From e8520527906fca698927c6a7d603cc9290237129 Mon Sep 17 00:00:00 2001
From: Matthias Vogel
Date: Sat, 12 Jul 2014 13:03:49 +0200
Subject: [PATCH] added CSRF Token
---
system/admin/views/add-page.html.php | 1 +
system/admin/views/add-post.html.php | 1 +
system/admin/views/delete-page.html.php | 1 +
system/admin/views/delete-post.html.php | 1 +
system/admin/views/edit-page.html.php | 1 +
system/admin/views/edit-post.html.php | 1 +
system/admin/views/edit-profile.html.php | 1 +
system/admin/views/import.html.php | 1 +
system/admin/views/login.html.php | 1 +
system/htmly.php | 72 +++++++++++++++++++++++++-------
system/includes/functions.php | 23 ++++++++++
11 files changed, 88 insertions(+), 16 deletions(-)
diff --git a/system/admin/views/add-page.html.php b/system/admin/views/add-page.html.php
index c0412cc..5875bee 100644
--- a/system/admin/views/add-page.html.php
+++ b/system/admin/views/add-page.html.php
@@ -13,6 +13,7 @@
+
diff --git a/system/admin/views/add-post.html.php b/system/admin/views/add-post.html.php
index 4c62a1b..c0f9eae 100644
--- a/system/admin/views/add-post.html.php
+++ b/system/admin/views/add-post.html.php
@@ -14,6 +14,7 @@
+
diff --git a/system/admin/views/delete-page.html.php b/system/admin/views/delete-page.html.php
index 5db0fd6..99aafa8 100644
--- a/system/admin/views/delete-page.html.php
+++ b/system/admin/views/delete-page.html.php
@@ -27,6 +27,7 @@
Are you sure want to delete ' . $p->title . '?
';?>
\ No newline at end of file
diff --git a/system/admin/views/delete-post.html.php b/system/admin/views/delete-post.html.php
index 13e16bf..63989cf 100644
--- a/system/admin/views/delete-post.html.php
+++ b/system/admin/views/delete-post.html.php
@@ -34,6 +34,7 @@
Are you sure want to delete ' . $p->title . '?';?>
\ No newline at end of file
diff --git a/system/admin/views/edit-page.html.php b/system/admin/views/edit-page.html.php
index 9a4c17e..58a0009 100644
--- a/system/admin/views/edit-page.html.php
+++ b/system/admin/views/edit-page.html.php
@@ -45,6 +45,7 @@
+
Delete
diff --git a/system/admin/views/edit-post.html.php b/system/admin/views/edit-post.html.php
index 6cc9eb5..8429d1f 100644
--- a/system/admin/views/edit-post.html.php
+++ b/system/admin/views/edit-post.html.php
@@ -60,6 +60,7 @@
+
Delete
diff --git a/system/admin/views/edit-profile.html.php b/system/admin/views/edit-profile.html.php
index ef1971c..e995dc7 100644
--- a/system/admin/views/edit-profile.html.php
+++ b/system/admin/views/edit-profile.html.php
@@ -37,6 +37,7 @@
Title *
+
diff --git a/system/admin/views/import.html.php b/system/admin/views/import.html.php
index 28da33f..b402de1 100644
--- a/system/admin/views/import.html.php
+++ b/system/admin/views/import.html.php
@@ -6,5 +6,6 @@
\ No newline at end of file
diff --git a/system/admin/views/login.html.php b/system/admin/views/login.html.php
index e5d3d0b..cc97d9f 100644
--- a/system/admin/views/login.html.php
+++ b/system/admin/views/login.html.php
@@ -8,6 +8,7 @@
Password *
+
\ No newline at end of file
diff --git a/system/htmly.php b/system/htmly.php
index 2ceae1a..9720f68 100644
--- a/system/htmly.php
+++ b/system/htmly.php
@@ -58,9 +58,11 @@ get('/index', function () {
// Get submitted login data
post('/login', function() {
+ $proper = is_csrf_proper(from($_REQUEST, 'csrf_token'));
+
$user = from($_REQUEST, 'user');
$pass = from($_REQUEST, 'password');
- if(!empty($user) && !empty($pass)) {
+ if($proper && !empty($user) && !empty($pass)) {
session($user, $pass, null);
$log = session($user, $pass, null);
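Review bot: The pair `$proper = is_csrf_proper(from($_REQUEST, 'csrf_token'));` plus `if(! $proper ) { $message['error'] .= 'CSRF Token not correct.'; }` is copy-pasted into every POST handler in this file (the `/login`, `/:year/:month/:name/edit`, `/edit/profile`, `/:static/edit`, `/add/post`, `/add/page` and `/admin/import` hunks), so a future handler that forgets one half of it silently loses the protection. A small helper in functions.php that performs the check and appends the error text once, e.g. `function csrf_error(&$message) { $ok = is_csrf_proper(from($_REQUEST, 'csrf_token')); if (!$ok) { $message['error'] .= 'CSRF Token not correct.'; } return $ok; }`, would keep the message and the check in one place. The `/login` handler's body continues past the end of this hunk, so its remaining branches were not reviewed here.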
@@ -85,6 +87,9 @@ post('/login', function() {
if (empty($pass)) {
$message['error'] .= 'Password field is required.';
}
+ if(! $proper ) {
+ $message['error'] .= 'CSRF Token not correct.';
+ }
config('views.root', 'system/admin/views');
@@ -193,6 +198,8 @@ get('/:year/:month/:name/edit', function($year, $month, $name){
// Get edited data for blog post
post('/:year/:month/:name/edit', function() {
+
+ $proper = is_csrf_proper(from($_REQUEST, 'csrf_token'));
$title = from($_REQUEST, 'title');
$tag = from($_REQUEST, 'tag');
@@ -200,7 +207,7 @@ post('/:year/:month/:name/edit', function() {
$content = from($_REQUEST, 'content');
$oldfile = from($_REQUEST, 'oldfile');
$destination = from($_GET, 'destination');
- if(!empty($title) && !empty($tag) && !empty($content)) {
+ if($proper && !empty($title) && !empty($tag) && !empty($content)) {
if(!empty($url)) {
edit_post($title, $tag, $url, $content, $oldfile, $destination);
}
@@ -220,6 +227,9 @@ post('/:year/:month/:name/edit', function() {
if (empty($content)) {
$message['error'] .= 'Content field is required.';
}
+ if(! $proper ) {
+ $message['error'] .= 'CSRF Token not correct.';
+ }
config('views.root', 'system/admin/views');
render('edit-post',array(
@@ -280,10 +290,13 @@ get('/:year/:month/:name/delete', function($year, $month, $name){
// Get deleted data for blog post
post('/:year/:month/:name/delete', function() {
- $file = from($_REQUEST, 'file');
- $destination = from($_GET, 'destination');
- delete_post($file, $destination);
-
+ $proper = is_csrf_proper(from($_REQUEST, 'csrf_token'));
+ if($proper)
+ {
+ $file = from($_REQUEST, 'file');
+ $destination = from($_GET, 'destination');
+ delete_post($file, $destination);
+ }
});
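Review bot: When `$proper` is false the `/:year/:month/:name/delete` handler now falls through to the closing `});` with no output, no error message and no redirect, so a user whose token was stale (or an attacker's forged request) gets an empty 200 response instead of the "CSRF Token not correct." feedback the other handlers build up in `$message['error']`. The same silent no-op is in the `/:static/delete` hunk (`delete_page`). Adding an `else` branch that renders the confirmation view with the error, mirroring the edit handlers, would make the rejection visible and keep behaviour consistent across the admin routes; a bare `else { $message['error'] = 'CSRF Token not correct.'; ... render(...) }` following the existing pattern is enough.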
// The author page
@@ -356,11 +369,13 @@ get('/edit/profile', function(){
// Get edited data for static page
post('/edit/profile', function() {
-
+
+ $proper = is_csrf_proper(from($_REQUEST, 'csrf_token'));
+
$user = $_SESSION[config("site.url")]['user'];
$title = from($_REQUEST, 'title');
$content = from($_REQUEST, 'content');
- if(!empty($title) && !empty($content)) {
+ if($proper && !empty($title) && !empty($content)) {
edit_profile($title, $content, $user);
}
else {
@@ -371,6 +386,9 @@ post('/edit/profile', function() {
if (empty($content)) {
$message['error'] .= 'Content field is required.';
}
+ if(! $proper ) {
+ $message['error'] .= 'CSRF Token not correct.';
+ }
config('views.root', 'system/admin/views');
render('edit-profile',array(
@@ -627,13 +645,14 @@ get('/:static/edit', function($static){
// Get edited data for static page
post('/:static/edit', function() {
-
+ $proper = is_csrf_proper(from($_REQUEST, 'csrf_token'));
+
$title = from($_REQUEST, 'title');
$url = from($_REQUEST, 'url');
$content = from($_REQUEST, 'content');
$oldfile = from($_REQUEST, 'oldfile');
$destination = from($_GET, 'destination');
- if(!empty($title) && !empty($content)) {
+ if($proper && !empty($title) && !empty($content)) {
if(!empty($url)) {
edit_page($title, $url, $content, $oldfile, $destination);
}
@@ -650,6 +669,9 @@ post('/:static/edit', function() {
if (empty($content)) {
$message['error'] .= 'Content field is required.';
}
+ if(! $proper ) {
+ $message['error'] .= 'CSRF Token not correct.';
+ }
config('views.root', 'system/admin/views');
render('edit-page',array(
@@ -697,10 +719,13 @@ get('/:static/delete', function($static){
// Get deleted data for static page
post('/:static/delete', function() {
- $file = from($_REQUEST, 'file');
- $destination = from($_GET, 'destination');
- delete_page($file, $destination);
-
+ $proper = is_csrf_proper(from($_REQUEST, 'csrf_token'));
+ if($proper)
+ {
+ $file = from($_REQUEST, 'file');
+ $destination = from($_GET, 'destination');
+ delete_page($file, $destination);
+ }
});
// Add blog post
@@ -725,12 +750,14 @@ get('/add/post', function(){
// Get submitted blog post data
post('/add/post', function(){
+ $proper = is_csrf_proper(from($_REQUEST, 'csrf_token'));
+
$title = from($_REQUEST, 'title');
$tag = from($_REQUEST, 'tag');
$url = from($_REQUEST, 'url');
$content = from($_REQUEST, 'content');
$user = $_SESSION[config("site.url")]['user'];
- if(!empty($title) && !empty($tag) && !empty($content)) {
+ if($proper && !empty($title) && !empty($tag) && !empty($content)) {
if(!empty($url)) {
add_post($title, $tag, $url, $content, $user);
}
@@ -750,6 +777,9 @@ post('/add/post', function(){
if (empty($content)) {
$message['error'] .= 'Content field is required.';
}
+ if(! $proper ) {
+ $message['error'] .= 'CSRF Token not correct.';
+ }
config('views.root', 'system/admin/views');
render('add-post',array(
'head_contents' => head_contents('Add post - ' . blog_title(), blog_description(), site_url()),
@@ -787,10 +817,12 @@ get('/add/page', function(){
// Get submitted static page data
post('/add/page', function(){
+ $proper = is_csrf_proper(from($_REQUEST, 'csrf_token'));
+
$title = from($_REQUEST, 'title');
$url = from($_REQUEST, 'url');
$content = from($_REQUEST, 'content');
- if(!empty($title) && !empty($content)) {
+ if($proper && !empty($title) && !empty($content)) {
if(!empty($url)) {
add_page($title, $url, $content);
}
@@ -807,6 +839,9 @@ post('/add/page', function(){
if (empty($content)) {
$message['error'] .= 'Content field is required.';
}
+ if(! $proper ) {
+ $message['error'] .= 'CSRF Token not correct.';
+ }
config('views.root', 'system/admin/views');
render('add-page',array(
'head_contents' => head_contents('Add page - ' . blog_title(), blog_description(), site_url()),
@@ -840,6 +875,8 @@ get('/admin/import',function(){
// Get import post
post('/admin/import', function() {
+
+ $proper = is_csrf_proper(from($_REQUEST, 'csrf_token'));
$url = from($_REQUEST, 'url');
$credit = from($_REQUEST, 'credit');
@@ -865,6 +902,9 @@ post('/admin/import', function() {
if(empty($url)) {
$message['error'] .= 'You need to specify the feed url.';
}
+ if(! $proper ) {
+ $message['error'] .= 'CSRF Token not correct.';
+ }
config('views.root', 'system/admin/views');
diff --git a/system/includes/functions.php b/system/includes/functions.php
index f2fcccc..1644e78 100644
--- a/system/includes/functions.php
+++ b/system/includes/functions.php
@@ -1702,4 +1702,27 @@ function file_cache($request) {
readfile($cachefile);
die;
}
+}
+
+function generate_csrf_token()
+{
+ $_SESSION[config("site.url")]['csrf_token'] = sha1(microtime(true).mt_rand(10000,90000));
+}
+
+function get_csrf()
+{
+ if(! isset($_SESSION[config("site.url")]['csrf_token']) || empty($_SESSION[config("site.url")]['csrf_token']))
+ {
+ generate_csrf_token();
+ }
+ return $_SESSION[config("site.url")]['csrf_token'];
+}
+
+function is_csrf_proper($csrf_token)
+{
+ if($csrf_token == get_csrf())
+ {
+ return true;
+ }
+ return false;
}
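Review bot: `is_csrf_proper()` compares the submitted token with loose `==`, which in PHP subjects two numeric-looking strings (a sha1 hex digest that happens to start with `0e` followed only by digits, against a submitted `0`) to numeric comparison, and it also short-circuits on the first differing byte, leaking timing information; compare as strings in constant time instead, `return hash_equals((string) get_csrf(), (string) $csrf_token);` (`hash_equals()` is PHP ≥ 5.6 — on older runtimes a fixed-length XOR loop gives the same property), the casts covering the `null`/`''` that `from()` may return for a missing field. `generate_csrf_token()` seeds the token from `microtime(true)` and `mt_rand(10000,90000)`, which is low-entropy and predictable by an attacker who can estimate request time; use the CSPRNG, e.g. `$_SESSION[config("site.url")]['csrf_token'] = bin2hex(openssl_random_pseudo_bytes(16));` (or `random_bytes(16)` on PHP 7+). Note also that `get_csrf()` silently creates a fresh token when the session has none, so the validator has a side effect on session state; a one-line docblock on `is_csrf_proper()` saying the check is session-scoped and that a missing session token always fails would help the next maintainer.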
\ No newline at end of file