Don't leak passwords deep linking to a graph and logging in on Apache httpd (#8761)

* Don't leak passwords when users update urls to include all variables after login * Less aggressive
2024-10-07 16:52:45 +00:00 · 2018-05-24 11:29:12 -05:00
parent 8038b6fe7a
commit 9b78424b0c
2 changed files with 4 additions and 1 deletions
--- a/html/includes/vars.inc.php
+++ b/html/includes/vars.inc.php
@@ -40,3 +40,6 @@ foreach ($_GET as $name => $value) {
 foreach ($_POST as $name => $value) {
    $vars[$name] = ($value);
 }
+
+// don't leak login data
+unset($vars['username'], $vars['password']);
--- a/html/pages/adduser.inc.php
+++ b/html/pages/adduser.inc.php
@@ -26,7 +26,7 @@ if (!Auth::user()->hasGlobalAdmin()) {

                    // FIXME: missing email field here on the form
                    if (Auth::get()->addUser($_POST['new_username'], $_POST['new_password'], $_POST['new_level'], $_POST['new_email'], $_POST['new_realname'], $_POST['can_modify_passwd'])) {
-                        echo '<span class=info>User '.$_POST['username'].' added!</span>';
+                        echo '<span class=info>User '.$_POST['new_username'].' added!</span>';
                    }
                } else {
                    echo '<div class="red">User with this name already exists!</div>';