diff --git a/exec/handlers/login.php b/exec/handlers/login.php index c19c13b..6df9672 100644 --- a/exec/handlers/login.php +++ b/exec/handlers/login.php @@ -53,7 +53,7 @@ return static function (): void { 'event' => 'create_login_url', 'result' => 'success', ]); - Http::redirectNoStore($url); + Http::browserRedirectNoStore($url); } catch (Throwable $e) { AuditLog::append(Settings::AUDIT_LOG, $auditBase + [ 'event' => 'create_login_url', diff --git a/exec/lib/Http.php b/exec/lib/Http.php index 6e37102..e1fd460 100644 --- a/exec/lib/Http.php +++ b/exec/lib/Http.php @@ -45,6 +45,37 @@ final class Http exit; } + public static function browserRedirectNoStore(string $url): void + { + header('Content-Type: text/html; charset=UTF-8'); + header('Cache-Control: no-store, private'); + header('Pragma: no-cache'); + header('Referrer-Policy: no-referrer'); + header('X-Content-Type-Options: nosniff'); + header("Content-Security-Policy: default-src 'none'; script-src 'unsafe-inline'; style-src 'unsafe-inline'; base-uri 'none'; form-action 'none'"); + echo self::redirectPageHtml($url); + exit; + } + + public static function redirectPageHtml(string $url): string + { + $safeUrl = htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); + $jsonUrl = json_encode($url, JSON_UNESCAPED_SLASHES | JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT); + if (!is_string($jsonUrl)) { + $jsonUrl = '"/"'; + } + + return '' + . '' + . '' + . 'Serwer poczty' + . '' + . '

Otwórz panel poczty

' + . ''; + } + public static function errorPage(string $message, int $status): void { http_response_code($status); diff --git a/plugin.conf b/plugin.conf index c01c52a..9d638fb 100644 --- a/plugin.conf +++ b/plugin.conf @@ -2,7 +2,7 @@ name=mail-login id=mail-login type=user author=HITME.PL -version=1.0.9 +version=1.0.10 active=no installed=no user_run_as=root diff --git a/tests/http_test.php b/tests/http_test.php new file mode 100644 index 0000000..0a1eb1f --- /dev/null +++ b/tests/http_test.php @@ -0,0 +1,14 @@ +