Adress security issues

OpenHypervideo · OpenHypervideo · commit cf9da6f96491 · 2026-02-21T09:46:45.000+01:00
diff --git a/src/_server/ajaxServer.php b/src/_server/ajaxServer.php
@@ -318,12 +318,40 @@
 			if (!$c["pass"]) { $allPass = false; break; }
 		}
 
-		$return["status"]      = $allPass ? "success" : "fail";
-		$return["checks"]      = $checks;
+		$_SESSION["setup_csrf"] = bin2hex(random_bytes(16));
+		$return["status"]       = $allPass ? "success" : "fail";
+		$return["checks"]       = $checks;
 		$return["alreadySetup"] = false;
+		$return["csrf"]         = $_SESSION["setup_csrf"];
 		break;
 
 	case "setupInit":
+		// Guard: reject if setup has already been completed
+		$alreadySetup = file_exists($conf["dir"]["data"]."/users.json")
+		             && file_exists($conf["dir"]["data"]."/config.json")
+		             && file_exists($conf["dir"]["data"]."/tagdefinitions.json");
+		if ($alreadySetup) {
+			$return["status"] = "fail";
+			$return["code"]   = 0;
+			$return["string"] = "Already installed";
+			break;
+		}
+		// CSRF validation — token was issued by setupCheckDetailed and stored in session
+		if (empty($_SESSION["setup_csrf"]) || $_REQUEST["csrf"] !== $_SESSION["setup_csrf"]) {
+			$return["status"] = "fail";
+			$return["code"]   = 0;
+			$return["string"] = "Invalid request";
+			break;
+		}
+		unset($_SESSION["setup_csrf"]); // one-time token — consume immediately
+		// Input length limits
+		if (strlen(isset($_REQUEST["passwd"]) ? $_REQUEST["passwd"] : '') > 1024
+		    || strlen(isset($_REQUEST["name"]) ? $_REQUEST["name"] : '') > 200) {
+			$return["status"] = "fail";
+			$return["code"]   = 2;
+			$return["string"] = "Input too long";
+			break;
+		}
 		$errorCnt = 0;
 		if (!file_exists($conf["dir"]["data"]) && !is_dir($conf["dir"]["data"])) {
 			if (!mkdir($conf["dir"]["data"])) {
@@ -372,6 +400,8 @@
 					$val = $_REQUEST[$key];
 					if ($val === "true")  $val = true;
 					if ($val === "false") $val = false;
+					// Sanitize theme: allow only safe identifier characters
+					if ($key === "theme") { $val = preg_replace('/[^a-z0-9_-]/', '', strtolower((string)$val)); }
 					$tmpConf[$key] = $val;
 				}
 			}
diff --git a/src/_server/config.php b/src/_server/config.php
@@ -1,6 +1,15 @@
 <?php
 error_reporting(E_ALL ^ E_NOTICE ^ E_WARNING);
 
+$_isHttps = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off')
+         || (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https');
+session_set_cookie_params([
+    'lifetime' => 0,
+    'path'     => '/',
+    'httponly' => true,
+    'samesite' => 'Lax',
+    'secure'   => $_isHttps,
+]);
 session_start();
 
 //DIR
diff --git a/src/_server/user.php b/src/_server/user.php
@@ -9,7 +9,15 @@
 function userGet($userID) {
 	global $conf;
 
-	$json = file_get_contents($conf["dir"]["data"]."/users.json");
+	$userFile = $conf["dir"]["data"]."/users.json";
+	if (!file_exists($userFile)) {
+		$return["status"] = "fail";
+		$return["code"] = 4;
+		$return["string"] = "Could not find user database";
+		return $return;
+	}
+
+	$json = file_get_contents($userFile);
 
 	$uDB = json_decode($json,true);
 	//if ($_SESSION["ohv"]["projects"][$projectID]["user"]["role"] != "admin") {
@@ -81,7 +89,7 @@ function userRegister($name, $mail, $passwd) {
 	$user["user"][$user["user-increment"]]["name"] = $name;
 	$user["user"][$user["user-increment"]]["mail"] = strtolower($mail);
 	$user["user"][$user["user-increment"]]["registrationDate"] =  time();
-	$user["user"][$user["user-increment"]]["passwd"] = hash("sha256",$passwd.$user["user"][$user["user-increment"]]["registrationDate"]);
+	$user["user"][$user["user-increment"]]["passwd"] = password_hash($passwd, PASSWORD_DEFAULT);
 	$user["user"][$user["user-increment"]]["role"] = (($tmpFirstUser) ? "admin" : $configDB["defaultUserRole"]);
     $user["user"][$user["user-increment"]]["active"] = (($tmpFirstUser) ? 1 : (($configDB["userNeedsConfirmation"]) ? 0 : 1));
 	$user["user"][$user["user-increment"]]["lastLogin"] = "";
@@ -155,7 +163,7 @@ function userLogin($mail, $passwd) {
 		$file->close();
 		return $return;
 	}
-	if ($user["passwd"] != hash("sha256",$passwd.$user["registrationDate"])) {
+	if (!password_verify($passwd, $user["passwd"])) {
 		$return["status"] = "fail";
 		$return["code"] = 3;
 		$return["string"] = "Wrong password!";
@@ -328,7 +336,7 @@ function userChange($userID,$mail,$name,$passwd,$color,$role,$active) {
 				$userdb["user"][$userID]["mail"] = $mail;
 				$userdb["user"][$userID]["color"] = $color;
 				$userdb["user"][$userID]["active"] = ((($active==="1" || $active==="0") && (($_SESSION["ohv"]["user"]["role"] == "admin"))) ? $active*1 : $userdb["user"][$userID]["active"]*1);
-				$userdb["user"][$userID]["passwd"] = ($passwd) ? hash("sha256",$passwd.$userdb["user"][$userID]["registrationDate"]) : $userdb["user"][$userID]["passwd"];
+				$userdb["user"][$userID]["passwd"] = ($passwd) ? password_hash($passwd, PASSWORD_DEFAULT) : $userdb["user"][$userID]["passwd"];
 				$file->write(json_encode($userdb, JSON_UNESCAPED_UNICODE | JSON_UNESCAPED_SLASHES | JSON_PRETTY_PRINT));				
 				$return["status"] = "success";
 				$return["string"] = "userdata updated";
diff --git a/src/_shared/modules/UserManagement/module.js b/src/_shared/modules/UserManagement/module.js
@@ -221,7 +221,7 @@ FrameTrail.defineModule('UserManagement', function(FrameTrail){
             data: 		"a=userGet",
 			success: function(data) {
 
-				if (!data.response) {
+				if (!data || !data.response) {
 					console.error(labels['ErrorNoUserFile']);
 					return;
 				}
diff --git a/src/setup.html b/src/setup.html
@@ -663,6 +663,7 @@ <h2 style="text-align:center">You&#8217;re all set!</h2>
 
     var currentStep = 1;
     var preflightOk = false;
+    var csrfToken   = '';
 
     var btnBack   = document.getElementById('btn-back');
     var btnNext   = document.getElementById('btn-next');
@@ -828,6 +829,7 @@ <h2 style="text-align:center">You&#8217;re all set!</h2>
                 setCheckState(key, c.pass ? 'pass' : 'fail', c.detail);
                 if (!c.pass) allPass = false;
             });
+            csrfToken   = data.csrf || '';
             preflightOk = allPass;
             btnNext.disabled = !allPass;
             if (!allPass) document.getElementById('recheck-btn').style.display = '';
@@ -937,6 +939,7 @@ <h2 style="text-align:center">You&#8217;re all set!</h2>
 
         var params = new URLSearchParams();
         params.set('a',      'setupInit');
+        params.set('csrf',   csrfToken);
         params.set('mail',   document.getElementById('field-email').value.trim());
         params.set('name',   document.getElementById('field-name').value.trim());
         params.set('passwd', document.getElementById('field-password').value);

Original file line number	Diff line number	Diff line change
`@@ -221,7 +221,7 @@ FrameTrail.defineModule('UserManagement', function(FrameTrail){`
`221`	`221`	`data: "a=userGet",`
`222`	`222`	`success: function(data) {`
`223`	`223`
`224`		`- if (!data.response) {`
	`224`	`+ if (!data \|\| !data.response) {`
`225`	`225`	`console.error(labels['ErrorNoUserFile']);`
`226`	`226`	`return;`
`227`	`227`	`}`