IPV6 compatible prevent CSRF (hestiacp#3491)

* IPV6 compatible prevent CSRF

* IPV6 compatible prevent CSRF. Code style correction

* Fix formatting

---------

Co-authored-by: asmcc <root@test.hestiacp.com>
Co-authored-by: Jaap Marcus <9754650+jaapmarcus@users.noreply.github.com>

Author: 3 people

web/inc/prevent_csrf.php

@@ -40,8 +40,19 @@ function prevent_post_csrf() {
 	if (!empty($_SERVER["REQUEST_METHOD"])) {
 		if ($_SERVER["REQUEST_METHOD"] === "POST") {
 			if (!empty($_SERVER["HTTP_HOST"])) {
-				[$hostname, $port] = explode(":", $_SERVER["HTTP_HOST"] . ":");
-				if (empty($port)) {
+				$hostname = preg_replace(
+					"/(\[?[^]]*\]?):([0-9]{1,5})$/",
+					"$1",
+					$_SERVER["HTTP_HOST"],
+				);
+				$port_is_defined = preg_match("/\[?[^]]*\]?:[0-9]{1,5}$/", $_SERVER["HTTP_HOST"]);
+				if ($port_is_defined) {
+					$port = preg_replace(
+						"/(\[?[^]]*\]?):([0-9]{1,5})$/",
+						"$2",
+						$_SERVER["HTTP_HOST"],
+					);
+				} else {
 					$port = 443;
 				}
 			} else {
@@ -74,8 +85,19 @@ function prevent_get_csrf() {
 	if (!empty($_SERVER["REQUEST_METHOD"])) {
 		if ($_SERVER["REQUEST_METHOD"] === "GET") {
 			if (!empty($_SERVER["HTTP_HOST"])) {
-				[$hostname, $port] = explode(":", $_SERVER["HTTP_HOST"] . ":");
-				if (empty($port)) {
+				$hostname = preg_replace(
+					"/(\[?[^]]*\]?):([0-9]{1,5})$/",
+					"$1",
+					$_SERVER["HTTP_HOST"],
+				);
+				$port_is_defined = preg_match("/\[?[^]]*\]?:[0-9]{1,5}$/", $_SERVER["HTTP_HOST"]);
+				if ($port_is_defined) {
+					$port = preg_replace(
+						"/(\[?[^]]*\]?):([0-9]{1,5})$/",
+						"$2",
+						$_SERVER["HTTP_HOST"],
+					);
+				} else {
 					$port = 443;
 				}
 			} else {