diff --git a/public/lucidAuth.login.php b/public/lucidAuth.login.php
index f51d157..cf7dccd 100644
--- a/public/lucidAuth.login.php
+++ b/public/lucidAuth.login.php
@@ -20,6 +20,8 @@
 // Save authentication token in cookie
 $httpHost = $_SERVER['HTTP_HOST'];
 $cookieDomain = array_values(array_filter($settings->Session['CookieDomains'], function ($value) use ($httpHost) {
+ // Check if $_SERVER['HTTP_HOST'] matches any of the configured domains (either explicitly or as a subdomain)
+ // This might seem backwards, but relying on $_SERVER directly allows spoofed values with potential security risks
 return (strlen($value) > strlen($httpHost)) ? false : (0 === substr_compare($httpHost, $value, -strlen($value)));
 }))[0];
 setcookie('JWT', $result['token'], (time() + $settings->Session['Duration']), '/', '.' . $cookieDomain);
diff --git a/public/lucidAuth.validateRequest.php b/public/lucidAuth.validateRequest.php
index 41ac22e..ee300df 100644
--- a/public/lucidAuth.validateRequest.php
+++ b/public/lucidAuth.validateRequest.php
@@ -20,7 +20,7 @@
 file_put_contents('../requestHeaders.log', (new DateTime())->format('Y-m-d\TH:i:s.u') . ' --- ' . (json_encode($proxyHeaders, JSON_FORCE_OBJECT)) . PHP_EOL, FILE_APPEND);
 }
- if (sizeof($proxyHeaders) == 0) {
+ if (sizeof($proxyHeaders) === 0) {
 // Non-proxied request; this is senseless, go fetch!
 header("HTTP/1.1 403 Forbidden");
 exit;
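Review bot: The new comment promises an "explicitly or as a subdomain" match, but the `substr_compare` suffix test in the closure has no label boundary, so a configured `example.com` also accepts a Host of `notexample.com`; the return line should be `return $httpHost === $value || (strlen($httpHost) > strlen($value) + 1 && substr($httpHost, -strlen($value) - 1) === '.' . $value);`. The comparison is also case-sensitive and `$_SERVER['HTTP_HOST']` may carry a `:port` suffix, so the assignment above should normalise first, e.g. `$httpHost = strtolower(explode(':', $_SERVER['HTTP_HOST'], 2)[0]);`. When nothing in the allowlist matches, `[0]` on the empty filtered array yields null and `setcookie` is still called with a domain of `.`; a host that matches no configured domain should be rejected explicitly (a 400 and exit) rather than silently setting an unusable cookie. As the cookie carries the JWT, the `setcookie` call in the context line would also benefit from the `httponly`, `secure` and `samesite` options, which the hunk does not set.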