Add back SSL host cert check but only in SSL mode; show faked host (HTTP_HOST) first for clarity

This commit is contained in:
Ilia Ross
2025-09-24 14:37:18 +03:00
parent e194e2d500
commit e5d6c5627d
4 changed files with 13 additions and 0 deletions


@@ -16,6 +16,10 @@ my $timeout = $gconfig{'passreset_timeout'} || 15;
$remote_user && &error($text{'forgot_elogin'});
$ENV{'HTTPS'} eq 'ON' || $gconfig{'forgot_pass'} == 2 ||
&error($text{'forgot_essl'});
$ENV{'SSL_HOST_CERT'} == 1 ||
&error(&text('forgot_esslhost',
&html_escape($ENV{'HTTP_HOST'} || $ENV{'SSL_HOST'})))
if ($ENV{'HTTPS'} eq 'ON');
# Check that the random ID is valid
$in{'id'} =~ /^[a-f0-9]+$/i || &error($text{'forgot_eid'});
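Review bot: The new guard `$ENV{'SSL_HOST_CERT'} == 1` fails closed when the variable is absent (undef compares numerically as 0), which is the right default, but nothing in this file says who sets SSL_HOST_CERT or what the value 1 means, and an HTTPS deployment that never exports it will refuse every reset with a message that blames the hostname. I would state the contract directly above the check: `# SSL_HOST_CERT is expected to be 1 only when the requested host matched a served certificate (presumably exported by miniserv -- confirm); unset or 0 rejects the reset`. The script continues past the hunk, so any downstream use of `$ENV{'HTTP_HOST'}` is not visible from here.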


@@ -15,6 +15,10 @@ $gconfig{'forgot_pass'} || &error($text{'forgot_ecannot'});
$remote_user && &error($text{'forgot_elogin'});
$ENV{'HTTPS'} eq 'ON' || $gconfig{'forgot_pass'} == 2 ||
&error($text{'forgot_essl'});
$ENV{'SSL_HOST_CERT'} == 1 ||
&error(&text('forgot_esslhost',
&html_escape($ENV{'HTTP_HOST'} || $ENV{'SSL_HOST'})))
if ($ENV{'HTTPS'} eq 'ON');
&ui_print_header(undef, $text{'forgot_title'}, "", undef, undef, 1, 1);
print &ui_alert_box("<b> ⚠ ".$text{'forgot_nossl_warn'}, 'warn')
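Review bot: The added check is one statement spread over four lines, an `||` chain around a nested `&error(&text(...))` call, closed by a postfix `if` on the last line, which puts the real precondition (HTTPS on) after the action it gates and hides the fact that an unset SSL_HOST_CERT is meant to fail. A block form reads the condition first and makes the fail-closed behaviour explicit in a comment. The same four lines are also added verbatim to two sibling CGIs in this commit, so a shared library helper (for example `&check_forgot_ssl_host()`) would keep any future tightening in one place, though that lives outside this file.
```perl
# … unchanged: forgot_essl check …
# Over SSL, refuse unless the server matched the requested host to a served
# certificate (SSL_HOST_CERT presumably set by miniserv -- confirm). An unset
# value also fails here, since undef != 1, and that is intended.
if ($ENV{'HTTPS'} eq 'ON' && $ENV{'SSL_HOST_CERT'} != 1) {
	&error(&text('forgot_esslhost',
		&html_escape($ENV{'HTTP_HOST'} || $ENV{'SSL_HOST'})));
	}
# … unchanged: ui_print_header and warning box …
```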


@@ -14,6 +14,10 @@ $gconfig{'forgot_pass'} || &error($text{'forgot_ecannot'});
$remote_user && &error($text{'forgot_elogin'});
$ENV{'HTTPS'} eq 'ON' || $gconfig{'forgot_pass'} == 2 ||
&error($text{'forgot_essl'});
$ENV{'SSL_HOST_CERT'} == 1 ||
&error(&text('forgot_esslhost',
&html_escape($ENV{'HTTP_HOST'} || $ENV{'SSL_HOST'})))
if ($ENV{'HTTPS'} eq 'ON');
# Lookup the Webmin user
&foreign_require("acl");
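Review bot: The host check is deliberately skipped when the request is not over SSL, so on the `forgot_pass == 2` path `$ENV{'HTTP_HOST'}` reaches the rest of this CGI unvalidated even though the commit's own `forgot_nossl_warn` text names header injection as the risk it warns about. If later code in this file (past the hunk) builds the reset link or message from HTTP_HOST, that path still needs a check against the configured hostnames or should fall back to a configured value rather than the request header; I cannot see that code here, so please confirm. At minimum the intended scope should be stated at the guard: `# Only enforced over SSL: the forgot_pass == 2 (plain HTTP) path trusts HTTP_HOST and is covered only by the UI warning`.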


@@ -185,6 +185,7 @@ forgot_erate=Too many password reset attempts for $1! Please try again later.
forgot_eremote=Webmin server on this system is not running or is not configured to allow forgotten password recovery.
forgot_essl=Forgotten password recovery can only be used over an SSL connection unless explicitly allowed
forgot_nossl=Yes, and allow over insecure connection
forgot_esslhost=Forgotten password recovery cannot be used with invalid SSL hostname $1
forgot_nossl_warn=Warning: This password reset is being sent over an insecure, not-encrypted connection and is vulnerable to man-in-the-middle (MITM) and header-injection attacks.
pam_header=Login to Webmin