From b8368980162392bf9f97496ecec18abe2bd34fad Mon Sep 17 00:00:00 2001
From: Derky <derky@phpbb.com>
Date: Fri, 26 Apr 2019 12:08:37 +0200
Subject: [PATCH] [ticket/security/228] Add form token to login box

SECURITY-228
---
 phpBB/includes/functions.php                  | 19 +++++++++++++++++--
 phpBB/index.php                               |  3 +++
 .../styles/prosilver/template/index_body.html |  1 +
 .../styles/prosilver/template/login_body.html |  1 +
 4 files changed, 22 insertions(+), 2 deletions(-)

diff --git a/phpBB/includes/functions.php b/phpBB/includes/functions.php
index e2ea7ad232..6df2ebaba7 100644
--- a/phpBB/includes/functions.php
+++ b/phpBB/includes/functions.php
@@ -2268,6 +2268,7 @@ function login_box($redirect = '', $l_explain = '', $l_success = '', $admin = fa
 	global $request, $phpbb_container, $phpbb_dispatcher, $phpbb_log;
 
 	$err = '';
+	$form_name = 'login';
 
 	// Make sure user->setup() has been called
 	if (!$user->is_setup())
@@ -2343,8 +2344,19 @@ function login_box($redirect = '', $l_explain = '', $l_success = '', $admin = fa
 			trigger_error('NO_AUTH_ADMIN_USER_DIFFER');
 		}
 
-		// If authentication is successful we redirect user to previous page
-		$result = $auth->login($username, $password, $autologin, $viewonline, $admin);
+		// Check form key
+		if ($password && !check_form_key($form_name))
+		{
+			$result = array(
+				'status' => false,
+				'error_msg' => 'FORM_INVALID',
+			);
+		}
+		else
+		{
+			// If authentication is successful we redirect user to previous page
+			$result = $auth->login($username, $password, $autologin, $viewonline, $admin);
+		}
 
 		// If admin authentication and login, we will log if it was a success or not...
 		// We also break the operation on the first non-success login - it could be argued that the user already knows
@@ -2495,6 +2507,9 @@ function login_box($redirect = '', $l_explain = '', $l_success = '', $admin = fa
 		));
 	}
 
+	// Add form token for login box
+	add_form_key($form_name, '_LOGIN');
+
 	$s_hidden_fields = build_hidden_fields($s_hidden_fields);
 
 	$login_box_template_data = array(
diff --git a/phpBB/index.php b/phpBB/index.php
index 13b914abd3..5eee7723a9 100644
--- a/phpBB/index.php
+++ b/phpBB/index.php
@@ -211,6 +211,9 @@ if ($show_birthdays)
 	$template->assign_block_vars_array('birthdays', $birthdays);
 }
 
+// Add form token for login box
+add_form_key('login', '_LOGIN');
+
 // Assign index specific vars
 $template->assign_vars(array(
 	'TOTAL_POSTS'	=> $user->lang('TOTAL_POSTS_COUNT', (int) $config['num_posts']),
diff --git a/phpBB/styles/prosilver/template/index_body.html b/phpBB/styles/prosilver/template/index_body.html
index b292c40eb2..239a91c580 100644
--- a/phpBB/styles/prosilver/template/index_body.html
+++ b/phpBB/styles/prosilver/template/index_body.html
@@ -29,6 +29,7 @@
 			<!-- ENDIF -->
 			<input type="submit" tabindex="5" name="login" value="{L_LOGIN}" class="button2" />
 			{S_LOGIN_REDIRECT}
+			{S_FORM_TOKEN_LOGIN}
 		</fieldset>
 	</form>
 <!-- ENDIF -->
diff --git a/phpBB/styles/prosilver/template/login_body.html b/phpBB/styles/prosilver/template/login_body.html
index ef08035717..dc597af51d 100644
--- a/phpBB/styles/prosilver/template/login_body.html
+++ b/phpBB/styles/prosilver/template/login_body.html
@@ -33,6 +33,7 @@
 		<!-- ENDIF -->
 
 		{S_LOGIN_REDIRECT}
+		{S_FORM_TOKEN_LOGIN}
 		<dl>
 			<dt>&nbsp;</dt>
 			<dd>{S_HIDDEN_FIELDS}<input type="submit" name="login" tabindex="6" value="{L_LOGIN}" class="button1" /></dd>