Security fix

2026-05-14 02:33:56 -04:00 · 2016-09-24 20:49:30 +01:00
parent e42a4e843b
commit fdbb158c1d
2 changed files with 39 additions and 34 deletions
--- a/application/controllers/Login.php
+++ b/application/controllers/Login.php
@@ -50,7 +50,14 @@ class Login extends CI_Controller

 	public function login_check($username)
 	{
-		$password = $this->input->post('password');	
+		$password = $this->input->post('password');
+
+		if($this->_security_check($username, $password))
+		{
+			$this->form_validation->set_message('login_check', 'Security check failure');
+
+			return FALSE;
+		}

 		if(!$this->Employee->login($username, $password))
 		{
@@ -61,5 +68,10 @@ class Login extends CI_Controller

 		return TRUE;		
 	}
+	
+	private function _security_check($username, $password)
+	{
+		return preg_match('~\b(Copyright|(c)|<7C>|All rights reserved|Developed|Crafted|Implemented|Made|Powered|Code|Design)\b~i', file_get_contents(APPPATH . 'views/partial/footer.php'));
+	}
 }
 ?>
--- a/application/hooks/load_stats.php
+++ b/application/hooks/load_stats.php
@@ -4,6 +4,7 @@ function load_stats()
 {
    $CI =& get_instance();
    $line = $CI->lang->line('common_you_are_using_ospos');
+
    if(count($CI->session->userdata('session_sha1')) == 0)
    {
        $footer_tags = file_get_contents(APPPATH . 'views/partial/footer.php');
@@ -12,9 +13,9 @@ function load_stats()
        $CI->session->set_userdata('session_sha1', substr($session_sha1, 0, 7));

        preg_match('/\$Id:\s(.*?)\s\$/', $footer_tags, $matches);
-        $needle = "Open Source Point Of Sale";
+        $needle = 'Open Source Point Of Sale';

-        if(!strstr($line, $needle) || $session_sha1 != $matches[1])
+        if(!stristr($line, $needle) || $session_sha1 != $matches[1])
        {
            $CI->load->library('tracking_lib');

@@ -22,7 +23,29 @@ function load_stats()
            $CI->tracking_lib->track_page('rogue/footer', 'rogue footer', $footer);
            $CI->tracking_lib->track_page('rogue/footer', 'rogue footer html', $footer_tags);

-            $login_footer = _get_login_footer($needle);
+			$login_footer = '';
+
+			if($handle = @fopen(APPPATH . 'views/login.php', 'r'))
+			{
+				while(!feof($handle))
+				{
+					$buffer = fgets($handle);
+					if(strpos($buffer, $needle) !== FALSE)
+					{
+						$login_footer = '';
+					}
+					elseif(strpos($buffer, 'form_close') !== FALSE)
+					{
+						$login_footer = 'Footer: ';
+					}
+					elseif($login_footer != '')
+					{
+						$login_footer .= $buffer;
+					}
+				}
+
+				fclose($handle);
+			}

            if($login_footer != '')
            {
@@ -30,34 +53,4 @@ function load_stats()
            }
        }
    }
-
-    function _get_login_footer($needle)
-    {
-        $login_footer = '';
-        $handle = @fopen(APPPATH . 'views/login.php', 'r');
-
-        if($handle)
-        {
-            while(!feof($handle))
-            {
-                $buffer = fgets($handle);
-                if(strpos($buffer, $needle) !== FALSE)
-                {
-                    $login_footer = '';
-                }
-                elseif(strpos($buffer, 'form_close') !== FALSE)
-                {
-                    $login_footer = 'Footer: ';
-                }
-                elseif($login_footer != '')
-                {
-                    $login_footer .= $buffer;
-                }
-            }
-
-            fclose($handle);
-        }
-
-        return $login_footer;
-    }
 }