bug fix: elimite login via url parameters

2026-01-18 13:32:05 +01:00 · 2024-01-22 22:28:29 +05:00
parent 345f37bd83
commit a16884bdfd
4 changed files with 155 additions and 46 deletions
--- a/databases/static/databases/databases.js
+++ b/databases/static/databases/databases.js
@@ -589,8 +589,34 @@ app.controller('phpMyAdmin', function ($scope, $http, $window) {
        function ListInitialDatas(response) {
            $scope.cyberPanelLoading = true;
            if (response.data.status === 1) {
-                var rUrl = '/phpmyadmin/phpmyadminsignin.php?username=' + response.data.username + '&token=' + response.data.token;
-                $window.location.href = rUrl;
+                //var rUrl = '/phpmyadmin/phpmyadminsignin.php?username=' + response.data.username + '&token=' + response.data.token;
+                //$window.location.href = rUrl;
+
+                var form = document.createElement('form');
+                form.method = 'post';
+                form.action = '/phpmyadmin/phpmyadminsignin.php';
+
+// Create input elements for username and token
+                var usernameInput = document.createElement('input');
+                usernameInput.type = 'hidden';
+                usernameInput.name = 'username';
+                usernameInput.value = response.data.username;
+
+                var tokenInput = document.createElement('input');
+                tokenInput.type = 'hidden';
+                tokenInput.name = 'token';
+                tokenInput.value = response.data.token;
+
+// Append input elements to the form
+                form.appendChild(usernameInput);
+                form.appendChild(tokenInput);
+
+// Append the form to the body
+                document.body.appendChild(form);
+
+// Submit the form
+                form.submit();
+
            } else {
            }

--- a/databases/templates/databases/AutoLogin.html
+++ b/databases/templates/databases/AutoLogin.html
@@ -0,0 +1,44 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="UTF-8">
+    <title>Auto login for {{ url }}</title>
+    <script src="https://ajax.googleapis.com/ajax/libs/jquery/3.5.1/jquery.min.js"></script>
+</head>
+<body>
+<span style="display: none" id="userName">{{ userName }}</span>
+<span style="display: none" id="password">{{ password }}</span>
+<form style="display: none" name="loginform" id="loginform" action="/phpmyadmin/phpmyadminsignin.php" method="post">
+    {% csrf_token %}
+    <p>
+        <label for="user_login">Username or Email Address</label>
+        <input type="text" name="username" id="user_login" class="input" value="" size="20" autocapitalize="off"/>
+    </p>
+
+    <div class="user-pass-wrap">
+        <label for="user_pass">Password</label>
+        <div class="wp-pwd">
+            <input type="password" name="password" id="user_pass" class="input password-input" value="" size="20"/>
+            <button type="button" class="button button-secondary wp-hide-pw hide-if-no-js" data-toggle="0"
+                    aria-label="Show password">
+                <span class="dashicons dashicons-visibility" aria-hidden="true"></span>
+            </button>
+        </div>
+
+    </div>
+    <p class="forgetmenot"><input name="rememberme" type="checkbox" id="rememberme" value="forever"/> <label
+            for="rememberme">Remember Me</label></p>
+    <p class="submit">
+        <input type="submit" name="wp-submit" id="wp-submit" class="button button-primary button-large"
+               value="Log In"/>
+        <input type="hidden" name="redirect_to" value="{{ url }}/wp-admin"/>
+{#        <input type="hidden" name="testcookie" value="1"/>#}
+    </p>
+</form>
+<script>
+    document.getElementById("user_login").value = $("#userName").text();
+    document.getElementById("user_pass").value = $("#password").text();
+    document.forms["loginform"].submit();
+</script>
+</body>
+</html>
--- a/databases/views.py
+++ b/databases/views.py
@@ -2,6 +2,7 @@


 from django.shortcuts import redirect, HttpResponse
+from django.views.decorators.csrf import csrf_exempt

 from cloudAPI.cloudManager import CloudManager
 from loginSystem.views import loadLoginPage
@@ -251,7 +252,7 @@ def generateAccess(request):
        json_data = json.dumps(data_ret)
        return HttpResponse(json_data)

-
+@csrf_exempt
 def fetchDetailsPHPMYAdmin(request):
    try:

@@ -259,8 +260,15 @@ def fetchDetailsPHPMYAdmin(request):
        admin = Administrator.objects.get(id=userID)
        currentACL = ACLManager.loadedACL(userID)

-        token = request.GET.get('token')
-        username = request.GET.get('username')
+
+
+        token = request.POST.get('token')
+        username = request.POST.get('username')
+
+        from plogical.httpProc import httpProc
+        proc = httpProc(request, None,
+                        )
+        #return proc.ajax(0, str(request.POST.get('token')))

        if username != admin.userName:
            return redirect(loadLoginPage)
@@ -280,20 +288,37 @@ def fetchDetailsPHPMYAdmin(request):
                    mysqluser = jsonData['mysqluser']
                    password = jsonData['mysqlpassword']

-                    returnURL = '/phpmyadmin/phpmyadminsignin.php?username=%s&password=%s' % (
-                        mysqluser, password)
-                    return redirect(returnURL)
+                    # returnURL = '/phpmyadmin/phpmyadminsignin.php?username=%s&password=%s' % (
+                    #     mysqluser, password)
+                    # return redirect(returnURL)
+                    data = {}
+                    data['userName'] = mysqluser
+                    data['password'] = password

-                except BaseException:
+
+                    proc = httpProc(request, 'databases/AutoLogin.html',
+                                    data, 'admin')
+                    return proc.render()
+
+                except BaseException as msg:

                    f = open(passFile)
                    data = f.read()
                    password = data.split('\n', 1)[0]
                    password = password.strip('\n').strip('\r')

-                    returnURL = '/phpmyadmin/phpmyadminsignin.php?username=%s&password=%s' % (
-                        'root', password)
-                    return redirect(returnURL)
+                    data = {}
+                    data['userName'] = 'root'
+                    data['password'] = password
+                    # return redirect(returnURL)
+
+                    proc = httpProc(request, 'databases/AutoLogin.html',
+                                    data, 'admin')
+                    return proc.render()
+
+                    # returnURL = '/phpmyadmin/phpmyadminsignin.php?username=%s&password=%s' % (
+                    #     'root', password)
+                    # return redirect(returnURL)

            keySavePath = '/home/cyberpanel/phpmyadmin_%s' % (admin.userName)
            key = ProcessUtilities.outputExecutioner('cat %s' % (keySavePath)).strip('\n').encode()
@@ -306,8 +331,17 @@ def fetchDetailsPHPMYAdmin(request):
                for db in site.databases_set.all():
                    mysqlUtilities.addUserToDB(db.dbName, admin.userName, password.decode(), 0)

-            returnURL = '/phpmyadmin/phpmyadminsignin.php?username=%s&password=%s' % (admin.userName, password.decode())
-            return redirect(returnURL)
+            data = {}
+            data['userName'] = admin.userName
+            data['password'] = password.decode()
+            # return redirect(returnURL)
+
+            proc = httpProc(request, 'databases/AutoLogin.html',
+                            data, 'admin')
+            return proc.render()
+
+            # returnURL = '/phpmyadmin/phpmyadminsignin.php?username=%s&password=%s' % (admin.userName, password.decode())
+            # return redirect(returnURL)
        else:
            return redirect(loadLoginPage)