X-Git-Url: https://git.mxchange.org/?a=blobdiff_plain;f=actions%2Flogin.php;h=ccec9cf8a787818e20cb518f64b44bfd31b30336;hb=2abe10b8ea4b5d69fc7f6513bf465541454ca2cf;hp=003d6613f7425f6c954341aa01fca3d35e2cbc13;hpb=834c21b2aaf78da1081416d05098286e9bf17c2a;p=quix0rs-gnu-social.git
diff --git a/actions/login.php b/actions/login.php
index 003d6613f7..ccec9cf8a7 100644
--- a/actions/login.php
+++ b/actions/login.php
@@ -21,6 +21,10 @@ if (!defined('LACONICA')) { exit(1); }
 class LoginAction extends Action {
+ function is_readonly() {
+ return true;
+ }
+
 function handle($args) {
 parent::handle($args);
 if (common_is_real_login()) {
@@ -33,9 +37,16 @@ class LoginAction extends Action {
 }
 function check_login() {
- # XXX: form token in $_SESSION to prevent XSS
 # XXX: login throttle
- $nickname = $this->arg('nickname');
+
+ # CSRF protection - token set in common_notice_form()
+ $token = $this->trimmed('token');
+ if (!$token || $token != common_session_token()) {
+ $this->client_error(_('There was a problem with your session token. Try again, please.'));
+ return;
+ }
+
+ $nickname = common_canonical_nickname($this->trimmed('nickname'));
 $password = $this->arg('password');
 if (common_check_user($nickname, $password)) {
 # success!
@@ -100,6 +111,7 @@ class LoginAction extends Action {
 _('Automatically login in the future; ' .
 'not for shared computers!'));
 common_submit('submit', _('Login'));
+ common_hidden('token', common_session_token());
 common_element_end('form');
 common_element_start('p');
 common_element('a', array('href' => common_local_url('recoverpassword')),
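Review bot: `is_readonly()` returns `true` unconditionally, so it also covers the POST path that check_login handles, and the success branch of check_login is outside this hunk, so it is not visible here whether a completed login (in particular a remember-me login) persists anything beyond the session. If the framework uses is_readonly() to serve the action against a read-only datastore or to skip write-side setup, confirm that nothing on the success path needs a writable store before shipping this. A short comment would make the assumption explicit for the next reader, e.g. `# treated as read-only: rendering the form and checking credentials should only touch the session -- TODO confirm the remember-me path`.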
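Review bot: The token check `$token != common_session_token()` uses PHP's loose comparison, which compares numeric-looking strings numerically (`'0e12' == '0e34'` and `'1e3' == '1000'` are both true), so two distinct tokens can compare equal; use strict comparison, `if (!$token || $token !== common_session_token()) {` (and `hash_equals()` where the runtime has it, PHP 5.6+). The leading `!$token` also rejects a token of `'0'`, harmless if tokens are hashes but `$token === ''` states the intent more precisely. The comment `# CSRF protection - token set in common_notice_form()` names the wrong producer: the field is emitted by `common_hidden('token', ...)` in this action's own login form further down the file, so it should read `# CSRF protection - token emitted by the hidden 'token' field in the login form below`. The `# XXX: login throttle` marker is left standing, so failed attempts remain unthrottled; check_login continues past the end of this hunk.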
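Review bot: `common_hidden('token', common_session_token())` only round-trips if a session already exists for the anonymous visitor when the form is rendered, because check_login compares the posted value against what that session holds on the POST; whether the session is started before this point is not visible in the hunk. If sessions are started lazily, a first-time visitor with no session cookie would be handed a token that cannot be matched and would hit the session-token error on every login attempt, so confirm the session is started (and its cookie sent) on the GET that renders the form. A one-line comment next to the field would save the next reader the same question, e.g. `# CSRF token; must match the value held in the visitor's session when the form is submitted`.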
@@ -109,10 +121,21 @@ class LoginAction extends Action {
 }
 function get_instructions() {
- return _('Login with your username and password. ' .
- 'Don\'t have a username yet? ' .
- '[Register](%%action.register%%) a new account, or ' .
- 'try [OpenID](%%action.openidlogin%%). ');
+ if (common_logged_in() &&
+ !common_is_real_login() &&
+ common_get_returnto())
+ {
+ # rememberme logins have to reauthenticate before
+ # changing any profile settings (cookie-stealing protection)
+ return _('For security reasons, please re-enter your ' .
+ 'user name and password ' .
+ 'before changing your settings.');
+ } else {
+ return _('Login with your username and password. ' .
+ 'Don\'t have a username yet? ' .
+ '[Register](%%action.register%%) a new account, or ' .
+ 'try [OpenID](%%action.openidlogin%%). ');
+ }
 }
 function show_top($error=NULL) {
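Review bot: The new branch puts the opening brace on a line of its own after the multi-line condition and wraps the original text in an `else` after a `return`, which is out of step with the same-line-brace, early-return shape used elsewhere in this file (`function handle($args) {`, `if (common_is_real_login()) {`). Closing the condition as `common_get_returnto()) {` and dropping the `else` keeps both messages at the same indentation and reads as a guard clause. The rationale comment is worth keeping but would be more precise as `# a rememberme (cookie-only) login must re-enter the password before changing settings, so a stolen cookie alone cannot alter the account`. Note that this hunk only changes the instruction text; the actual enforcement of re-authentication presumably lives in the settings actions that redirect here with a return-to URL, which is not visible in this diff.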