESSION['tinyib_key'])) {
+ $key = $_SESSION['tinyib_key'];
+ }
+ if (TINYIB_MANAGEKEY != '' && $key !== hashData(TINYIB_MANAGEKEY)) {
+ $_SESSION['tinyib'] = '';
+ $_SESSION['tinyib_key'] = '';
+ session_destroy();
+ fancyDie(__('Invalid key.'));
+ }
+
 $loggedin = false;
 $isadmin = false;
 if (isset($_POST['managepassword'])) {
@@ -343,8 +354,10 @@ function manageCheckLogIn() {
 if ($_POST['managepassword'] === TINYIB_ADMINPASS) {
 $_SESSION['tinyib'] = hashData(TINYIB_ADMINPASS);
+ $_SESSION['tinyib_key'] = hashData(TINYIB_MANAGEKEY);
 } elseif (TINYIB_MODPASS != '' && $_POST['managepassword'] === TINYIB_MODPASS) {
 $_SESSION['tinyib'] = hashData(TINYIB_MODPASS);
+ $_SESSION['tinyib_key'] = hashData(TINYIB_MANAGEKEY);
 } else {
 fancyDie(__('Invalid password.'));
 }
diff --git a/inc/html.php b/inc/html.php
index 3d85a8b..6bb0f16 100644
--- a/inc/html.php
+++ b/inc/html.php
@@ -542,7 +542,7 @@ EOF;
 function buildPage($htmlposts, $parent, $pages = 0, $thispage = 0, $lastpostid = 0) {
 $cataloglink = TINYIB_CATALOG ? ('[' . __('Catalog') . ']') : '';
- $managelink = basename($_SERVER['PHP_SELF']) . "?manage";
+ $managelink = (TINYIB_MANAGEKEY == '') ? ('[' . __('Manage') . ']') : '';
 $postingmode = "";
 $pagenavigator = "";
@@ -603,7 +603,6 @@ EOF;
 $js_autorefresh = '';
 }
- $txt_manage = __('Manage');
 $txt_style = __('Style');
 $txt_password = __('Password');
 $txt_delete = __('Delete');
@@ -612,7 +611,7 @@ EOF;
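Review bot: The comparison on the `if (TINYIB_MANAGEKEY != '' && $key !== hashData(TINYIB_MANAGEKEY))` line uses `!==`, which stops at the first differing byte; for a secret checked against request-controlled input the constant-time form is `!hash_equals(hashData(TINYIB_MANAGEKEY), $key)` (PHP 5.6+). The first added line also assumes `$_GET['manage']` is a string; a request carrying `?manage[]=x` hands an array to `hashData()`, which presumably wraps a hash function and would warn or, on PHP 8, throw, so guard it: `$key = (isset($_GET['manage']) && is_string($_GET['manage']) && $_GET['manage'] != '') ? hashData($_GET['manage']) : '';`. Because the key is read from the query string it will end up in access logs, browser history and Referer headers, which deserves a comment here and in the settings documentation so operators choose a dedicated value rather than reuse a password. A failed key check ends in `fancyDie()` with nothing recorded, so repeated wrong keys are invisible to the operator; logging the failure next to the die would give them something to alert on. `manageCheckLogIn()` continues past the end of this hunk.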
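Review bot: The line `$_SESSION['tinyib_key'] = hashData(TINYIB_MANAGEKEY);` is added identically to both successful branches; since the `else` branch ends in `fancyDie()` (assuming it does not return), the assignment can sit once after the `if`/`elseif`/`else` chain instead of being duplicated. The point where the session is promoted to a logged-in management session is also the natural place for `session_regenerate_id(true);` before the `$_SESSION` writes, so a session id obtained before login does not carry the new privilege. When `TINYIB_MANAGEKEY` is `''` this stores `hashData('')` in the session, which is harmless because the key check in the earlier hunk is skipped for an empty key, but a short comment saying so would save the next reader a lookup. The enclosing `if (isset($_POST['managepassword']))` block starts outside this hunk.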
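Review bot: After this change `$managelink` no longer holds a link target (the removed `basename($_SERVER['PHP_SELF']) . "?manage"`) but the visible `[Manage]` label or an empty string, so the name now misdescribes the value; renaming it (e.g. `$managelabel`) or adding a comment such as `// Label for the manage link; left empty when a management key is required so the page does not advertise the panel` would keep the template readable. Hiding the link is presentation only: the `?manage` entry point still exists and is protected by the key check in `manageCheckLogIn()`, which is worth stating in that comment so nobody later treats the hidden link as the access control. The comparison `TINYIB_MANAGEKEY == ''` could be `=== ''` to match the strict comparison this patch uses for the passwords. `buildPage()` continues past the end of this hunk.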
$cataloglink - [$txt_manage] + $managelink