From 529e5a2895be7c622fcb3e7662c914ade2d1c4b9 Mon Sep 17 00:00:00 2001
From: Thiago Lins
Date: Wed, 18 Feb 2026 22:03:36 -0300
Subject: [PATCH 1/2] Update setup.php

Security: Prevent URL bypassing during MFA pending state

Signed-off-by: Thiago Lins
---
 setup.php | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)

diff --git a/setup.php b/setup.php
index 7d711d5..ca012c5 100644
--- a/setup.php
+++ b/setup.php
@@ -55,6 +55,31 @@ function plugin_version_mfa()
 function plugin_init_mfa()
 {
 SessionManager::registerPluginStatelessPath('mfa', '#^/front/mfa.form.php$#');
+
+ $is_cli = function_exists('is_CommandLine') && is_CommandLine();
+ $has_mfa = isset($_SESSION['mfa_pending_user_id']);
+
+ if ($has_mfa) {
+
+ if (!$is_cli) {
+ $uri = $_SERVER['REQUEST_URI'] ?? '';
+
+ $is_protected_page = !str_contains($uri, 'mfa.form.php') &&
+ !str_contains($uri, 'logout.php') &&
+ !str_contains($uri, 'login.php');
+
+ if ($is_protected_page) {
+ global $CFG_GLPI;
+ $mfa_url = ($CFG_GLPI["root_doc"] ?? '') . "/plugins/mfa/front/mfa.form.php";
+ if (!headers_sent()) {
+ header("Location: " . $mfa_url);
+ } else {
+ echo "";
+ }
+ exit();
+ }
+ }
+ }
 global $PLUGIN_HOOKS;

From 955275030d4720844c821126367abd7808a74628 Mon Sep 17 00:00:00 2001
From: Thiago Lins
Date: Wed, 18 Feb 2026 22:04:53 -0300
Subject: [PATCH 2/2] Add files via upload

Signed-off-by: Thiago Lins
---
 locales/pt_BR.mo | Bin 0 -> 1613 bytes
 locales/pt_BR.po | 65 +++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 65 insertions(+)
 create mode 100644 locales/pt_BR.mo
 create mode 100644 locales/pt_BR.po
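Review bot: The exemption test that builds `$is_protected_page` in the setup.php hunk runs `str_contains()` over the whole `$_SERVER['REQUEST_URI']`, query string included, so the exemption is not limited to the three scripts it names while `mfa_pending_user_id` is still set. Match on the path component only and compare it exactly: `$path = (string) parse_url($uri, PHP_URL_PATH);` followed by `$is_protected_page = !in_array($path, $allowed_paths, true);`, with `$allowed_paths` holding the full paths of the three scripts built from `$CFG_GLPI["root_doc"]`. In the `headers_sent()` fallback the page shows `echo "";`, which would leave the user on an empty response before `exit()`; if that is what the code really emits, the branch needs a visible link or message pointing to the MFA form. `plugin_init_mfa()` continues past the end of this hunk, so where `mfa_pending_user_id` is set and cleared cannot be checked from here.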
diff --git a/locales/pt_BR.mo b/locales/pt_BR.mo new file mode 100644 index 0000000000000000000000000000000000000000..d635fdc8c97fd3c5414ec5e1c6fbd65f9967063d GIT binary patch literal 1613 zcmaKs!H*P06vhhyg+V+>gaj~oDr}ZO4?7ZIGs9?LXBQ{gaXZUE&ZRZUg( zu!CoBUOad+Cd32bz=@j&4|d`o;lZo%>e+)|O%EcQVLMy%n|}4`y;tA7w|~5Q;Cq4R z9jwz>-(nrZ`UfjKpY0Q(1@^)Bz^}m*;CEo~e+m-#8~8r>CwLM(_=XV2K>|MjuYv^L z1y{gF;3@DIa2fm^{19i4?T0VkuNlwcR&%*u#xB&hNhPZ#t>_-mP^|ZkAuzwDI z1U>?9fj@$0z`w!E;E6YdKso^knErbZP8`AtdK{ivQJQ#r_8sL-pQHFZg7p?wBUpNz zv*(ojJ*ExK(NK+;ZgEmt%ZYzYYO&tC9#c;R7h@;8j}N5EQL7!Juw7~A zUq#F}6YmtNzSQeHGS&gG;oP1Bi@KMd8~qKgrA6ET9?j8Lo2n* zB_y9(bXLj?oxyVSzxOs3{>vMijX{5~`Z8gwxzt!O+M@%a;iN!F&pZBNkxQjJl-!fn zvG3je-m{4zct2_k(d!*qn`{B`e`4N6;AUy&7Dq nrwHP>oL^#F^i-zc_R1Ax!p<3DJyxiV3Tfpm2uG+VZ;F2b1O@NS literal 0 HcmV?d00001 diff --git a/locales/pt_BR.po b/locales/pt_BR.po new file mode 100644 index 0000000..8e93479 --- /dev/null +++ b/locales/pt_BR.po 
@@ -0,0 +1,65 @@
+msgid ""
+msgstr ""
+"Project-Id-Version: MFAuth\n"
+"Report-Msgid-Bugs-To: \n"
+"POT-Creation-Date: 2026-01-29 14:07+0100\n"
+"Language: pt_BR\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"X-Generator: Localazy (https://localazy.com)\n"
+"Plural-Forms: nplurals=2; plural=(n>=0 && n<=1) ? 0 : 1;\n"
+
+#: front/mfa.form.php:46
+msgid "Incorrect One-Time Security Code"
+msgstr "Código de segurança único incorreto"
+
+#: inc/config.class.php:113
+msgid "GLPI Database Authentication"
+msgstr "Autenticação do banco de dados GLPI"
+
+#: inc/config.class.php:120
+msgid "Mail Server Authentication"
+msgstr "Autenticação do servidor de correio"
+
+#: inc/config.class.php:127
+msgid "LDAP Directory Authentication"
+msgstr "Autenticação do diretório LDAP"
+
+#: inc/config.class.php:134
+msgid "External Authentication"
+msgstr "Autenticação Externa"
+
+#: inc/mfa.class.php:49
+msgid "One-Time Security Code expiration"
+msgstr "Expiração do código de segurança único"
+
+#: inc/mfa.class.php:50
+msgid "Duration (in minutes)"
+msgstr "Duração (em minutos)"
+
+#: inc/mfa.class.php:79
+#, php-format
+msgid "Deleted the One-Time Security Code of the user %s"
+msgstr "Excluído o código de segurança único do usuário %s"
+
+#: inc/notificationtargetmfa.class.php:41
+msgid "One-Time Security Code generated"
+msgstr "Código de segurança único gerado"
+
+#: inc/notificationtargetmfa.class.php:93
+msgid "One-Time Security Code"
+msgstr "Código de segurança único"
+
+#: inc/notificationtargetmfa.class.php:108
+msgid "This is your security code:"
+msgstr "Este é o seu código de segurança:"
+
+#: inc/notificationtargetmfa.class.php:109
+msgid "Please verify it as soon as possible; this OTP will expire quickly."
+msgstr ""
+"Por favor, verifique-o o mais rápido possível; este OTP irá expirar "
+"rapidamente."
+
+msgid "Your account requires an additional authentication code."
+msgstr "Digite o código de acesso enviado para o seu e-mail."