diff --git a/TODO b/TODO index 6223546..9381b1d 100755 --- a/TODO +++ b/TODO @@ -1,7 +1,5 @@ * i18n * Vérification des variables dans les classes + throw exception -* tokens + ban system -* remember me * htmlspecialchars => on users objects * handle negative amounts * Refactor load method to avoir load_* methods ! diff --git a/inc/CSRF.inc.php b/inc/CSRF.inc.php new file mode 100644 index 0000000..8586b6c --- /dev/null +++ b/inc/CSRF.inc.php @@ -0,0 +1,21 @@ += (time() - $time)) + return true; + return false; + } diff --git a/index.php b/index.php index 0da2244..28530fc 100644 --- a/index.php +++ b/index.php @@ -7,6 +7,7 @@ require_once('inc/rain.tpl.class.php'); require_once('inc/functions.php'); require_once('inc/Banc.inc.php'); + require_once('inc/CSRF.inc.php'); raintpl::$tpl_dir = 'tpl/'; raintpl::$cache_dir = 'tmp/'; @@ -56,7 +57,7 @@ header('location: index.php?do=connect'); exit(); } - + // Initialize empty $_GET['do'] if required to avoid error if(empty($_GET['do'])) { $_GET['do'] = ''; @@ -69,7 +70,7 @@ header('location: index.php'); exit(); } - if(!empty($_POST['login']) && !empty($_POST['password'])) { + if(!empty($_POST['login']) && !empty($_POST['password']) && check_token(600, 'connection')) { $user = new User(); $user->setLogin($_POST['login']); if(ban_canLogin() == false) { @@ -101,9 +102,9 @@ } } } - $tpl->assign('connection', true); $tpl->assign('user_post', (!empty($_POST['login'])) ? htmlspecialchars($_POST['login']) : ''); - $tpl->draw('connexion'); + $tpl->assign('token', generate_token('connection')); + $tpl->draw('connection'); break; case 'disconnect': @@ -138,20 +139,22 @@ } if(!empty($_POST['login']) && !empty($_POST['display_name']) && (!empty($_POST['password']) || !empty($_POST['user_id'])) && isset($_POST['admin'])) { - $user = new User(); - if(!empty($_POST['user_id'])) { - $user->setId($_POST['user_id']); - } - $user->setLogin($_POST['login']); - $user->setDisplayName($_POST['display_name']); - if(!empty($_POST['password'])) { - $user->setPassword($user->encrypt($_POST['password'])); - } - $user->setAdmin($_POST['admin']); - $user->save(); + if(check_token('edit_users')) { + $user = new User(); + if(!empty($_POST['user_id'])) { + $user->setId($_POST['user_id']); + } + $user->setLogin($_POST['login']); + $user->setDisplayName($_POST['display_name']); + if(!empty($_POST['password'])) { + $user->setPassword($user->encrypt($_POST['password'])); + } + $user->setAdmin($_POST['admin']); + $user->save(); - header('location: index.php?do=edit_users'); - exit(); + header('location: index.php?do=edit_users'); + exit(); + } } if(!empty($_GET['user_id']) || $_GET['do'] == 'add_user') { @@ -174,6 +177,7 @@ $tpl->assign('login_post', (!empty($_POST['login']) ? htmlspecialchars($_POST['login']) : '')); $tpl->assign('display_name_post', (!empty($_POST['display_name']) ? htmlspecialchars($_POST['display_name']) : '')); $tpl->assign('admin_post', (isset($_POST['admin']) ? (int) $_POST['admin'] : -1)); + $tpl->assign('token', generate_token('edit_users')); $tpl->draw('edit_users'); break; @@ -202,7 +206,7 @@ break; case 'settings': - if(!empty($_POST['mysql_host']) && !empty($_POST['mysql_login']) && !empty($_POST['mysql_db']) && !empty($_POST['currency']) && !empty($_POST['instance_title']) && !empty($_POST['base_url']) && !empty($_POST['timezone']) && !empty($_POST['email_webmaster'])) { + if(!empty($_POST['mysql_host']) && !empty($_POST['mysql_login']) && !empty($_POST['mysql_db']) && !empty($_POST['currency']) && !empty($_POST['instance_title']) && !empty($_POST['base_url']) && !empty($_POST['timezone']) && !empty($_POST['email_webmaster']) && check_token(600, 'settings')) { if(!is_writable('data/')) { $tpl>assign('error', 'The script can\'t write in data/ dir, check permissions set on this folder.'); } @@ -246,6 +250,7 @@ $tpl->assign('mysql_prefix', MYSQL_PREFIX); $tpl->assign('timezone', @date_default_timezone_get()); $tpl->assign('show_settings', true); + $tpl->assign('token', generate_token('settings')); $tpl->draw('settings'); break; @@ -271,7 +276,7 @@ if(!empty($_POST['date_year'])) $date_year = $_POST['date_year']; if(!empty($_POST['users_in'])) $users_in = $_POST['users_in']; - if(!empty($_POST['what']) && !empty($_POST['amount']) && (float) $_POST['amount'] != 0 && !empty($_POST['date_day']) && !empty($_POST['date_month']) && !empty($_POST['date_year']) && !empty($_POST['users_in'])) { + if(!empty($_POST['what']) && !empty($_POST['amount']) && (float) $_POST['amount'] != 0 && !empty($_POST['date_day']) && !empty($_POST['date_month']) && !empty($_POST['date_year']) && !empty($_POST['users_in']) && check_token(600, 'new_invoice')) { $invoice = new Invoice(); if(!empty($_POST['id'])) @@ -312,6 +317,7 @@ $tpl->assign('users_in', (!empty($users_in) ? $users_in : array())); $tpl->assign('guests', (!empty($guests) ? $guests : array())); $tpl->assign('id', (!empty($_GET['id']) ? (int) $_GET['id'] : 0)); + $tpl->assign('token', generate_token('new_invoice')); $tpl->draw('new_invoice'); break; diff --git a/install.php b/install.php index bcd0575..77e36ee 100644 --- a/install.php +++ b/install.php @@ -1,4 +1,6 @@ />

Toggle visible

-

type="submit" value="Install">

+

type="submit" value="Install">

diff --git a/tpl/connexion.html b/tpl/connection.html similarity index 86% rename from tpl/connexion.html rename to tpl/connection.html index a75c421..f206ce4 100644 --- a/tpl/connexion.html +++ b/tpl/connection.html @@ -6,7 +6,7 @@

-

+

Forgotten password ?

diff --git a/tpl/edit_users.html b/tpl/edit_users.html index dbe1359..728823f 100644 --- a/tpl/edit_users.html +++ b/tpl/edit_users.html @@ -50,6 +50,7 @@

{if condition="$user_id != -1"}{/if} +

@@ -58,6 +59,6 @@

-

+

{/if} diff --git a/tpl/new_invoice.html b/tpl/new_invoice.html index b2c14fa..0c6e8c2 100755 --- a/tpl/new_invoice.html +++ b/tpl/new_invoice.html @@ -38,6 +38,7 @@

{if condition="$id != 0"}{/if} +

diff --git a/tpl/settings.html b/tpl/settings.html index e05ec47..8f19e8d 100644 --- a/tpl/settings.html +++ b/tpl/settings.html @@ -8,7 +8,10 @@

Note : You can use HTML formatting in this form.

- +

+ + +

{else} @@ -47,7 +50,7 @@

-

+

{/if}