maketank/Froxlor
2
0
Fork 0
Code Pull Requests Releases Activity

adding csrf-token to all forms

Browse Source 
Signed-off-by: Michael Kaufmann <d00p@froxlor.org>
This commit is contained in:
Michael Kaufmann
2022-12-08 09:33:34 +01:00
parent fe37313b7b
commit 34e3290497
9 changed files with 22 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
lib/init.php
View File

@@ -308,7 +308,18 @@ UI::twig()->addGlobal('page', $page);
UI::twig()->addGlobal('area', AREA); UI::twig()->addGlobal('area', AREA);
UI::twig()->addGlobal('gSearchText', $gSearchText); UI::twig()->addGlobal('gSearchText', $gSearchText);
/** // Initialize the mailingsystem
* Initialize the mailingsystem
*/
$mail = new Mailer(true); $mail = new Mailer(true);
// initialize csrf
if (CurrentUser::hasSession()) {
$new_token = Froxlor::genSessionId(20);
UI::twig()->addGlobal('csrf_token', $new_token);
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
$current_token = $_POST['csrf_token'];
if ($current_token != CurrentUser::getField('csrf_token')) {
Response::dynamicError('CSRF validation failed');
}
}
CurrentUser::setField('csrf_token', $new_token);
}

1
templates/Froxlor/form/form.html.twig
View File

@@ -26,6 +26,7 @@
{% if nosubmit == false %} {% if nosubmit == false %}
<!-- submit buttons --> <!-- submit buttons -->
<div> <div>
<input type="hidden" name="csrf_token" value="{{ csrf_token }}"/>
{% if hiddenid is not empty %} {% if hiddenid is not empty %}
<input type="hidden" name="id" value="{{ hiddenid }}"/> <input type="hidden" name="id" value="{{ hiddenid }}"/>
{% endif %} {% endif %}

1
templates/Froxlor/form/yesnoquestion.html.twig
View File

@@ -18,6 +18,7 @@
{% endif %} {% endif %}
{% endif %} {% endif %}
<p> <p>
<input type="hidden" name="csrf_token" value="{{ csrf_token }}"/>
<input type="hidden" name="send" value="send"/> <input type="hidden" name="send" value="send"/>
{% for id,field in url_params %} {% for id,field in url_params %}
<input type="hidden" name="{{ id }}" value="{{ field }}"/> <input type="hidden" name="{{ id }}" value="{{ field }}"/>

1
templates/Froxlor/settings/detailpart.html.twig
View File

@@ -27,6 +27,7 @@
</div> </div>
<div> <div>
<input type="hidden" name="csrf_token" value="{{ csrf_token }}"/>
<input type="hidden" name="page" value="{{ page }}"/> <input type="hidden" name="page" value="{{ page }}"/>
<input type="hidden" name="action" value="{{ action }}"/> <input type="hidden" name="action" value="{{ action }}"/>
<input type="hidden" name="send" value="send"/> <input type="hidden" name="send" value="send"/>

1
templates/Froxlor/user/2fa.html.twig
View File

@@ -41,6 +41,7 @@
</div> </div>
<div class="card-body d-grid gap-2"> <div class="card-body d-grid gap-2">
<input type="hidden" name="csrf_token" value="{{ csrf_token }}"/>
<input type="hidden" name="page" value="{{ page }}"/> <input type="hidden" name="page" value="{{ page }}"/>
<input type="hidden" name="send" value="send"/> <input type="hidden" name="send" value="send"/>
{% if userinfo.type_2fa == 0 %} {% if userinfo.type_2fa == 0 %}

1
templates/Froxlor/user/change_language.html.twig
View File

@@ -20,6 +20,7 @@
</div> </div>
<div class="card-body d-grid gap-2"> <div class="card-body d-grid gap-2">
<input type="hidden" name="csrf_token" value="{{ csrf_token }}"/>
<input type="hidden" name="page" value="{{ page }}"/> <input type="hidden" name="page" value="{{ page }}"/>
<input type="hidden" name="send" value="send"/> <input type="hidden" name="send" value="send"/>
<button class="btn btn-primary rounded-top-0" type="submit" name="dosave"> <button class="btn btn-primary rounded-top-0" type="submit" name="dosave">

1
templates/Froxlor/user/change_password.html.twig
View File

@@ -43,6 +43,7 @@
</div> </div>
<div class="card-body d-grid gap-2"> <div class="card-body d-grid gap-2">
<input type="hidden" name="csrf_token" value="{{ csrf_token }}"/>
<input type="hidden" name="page" value="{{ page }}"/> <input type="hidden" name="page" value="{{ page }}"/>
<input type="hidden" name="send" value="send"/> <input type="hidden" name="send" value="send"/>
<button class="btn btn-primary rounded-top-0" type="submit" name="dosave"> <button class="btn btn-primary rounded-top-0" type="submit" name="dosave">

1
templates/Froxlor/user/change_theme.html.twig
View File

@@ -19,6 +19,7 @@
</div> </div>
<div class="card-body d-grid gap-2"> <div class="card-body d-grid gap-2">
<input type="hidden" name="csrf_token" value="{{ csrf_token }}"/>
<input type="hidden" name="page" value="{{ page }}"/> <input type="hidden" name="page" value="{{ page }}"/>
<input type="hidden" name="send" value="send"/> <input type="hidden" name="send" value="send"/>
<button class="btn btn-primary rounded-top-0" type="submit" name="dosave"> <button class="btn btn-primary rounded-top-0" type="submit" name="dosave">

1
templates/Froxlor/user/error_report.html.twig
View File

@@ -15,6 +15,7 @@
<code class="border rounded bg-white p-2 mb-3">{{ mail_html|nl2br }}</code> <code class="border rounded bg-white p-2 mb-3">{{ mail_html|nl2br }}</code>
<div> <div>
<input type="hidden" name="csrf_token" value="{{ csrf_token }}"/>
<input type="hidden" name="send" value="send"/> <input type="hidden" name="send" value="send"/>
<div class="col-12 text-end"> <div class="col-12 text-end">