Fix hestiacp#2860

jaapmarcus · jaapmarcus · commit 32958c810ecf · 2022-08-22T11:59:56.000+02:00
diff --git a/web/inc/prevent_csrf.php b/web/inc/prevent_csrf.php
@@ -32,9 +32,10 @@ function prevent_post_csrf()
     {
         if (!empty($_SERVER['REQUEST_METHOD'])) {
             if ($_SERVER['REQUEST_METHOD']==='POST') {
-                $hostname = explode(':', $_SERVER['HTTP_HOST']);
-                $port=$hostname[1];
-                $hostname=$hostname[0];
+                list($hostname, $port) = explode(':', $_SERVER["HTTP_HOST"].":");
+                if(empty($port)){
+                    $port = 443;
+                }
                 if (isset($_SERVER['HTTP_ORIGIN'])) {
                     $origin_host = parse_url($_SERVER['HTTP_ORIGIN'], PHP_URL_HOST);
                     if (strcmp($origin_host, gethostname()) === 0 && in_array($port, array('443',$_SERVER['SERVER_PORT']))) {
@@ -55,9 +56,10 @@ function prevent_get_csrf()
     {
         if (!empty($_SERVER['REQUEST_METHOD'])) {
             if ($_SERVER['REQUEST_METHOD']==='GET') {
-                $hostname = explode(':', $_SERVER['HTTP_HOST']);
-                $port=$hostname[1];
-                $hostname=$hostname[0];
+                list($hostname, $port) = explode(':', $_SERVER["HTTP_HOST"].":");
+                if(empty($port)){
+                    $port = 443;
+                }
                 //list of possible entries route and these should never be blocked
                 if (in_array($_SERVER['DOCUMENT_URI'], array('/list/user/index.php', '/login/index.php','/list/web/index.php','/list/dns/index.php','/list/mail/index.php','/list/db/index.php','/list/cron/index.php','/list/backup/index.php','/reset/index.php'))) {
                     return true;
