Merge branch 'master' of github.com:webmin/webmin

2026-02-03 06:03:28 +00:00 · 2025-09-24 20:32:47 -07:00
parent df97b4a419 1ef0914610
commit f08ad4eb19
7 changed files with 29 additions and 12 deletions
--- a/forgot.cgi
+++ b/forgot.cgi
@@ -14,10 +14,12 @@ $trust_unknown_referers = 1;
 $gconfig{'forgot_pass'} || &error($text{'forgot_ecannot'});
 my $timeout = $gconfig{'passreset_timeout'} || 15;
 $remote_user && &error($text{'forgot_elogin'});
-$ENV{'HTTPS'} eq 'ON' || &error($text{'forgot_essl'});
+$ENV{'HTTPS'} eq 'ON' || $gconfig{'forgot_pass'} == 2 ||
+        &error($text{'forgot_essl'});
 $ENV{'SSL_HOST_CERT'} == 1 ||
 	&error(&text('forgot_esslhost',
- 		     &html_escape($ENV{'SSL_HOST'} || $ENV{'HTTP_HOST'})));
+		     &html_escape($ENV{'HTTP_HOST'} || $ENV{'SSL_HOST'})))
+			if ($ENV{'HTTPS'} eq 'ON');

 # Check that the random ID is valid
 $in{'id'} =~ /^[a-f0-9]+$/i || &error($text{'forgot_eid'});
--- a/forgot_form.cgi
+++ b/forgot_form.cgi
@@ -13,13 +13,16 @@ $trust_unknown_referers = 1;
 &error_setup($text{'forgot_err'});
 $gconfig{'forgot_pass'} || &error($text{'forgot_ecannot'});
 $remote_user && &error($text{'forgot_elogin'});
-$ENV{'HTTPS'} eq 'ON' || &error($text{'forgot_essl'});
+$ENV{'HTTPS'} eq 'ON' || $gconfig{'forgot_pass'} == 2 ||
+        &error($text{'forgot_essl'});
 $ENV{'SSL_HOST_CERT'} == 1 ||
 	&error(&text('forgot_esslhost',
- 		     &html_escape($ENV{'SSL_HOST'} || $ENV{'HTTP_HOST'})));
+ 		     &html_escape($ENV{'HTTP_HOST'} || $ENV{'SSL_HOST'})))
+		     	if ($ENV{'HTTPS'} eq 'ON');

 &ui_print_header(undef, $text{'forgot_title'}, "", undef, undef, 1, 1);
-
+print &ui_alert_box("<b> ⚠ ".$text{'forgot_nossl_warn'}, 'warn')
+        if ($gconfig{'forgot_pass'} == 2 && $ENV{'HTTPS'} ne 'ON');
 print "<center>\n";
 print $text{'forgot_desc'},"<p>\n";
 print &ui_form_start("forgot_send.cgi", "post");
--- a/forgot_send.cgi
+++ b/forgot_send.cgi
@@ -12,10 +12,12 @@ $no_acl_check++;
 &error_setup($text{'forgot_err'});
 $gconfig{'forgot_pass'} || &error($text{'forgot_ecannot'});
 $remote_user && &error($text{'forgot_elogin'});
-$ENV{'HTTPS'} eq 'ON' || &error($text{'forgot_essl'});
+$ENV{'HTTPS'} eq 'ON' || $gconfig{'forgot_pass'} == 2 ||
+        &error($text{'forgot_essl'});
 $ENV{'SSL_HOST_CERT'} == 1 ||
 	&error(&text('forgot_esslhost',
- 		     &html_escape($ENV{'SSL_HOST'} || $ENV{'HTTP_HOST'})));
+ 		     &html_escape($ENV{'HTTP_HOST'} || $ENV{'SSL_HOST'})))
+		     	if ($ENV{'HTTPS'} eq 'ON');

 # Lookup the Webmin user
 &foreign_require("acl");
--- a/lang/en
+++ b/lang/en
@@ -183,8 +183,10 @@ forgot_eunixlock=User user's password is locked!
 forgot_elogin=Forgotten password pages cannot be used when you are already logged in to Webmin!
 forgot_erate=Too many password reset attempts for $1! Please try again later.
 forgot_eremote=Webmin server on this system is not running or is not configured to allow forgotten password recovery.
-forgot_essl=Forgotten password recovery can only be used over an SSL connection
+forgot_essl=Forgotten password recovery can only be used over an SSL connection unless explicitly allowed
+forgot_nossl=Yes, and allow over insecure connection
 forgot_esslhost=Forgotten password recovery cannot be used with invalid SSL hostname $1
+forgot_nossl_warn=Warning: This password reset is being sent over an insecure, not-encrypted connection and is vulnerable to man-in-the-middle (MITM) and header-injection attacks.

 pam_header=Login to Webmin
 pam_mesg=You must respond to the question below to login to Webmin server on $1.
--- a/usermin/edit_session.cgi
+++ b/usermin/edit_session.cgi
@@ -39,7 +39,10 @@ print &ui_table_row("",

 # Enable forgotten password recovery
 print &ui_table_row($text{'session_forgot'},
-	&ui_yesno_radio("forgot", $uconfig{'forgot_pass'}));
+        &ui_radio("forgot", $uconfig{'forgot_pass'},
+			  [ [ 0, $text{'no'}."<br>" ],
+			    [ 1, $text{'yes'}."<br>" ],
+			    [ 2, $text{'forgot_nossl'} ] ]));

 # Log to syslog
 eval "use Sys::Syslog qw(:DEFAULT setlogsock)";
--- a/web-lib-funcs.pl
+++ b/web-lib-funcs.pl
@@ -13261,10 +13261,12 @@ if (!$def && $gconfig{'webmin_email_url'}) {
 	# From a config option
 	$url = $gconfig{'webmin_email_url'};
 	}
-elsif ($ENV{'HTTP_HOST'}) {
+elsif ($ENV{'HTTP_HOST'} || $ENV{'SSL_HOST'}) {
 	# From this HTTP request
-	my $host = $ENV{'HTTP_HOST'};
 	my $port = $ENV{'SERVER_PORT'} || 80;
+	my $host = $ENV{'SSL_HOST'}
+		? "$ENV{'SSL_HOST'}:$port"
+		:  $ENV{'HTTP_HOST'};
 	if ($host =~ s/:(\d+)$//) {
 		$port = $1;        
 		}
--- a/webmin/edit_session.cgi
+++ b/webmin/edit_session.cgi
@@ -42,7 +42,10 @@ print &ui_table_row("",

 # Enable forgotten password recovery
 print &ui_table_row($text{'session_forgot'},
-	&ui_yesno_radio("forgot", $gconfig{'forgot_pass'}));
+	&ui_radio("forgot", $gconfig{'forgot_pass'},
+			  [ [ 0, $text{'no'}."<br>" ],
+			    [ 1, $text{'yes'}."<br>" ],
+			    [ 2, $text{'forgot_nossl'} ] ]));

 # Block bad password requests
 $gconfig{'passreset_failures'} //= 3;