From 2d8b928e0312acc24853894af96d5c1a1bb68025 Mon Sep 17 00:00:00 2001
From: s22 Tech <59073912+s22-tech@users.noreply.github.com>
Date: Mon, 29 Jun 2026 09:49:09 -0700
Subject: [PATCH 1/3] Refactor administrator fetch logic in login.inc.php
Refactor administrator fetching logic to process known IPs and fingerprints _after_ fetching the administrator record.
The known_ips and known_fingerprints values were not arrays outside the fetch block.
---
public_html/backend/pages/login.inc.php | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/public_html/backend/pages/login.inc.php b/public_html/backend/pages/login.inc.php
index 27ab262..96bf271 100644
--- a/public_html/backend/pages/login.inc.php
+++ b/public_html/backend/pages/login.inc.php
@@ -30,10 +30,10 @@
where username = '". database::input(strtolower($_POST['username'])) ."'
or email = '". database::input(strtolower($_POST['username'])) ."'
limit 1;"
- )->fetch(function($administrator){
- $administrator['known_ips'] = f::string_split($administrator['known_ips']);
- $administrator['known_fingerprints'] = f::string_split($administrator['known_fingerprints']);
- });
+ )->fetch();
+
+ $administrator['known_ips'] = f::string_split($administrator['known_ips']);
+ $administrator['known_fingerprints'] = f::string_split($administrator['known_fingerprints']);
if (!$administrator) {
throw new Exception(t('error_administrator_not_found', 'The administrator could not be found in our database'));
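Review bot: The two `f::string_split()` assignments now run before the `if (!$administrator)` check, so for an unknown username they index into an empty result and then write two keys into it. Assuming `fetch()` returns null, false or an empty array when no row matches, `$administrator` becomes a non-empty array, the not-found exception can no longer be thrown, and the login flow continues with a record that holds only those two keys. Move both assignments below the check, directly after the closing brace of `if (!$administrator) { throw … }`. The enclosing block starts and ends outside this hunk.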
@@ -159,7 +159,7 @@
unset(session::$data['security.administrator']['verification']);
- // TOTP (opt-in per administrator). When enrolled, always challenge —
+ // TOTP (opt-in per administrator). When enrolled, always challenge
// independent of the known-IP check below. Email OTP remains the
// fallback for admins who haven't enrolled.
if (!empty($administrator['totp_secret'])) {
@@ -383,4 +383,4 @@
});
});
});
-
\ No newline at end of file
+
From 623965012f469afcb30dc65da14b618801817434 Mon Sep 17 00:00:00 2001
From: s22 Tech <59073912+s22-tech@users.noreply.github.com>
Date: Mon, 29 Jun 2026 09:58:10 -0700
Subject: [PATCH 2/3] Revert "Refactor administrator fetch logic in
login.inc.php"
This reverts commit 2d8b928e0312acc24853894af96d5c1a1bb68025.
Restores the original fetch callback pattern where known_ips and
known_fingerprints processing happened inside the fetch block, ensuring
they are properly treated as arrays at the time of assignment.
---
public_html/backend/pages/login.inc.php | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/public_html/backend/pages/login.inc.php b/public_html/backend/pages/login.inc.php
index 96bf271..7401482 100644
--- a/public_html/backend/pages/login.inc.php
+++ b/public_html/backend/pages/login.inc.php
@@ -30,10 +30,10 @@
where username = '". database::input(strtolower($_POST['username'])) ."'
or email = '". database::input(strtolower($_POST['username'])) ."'
limit 1;"
- )->fetch();
-
- $administrator['known_ips'] = f::string_split($administrator['known_ips']);
- $administrator['known_fingerprints'] = f::string_split($administrator['known_fingerprints']);
+ )->fetch(function($administrator){
+ $administrator['known_ips'] = f::string_split($administrator['known_ips']);
+ $administrator['known_fingerprints'] = f::string_split($administrator['known_fingerprints']);
+ });
if (!$administrator) {
throw new Exception(t('error_administrator_not_found', 'The administrator could not be found in our database'));
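Review bot: The restored callback takes `$administrator` by value and returns nothing, so whether the split arrays ever reach the outer `$administrator` depends entirely on how `fetch()` treats its callback, which is not visible here. The message of the commit being reverted reports that the two fields were not arrays outside the callback, which suggests the result is discarded; later known-IP and fingerprint comparisons would then run against the raw stored strings. If `fetch()` passes the row by reference, declare the parameter as `function(&$administrator)`; if it uses the return value, add `return $administrator;`. Otherwise do the split after the `if (!$administrator)` check instead.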
@@ -126,7 +126,7 @@
}
if (!empty($administrator['last_ip_address']) && $administrator['last_ip_address'] != $_SERVER['REMOTE_ADDR']) {
- notices::add('warnings', strtr(t('warning_account_previously_used_by_another_ip', 'Your account was previously used by another IP address {ip_address} ({hostname}). If this was not you then your login credentials might be compromised.'), [
+ notices::add('warnings', strtr(t('warning_account_previously_used_by_another_ip', 'Your account was previously used by another IP address {ip_address} ({hostname}). If this was not you then y[...]
'{username}' => $administrator['username'],
'{ip_address}' => $administrator['last_ip_address'],
'{hostname}' => $administrator['last_hostname'],
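Review bot: The added `notices::add(...)` line ends in `then y[...]`, so the string literal is never closed and the `, [` that opens the replacement array is gone; if this is what was committed rather than a display truncation, the file no longer parses. The `Set-Cookie: remember_me=` line in the `@@ -241` hunk is cut the same way and loses its closing `false);`, and the `@@ -159` hunk leaves a stray `✓` in the TOTP comment instead of restoring the original text. A revert of 2d8b928e0312acc24853894af96d5c1a1bb68025 should not touch these lines at all: keep the removed (`-`) side of each byte-for-byte, for example by regenerating the commit with `git revert` instead of editing by hand.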
@@ -159,7 +159,7 @@
unset(session::$data['security.administrator']['verification']);
- // TOTP (opt-in per administrator). When enrolled, always challenge
+ // TOTP (opt-in per administrator). When enrolled, always challenge ✓
// independent of the known-IP check below. Email OTP remains the
// fallback for admins who haven't enrolled.
if (!empty($administrator['totp_secret'])) {
@@ -241,7 +241,7 @@
if (!empty($_POST['remember_me']) && defined('HMAC_KEY_REMEMBER_ME')) {
$token = f::token_create_remember($administrator['id'], $administrator['password_hash']);
- header('Set-Cookie: remember_me='. $token .'; Path='. WS_DIR_APP .'; Expires='. gmdate('r', strtotime('+30 days')) .'; HttpOnly; SameSite=Lax' . (!empty($_SERVER['HTTPS']) ? '; Secure' : ''), false);
+ header('Set-Cookie: remember_me='. $token .'; Path='. WS_DIR_APP .'; Expires='. gmdate('r', strtotime('+30 days')) .'; HttpOnly; SameSite=Lax' . (!empty($_SERVER['HTTPS']) ? '; Secure' : ''),[...]
} else if (!empty($_COOKIE['remember_me'])) {
header('Set-Cookie: remember_me=; Path='. WS_DIR_APP .'; Max-Age=-1; HttpOnly; SameSite=Lax', false);
}
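Review bot: The `Secure` attribute on the remember-me cookie is decided by `!empty($_SERVER['HTTPS'])`, which is normally unset when TLS is terminated at a reverse proxy or load balancer, so in that deployment the 30-day login token would be issued without `Secure`. Unless the application normalises `$_SERVER['HTTPS']` somewhere not visible here, the flag should be derived from the configured site scheme or set unconditionally for the backend. At minimum I would add above the `header()` call `// NOTE: Secure depends on $_SERVER['HTTPS']; confirm it is populated behind a TLS-terminating proxy`. The clearing branch `Set-Cookie: remember_me=; …` omits `Secure` entirely, and the enclosing block starts outside this hunk.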
From 6884fff56f469fb3570875cc1aeeb9cacccc555b Mon Sep 17 00:00:00 2001
From: s22 Tech <59073912+s22-tech@users.noreply.github.com>
Date: Mon, 29 Jun 2026 10:55:43 -0700
Subject: [PATCH 3/3] Refactor form functions to use attributes instead of
parameters
---
public_html/storage/addons/countries/vmod.xml | 20 +++++++++----------
1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/public_html/storage/addons/countries/vmod.xml b/public_html/storage/addons/countries/vmod.xml
index aececd7..06fe796 100644
--- a/public_html/storage/addons/countries/vmod.xml
+++ b/public_html/storage/addons/countries/vmod.xml
@@ -331,22 +331,22 @@