kiduc
/
bibiuc.com
1
0
Fork 0
Code Issues 0 Pull Requests 0 Projects 0 Releases 59 Wiki Activity
Browse Source

added CSRF Token

pull/57/head
Matthias Vogel 11 years ago
parent
630fe3fc3f
commit
e852052790
11 changed files with 88 additions and 16 deletions
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. +1
    -0
      system/admin/views/add-page.html.php
  2. +1
    -0
      system/admin/views/add-post.html.php
  3. +1
    -0
      system/admin/views/delete-page.html.php
  4. +1
    -0
      system/admin/views/delete-post.html.php
  5. +1
    -0
      system/admin/views/edit-page.html.php
  6. +1
    -0
      system/admin/views/edit-post.html.php
  7. +1
    -0
      system/admin/views/edit-profile.html.php
  8. +1
    -0
      system/admin/views/import.html.php
  9. +1
    -0
      system/admin/views/login.html.php
  10. +56
    -16
      system/htmly.php
  11. +23
    -0
      system/includes/functions.php

+ 1
- 0
system/admin/views/add-page.html.php View File

@ -13,6 +13,7 @@
<br><br>
<div id="wmd-button-bar" class="wmd-button-bar"></div>
<textarea id="wmd-input" class="wmd-input <?php if (isset($postContent)) { if (empty($postContent)) { echo 'error';}} ?>" name="content" cols="20" rows="10"><?php if (isset($postContent)) { echo $postContent;} ?></textarea><br/>
<input type="hidden" name="csrf_token" value="<?php echo get_csrf()?>">
<input type="submit" name="submit" class="submit" value="Publish"/>
</form>
</div>


+ 1
- 0
system/admin/views/add-post.html.php View File

@ -14,6 +14,7 @@
<br><br>
<div id="wmd-button-bar" class="wmd-button-bar"></div>
<textarea id="wmd-input" class="wmd-input <?php if (isset($postContent)) { if (empty($postContent)) { echo 'error';}} ?>" name="content" cols="20" rows="10"><?php if (isset($postContent)) { echo $postContent;} ?></textarea><br/>
<input type="hidden" name="csrf_token" value="<?php echo get_csrf()?>">
<input type="submit" name="submit" class="submit" value="Publish"/>
</form>
</div>


+ 1
- 0
system/admin/views/delete-page.html.php View File

@ -27,6 +27,7 @@
<?php echo '<p>Are you sure want to delete <strong>' . $p->title . '</strong>?</p>';?>
<form method="POST">
<input type="hidden" name="file" value="<?php echo $p->file ?>"/><br>
<input type="hidden" name="csrf_token" value="<?php echo get_csrf()?>">
<input type="submit" name="submit" value="Delete"/>
<span><a href="<?php echo $back ?>">Cancel</a></span>
</form>

+ 1
- 0
system/admin/views/delete-post.html.php View File

@ -34,6 +34,7 @@
<?php echo '<p>Are you sure want to delete <strong>' . $p->title . '</strong>?</p>';?>
<form method="POST">
<input type="hidden" name="file" value="<?php echo $p->file ?>"/><br>
<input type="hidden" name="csrf_token" value="<?php echo get_csrf()?>">
<input type="submit" name="submit" value="Delete"/>
<span><a href="<?php echo $back ?>">Cancel</a></span>
</form>

+ 1
- 0
system/admin/views/edit-page.html.php View File

@ -45,6 +45,7 @@
<div id="wmd-button-bar" class="wmd-button-bar"></div>
<textarea id="wmd-input" class="wmd-input <?php if (isset($postContent)) { if (empty($postContent)) { echo 'error';}} ?>" name="content" cols="20" rows="10"><?php echo $oldcontent ?></textarea><br>
<input type="hidden" name="oldfile" class="text" value="<?php echo $url ?>"/>
<input type="hidden" name="csrf_token" value="<?php echo get_csrf()?>">
<input type="submit" name="submit" class="submit" value="Save"/> <a href="<?php echo $delete?>">Delete</a>
</form>
</div>


+ 1
- 0
system/admin/views/edit-post.html.php View File

@ -60,6 +60,7 @@
<div id="wmd-button-bar" class="wmd-button-bar"></div>
<textarea id="wmd-input" class="wmd-input <?php if (isset($postContent)) { if (empty($postContent)) { echo 'error';}} ?>" name="content" cols="20" rows="10"><?php echo $oldcontent ?></textarea><br>
<input type="hidden" name="oldfile" class="text" value="<?php echo $url ?>"/>
<input type="hidden" name="csrf_token" value="<?php echo get_csrf()?>">
<input type="submit" name="submit" class="submit" value="Save"/> <a href="<?php echo $delete?>">Delete</a>
</form>
</div>


+ 1
- 0
system/admin/views/edit-profile.html.php View File

@ -37,6 +37,7 @@
Title <span class="required">*</span> <br><input type="text" name="title" class="text <?php if (isset($postTitle)) { if (empty($postTitle)) { echo 'error';}} ?>" value="<?php echo $oldtitle?>"/><br><br>
<div id="wmd-button-bar" class="wmd-button-bar"></div>
<textarea id="wmd-input" class="wmd-input <?php if (isset($postContent)) { if (empty($postContent)) { echo 'error';}} ?>" name="content" cols="20" rows="10"><?php echo $oldcontent ?></textarea><br>
<input type="hidden" name="csrf_token" value="<?php echo get_csrf()?>">
<input type="submit" name="submit" class="submit" value="Save"/>
</form>
</div>


+ 1
- 0
system/admin/views/import.html.php View File

@ -6,5 +6,6 @@
<form method="POST">
Feed Url <span class="required">*</span> <br><input type="url" class="text <?php if (isset($url)) { if (empty($url)) { echo 'error';}} ?>" name="url"/><br><br>
Add source link (optional) <input type="checkbox" class="checkbox" name="credit" value="yes"/><br><br>
<input type="hidden" name="csrf_token" value="<?php echo get_csrf()?>">
<input type="submit" name="submit" class="submit" value="Import"/>
</form>

+ 1
- 0
system/admin/views/login.html.php View File

@ -8,6 +8,7 @@
<input type="text" class="<?php if (isset($username)) { if (empty($username)) { echo 'error';}} ?>" name="user"/><br><br>
Password <span class="required">*</span> <br>
<input type="password" class="<?php if (isset($password)) { if (empty($password)) { echo 'error';}} ?>" name="password"/><br><br>
<input type="hidden" name="csrf_token" value="<?php echo get_csrf()?>">
<input type="submit" name="submit" value="Login"/>
</form>
<?php } else {header('location: admin');} ?>

+ 56
- 16
system/htmly.php View File

@ -58,9 +58,11 @@ get('/index', function () {
// Get submitted login data
post('/login', function() {
$proper = is_csrf_proper(from($_REQUEST, 'csrf_token'));
$user = from($_REQUEST, 'user');
$pass = from($_REQUEST, 'password');
if(!empty($user) && !empty($pass)) {
if($proper && !empty($user) && !empty($pass)) {
session($user, $pass, null);
$log = session($user, $pass, null);
@ -85,6 +87,9 @@ post('/login', function() {
if (empty($pass)) {
$message['error'] .= '<li>Password field is required.</li>';
}
if(! $proper ) {
$message['error'] .= '<li>CSRF Token not correct.</li>';
}
config('views.root', 'system/admin/views');
@ -193,6 +198,8 @@ get('/:year/:month/:name/edit', function($year, $month, $name){
// Get edited data for blog post
post('/:year/:month/:name/edit', function() {
$proper = is_csrf_proper(from($_REQUEST, 'csrf_token'));
$title = from($_REQUEST, 'title');
$tag = from($_REQUEST, 'tag');
@ -200,7 +207,7 @@ post('/:year/:month/:name/edit', function() {
$content = from($_REQUEST, 'content');
$oldfile = from($_REQUEST, 'oldfile');
$destination = from($_GET, 'destination');
if(!empty($title) && !empty($tag) && !empty($content)) {
if($proper && !empty($title) && !empty($tag) && !empty($content)) {
if(!empty($url)) {
edit_post($title, $tag, $url, $content, $oldfile, $destination);
}
@ -220,6 +227,9 @@ post('/:year/:month/:name/edit', function() {
if (empty($content)) {
$message['error'] .= '<li>Content field is required.</li>';
}
if(! $proper ) {
$message['error'] .= '<li>CSRF Token not correct.</li>';
}
config('views.root', 'system/admin/views');
render('edit-post',array(
@ -280,10 +290,13 @@ get('/:year/:month/:name/delete', function($year, $month, $name){
// Get deleted data for blog post
post('/:year/:month/:name/delete', function() {
$file = from($_REQUEST, 'file');
$destination = from($_GET, 'destination');
delete_post($file, $destination);
$proper = is_csrf_proper(from($_REQUEST, 'csrf_token'));
if($proper)
{
$file = from($_REQUEST, 'file');
$destination = from($_GET, 'destination');
delete_post($file, $destination);
}
});
// The author page
@ -356,11 +369,13 @@ get('/edit/profile', function(){
// Get edited data for static page
post('/edit/profile', function() {
$proper = is_csrf_proper(from($_REQUEST, 'csrf_token'));
$user = $_SESSION[config("site.url")]['user'];
$title = from($_REQUEST, 'title');
$content = from($_REQUEST, 'content');
if(!empty($title) && !empty($content)) {
if($proper && !empty($title) && !empty($content)) {
edit_profile($title, $content, $user);
}
else {
@ -371,6 +386,9 @@ post('/edit/profile', function() {
if (empty($content)) {
$message['error'] .= '<li>Content field is required.</li>';
}
if(! $proper ) {
$message['error'] .= '<li>CSRF Token not correct.</li>';
}
config('views.root', 'system/admin/views');
render('edit-profile',array(
@ -627,13 +645,14 @@ get('/:static/edit', function($static){
// Get edited data for static page
post('/:static/edit', function() {
$proper = is_csrf_proper(from($_REQUEST, 'csrf_token'));
$title = from($_REQUEST, 'title');
$url = from($_REQUEST, 'url');
$content = from($_REQUEST, 'content');
$oldfile = from($_REQUEST, 'oldfile');
$destination = from($_GET, 'destination');
if(!empty($title) && !empty($content)) {
if($proper && !empty($title) && !empty($content)) {
if(!empty($url)) {
edit_page($title, $url, $content, $oldfile, $destination);
}
@ -650,6 +669,9 @@ post('/:static/edit', function() {
if (empty($content)) {
$message['error'] .= '<li>Content field is required.</li>';
}
if(! $proper ) {
$message['error'] .= '<li>CSRF Token not correct.</li>';
}
config('views.root', 'system/admin/views');
render('edit-page',array(
@ -697,10 +719,13 @@ get('/:static/delete', function($static){
// Get deleted data for static page
post('/:static/delete', function() {
$file = from($_REQUEST, 'file');
$destination = from($_GET, 'destination');
delete_page($file, $destination);
$proper = is_csrf_proper(from($_REQUEST, 'csrf_token'));
if($proper)
{
$file = from($_REQUEST, 'file');
$destination = from($_GET, 'destination');
delete_page($file, $destination);
}
});
// Add blog post
@ -725,12 +750,14 @@ get('/add/post', function(){
// Get submitted blog post data
post('/add/post', function(){
$proper = is_csrf_proper(from($_REQUEST, 'csrf_token'));
$title = from($_REQUEST, 'title');
$tag = from($_REQUEST, 'tag');
$url = from($_REQUEST, 'url');
$content = from($_REQUEST, 'content');
$user = $_SESSION[config("site.url")]['user'];
if(!empty($title) && !empty($tag) && !empty($content)) {
if($proper && !empty($title) && !empty($tag) && !empty($content)) {
if(!empty($url)) {
add_post($title, $tag, $url, $content, $user);
}
@ -750,6 +777,9 @@ post('/add/post', function(){
if (empty($content)) {
$message['error'] .= '<li>Content field is required.</li>';
}
if(! $proper ) {
$message['error'] .= '<li>CSRF Token not correct.</li>';
}
config('views.root', 'system/admin/views');
render('add-post',array(
'head_contents' => head_contents('Add post - ' . blog_title(), blog_description(), site_url()),
@ -787,10 +817,12 @@ get('/add/page', function(){
// Get submitted static page data
post('/add/page', function(){
$proper = is_csrf_proper(from($_REQUEST, 'csrf_token'));
$title = from($_REQUEST, 'title');
$url = from($_REQUEST, 'url');
$content = from($_REQUEST, 'content');
if(!empty($title) && !empty($content)) {
if($proper && !empty($title) && !empty($content)) {
if(!empty($url)) {
add_page($title, $url, $content);
}
@ -807,6 +839,9 @@ post('/add/page', function(){
if (empty($content)) {
$message['error'] .= '<li>Content field is required.</li>';
}
if(! $proper ) {
$message['error'] .= '<li>CSRF Token not correct.</li>';
}
config('views.root', 'system/admin/views');
render('add-page',array(
'head_contents' => head_contents('Add page - ' . blog_title(), blog_description(), site_url()),
@ -840,6 +875,8 @@ get('/admin/import',function(){
// Get import post
post('/admin/import', function() {
$proper = is_csrf_proper(from($_REQUEST, 'csrf_token'));
$url = from($_REQUEST, 'url');
$credit = from($_REQUEST, 'credit');
@ -865,6 +902,9 @@ post('/admin/import', function() {
if(empty($url)) {
$message['error'] .= '<li>You need to specify the feed url.</li>';
}
if(! $proper ) {
$message['error'] .= '<li>CSRF Token not correct.</li>';
}
config('views.root', 'system/admin/views');


+ 23
- 0
system/includes/functions.php View File

@ -1702,4 +1702,27 @@ function file_cache($request) {
readfile($cachefile);
die;
}
}
function generate_csrf_token()
{
$_SESSION[config("site.url")]['csrf_token'] = sha1(microtime(true).mt_rand(10000,90000));
}
function get_csrf()
{
if(! isset($_SESSION[config("site.url")]['csrf_token']) || empty($_SESSION[config("site.url")]['csrf_token']))
{
generate_csrf_token();
}
return $_SESSION[config("site.url")]['csrf_token'];
}
function is_csrf_proper($csrf_token)
{
if($csrf_token == get_csrf())
{
return true;
}
return false;
}

Write Preview
Loading…
Cancel
Save