From 6164cd794674d4d74da39f8b535ff588ab006e33 Mon Sep 17 00:00:00 2001
From: David McReynolds
Date: Tue, 10 Aug 2021 10:38:11 -0700
Subject: [PATCH] fix: for issue #584
---
 fuel/modules/fuel/controllers/Login.php | 40 +++++++++++++++----
 .../fuel/language/english/fuel_lang.php | 1 +
 2 files changed, 34 insertions(+), 7 deletions(-)
diff --git a/fuel/modules/fuel/controllers/Login.php b/fuel/modules/fuel/controllers/Login.php
index 852deb266..d3fd65a07 100644
--- a/fuel/modules/fuel/controllers/Login.php
+++ b/fuel/modules/fuel/controllers/Login.php
@@ -1,9 +1,10 @@ load->library('session');
@@ -68,8 +69,14 @@ public function index()
 if ( ! empty($_POST))
 {
+ // XSS key check
+ if (!$this->_is_valid_csrf())
+ {
+ add_error(lang('error_csrf'));
+ }
+
 // check if they are locked out out or not
- if (isset($user_data['failed_login_timer']) AND (time() - $user_data['failed_login_timer']) < (int)$this->fuel->config('seconds_to_unlock'))
+ elseif (isset($user_data['failed_login_timer']) AND (time() - $user_data['failed_login_timer']) < (int)$this->fuel->config('seconds_to_unlock'))
 {
 $this->fuel_users_model->add_error(lang('error_max_attempts', $this->fuel->config('seconds_to_unlock')));
 $user_data['failed_login_timer'] = time();
@@ -134,6 +141,8 @@ public function index()
 $this->form_builder->set_fields($fields);
 $this->form_builder->remove_js();
 if (!empty($_POST)) $this->form_builder->set_field_values($this->input->post(NULL, TRUE));
+ $this->_prep_csrf();
+
 $vars['form'] = $this->form_builder->render();
 // set any errors that
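Review bot: The added comment `// XSS key check` mislabels what the new branch does: `_is_valid_csrf()` is a cross-site request forgery token check, and XSS is an unrelated class of flaw, so the comment should read `// CSRF token check` in each of the four places it was copied (index, pwd_reset, reset_password, dev). The failure branch reports through the global `add_error(lang('error_csrf'))` while the lockout branch directly below it reports through `$this->fuel_users_model->add_error(...)`; unless the form rendering later in index() (outside this hunk) collects both channels, a rejected token would re-render the login form with no message at all. `_is_valid_csrf()` itself is not in this diff, so I can't verify it; it should compare the submitted value against the session-held token with `hash_equals()` and treat a missing or empty token as a failure rather than a match. The enclosing index() body starts and ends outside the hunk.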
@@ -170,7 +179,12 @@ public function pwd_reset()
 if ( ! empty($_POST))
 {
- if (isset($user_data['failed_login_timer']) AND (time() - $user_data['failed_login_timer']) < (int)$this->fuel->config('seconds_to_unlock'))
+ // XSS key check
+ if (!$this->_is_valid_csrf())
+ {
+ add_error(lang('error_csrf'));
+ }
+ elseif (isset($user_data['failed_login_timer']) AND (time() - $user_data['failed_login_timer']) < (int)$this->fuel->config('seconds_to_unlock'))
 {
 $this->fuel_users_model->add_error(lang('error_max_attempts', $this->fuel->config('seconds_to_unlock')));
 $user_data['failed_login_timer'] = time();
@@ -238,6 +252,7 @@ public function pwd_reset()
 $this->form_builder->show_required = FALSE;
 $this->form_builder->set_fields($fields);
+ $this->_prep_csrf();
 $vars['form'] = $this->form_builder->render();
@@ -308,7 +323,12 @@ public function reset_password()
 if ( ! empty($_POST))
 {
- if ($this->input->post('email') && $this->input->post('password') && $this->input->post('password_confirm') && $this->input->post('_token'))
+ // XSS key check
+ if (!$this->_is_valid_csrf())
+ {
+ add_error(lang('error_csrf'));
+ }
+ elseif ($this->input->post('email') && $this->input->post('password') && $this->input->post('password_confirm') && $this->input->post('_token'))
 {
 $this->load->library('user_agent');
@@ -351,6 +371,7 @@ public function reset_password()
 $this->form_builder->show_required = FALSE;
 $this->form_builder->set_fields($fields);
+ $this->_prep_csrf();
 $vars['form'] = $this->form_builder->render();
@@ -368,7 +389,12 @@ public function dev()
 if ( ! empty($_POST))
 {
- if ( ! $this->fuel->config('dev_password'))
+ // XSS key check
+ if (!$this->_is_valid_csrf())
+ {
+ add_error(lang('error_csrf'));
+ }
+ elseif ( ! $this->fuel->config('dev_password'))
 {
 redirect('');
 }
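Review bot: In dev() the `! $this->fuel->config('dev_password')` guard now sits behind the CSRF check, so when no dev password is configured a POST carrying a bad or missing token lands in the error branch and re-renders a dev login form that should not be reachable at all, instead of redirecting away as the old code did. That guard depends only on configuration, not on the request, so it should stay first and the token check should become the `elseif`. Whether the GET path already redirects when `dev_password` is unset isn't visible in this hunk, so this may only matter for hand-crafted POSTs, but the ordering is cheap to keep right. The body of dev() continues past the hunk.

```php
if ( ! empty($_POST))
{
	// configuration guard first: with no dev password there is nothing to log in to
	if ( ! $this->fuel->config('dev_password'))
	{
		redirect('');
	}
	// CSRF token check
	elseif (!$this->_is_valid_csrf())
	{
		add_error(lang('error_csrf'));
	}
	// … unchanged: remainder of the POST handling …
```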
@@ -391,8 +417,8 @@ public function dev()
 $this->form_builder->show_required = FALSE;
 $this->form_builder->submit_value = 'Login';
 $this->form_builder->set_fields($fields);
- if ( ! empty($_POST)) $this->form_builder->set_field_values($this->input->post(NULL, TRUE));
+ $this->_prep_csrf();
 $vars['form'] = $this->form_builder->render();
 $vars['notifications'] = $this->load->module_view(FUEL_FOLDER, '_blocks/notifications', $vars, TRUE);
diff --git a/fuel/modules/fuel/language/english/fuel_lang.php b/fuel/modules/fuel/language/english/fuel_lang.php
index 84548336a..640cc56b0 100644
--- a/fuel/modules/fuel/language/english/fuel_lang.php
+++ b/fuel/modules/fuel/language/english/fuel_lang.php
@@ -23,6 +23,7 @@
 $lang['error_max_attempts'] = 'Sorry, but your login information was incorrect and you are temporarily locked out. Please try again in %s seconds.';
 $lang['error_empty_user_pwd'] = 'Please enter in a user name and password.';
 $lang['error_pwd_reset'] = 'There was an error in resetting your password.';
+$lang['error_csrf'] = 'Invalid submission.';
 $lang['error_pwd_too_short'] = 'Password entered does not meet the %1s character min length requirement.';
 $lang['error_pwd_too_long'] = 'Password entered exceeds the %1s character max length requirement.';
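Review bot: The dev() form no longer re-populates its fields from POST after a failed attempt, and nothing in the hunk or the commit message (`fix: for issue #584`) says this was deliberate, so the next reader will take the dropped `set_field_values(...)` line for an accident. For a password form it is a sensible tightening, since the submitted dev password is no longer written back into the HTML, and that intent deserves a one-line comment next to the new `$this->_prep_csrf();` call, e.g. `// intentionally not re-populating from POST: the dev password must not be echoed back into the form`. If the form carries any non-secret field, confirm it does not rely on re-population. dev()'s body starts before this hunk.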