CSRF protection

Added a simple CSRF protection
2013-08-24 23:53:52 +02:00 · 2013-08-24 23:53:52 +02:00 · c276d719cd
commit c276d719cd
parent f468fef559
8 changed files with 59 additions and 27 deletions
--- a/2
+++ b/2
@ -1,7 +1,5 @@
 * i18n
 * Vérification des variables dans les classes + throw exception
-* tokens + ban system
-* remember me
 * htmlspecialchars => on users objects
 * handle negative amounts
 * Refactor load method to avoir load_* methods !
--- a/inc/CSRF.inc.php
+++ b/inc/CSRF.inc.php
@ -0,0 +1,21 @@
+<?php
+    // Generates a token against CSRF
+    function generate_token($name = '')
+    {
+        if(session_id() == '') session_start();
+        $token = uniqid(rand(), true);
+        $_SESSION[$name.'_token'] = $token;
+        $_SESSION[$name.'_token_time'] = time();
+        return $token;
+    }
+
+    // Checks that the anti-CSRF token is correct
+    function check_token($time, $name = '')
+    {
+        if(session_id() == '') session_start();
+        if(isset($_SESSION[$name.'_token']) && isset($_SESSION[$name.'_token_time']) && isset($_POST['token']))
+            if($_SESSION[$name.'_token'] == $_POST['token'])
+                if($_SESSION[$name.'_token_time'] >= (time() - $time))
+                    return true;
+        return false;
+    }
--- a/index.php
+++ b/index.php
@ -7,6 +7,7 @@
    require_once('inc/rain.tpl.class.php');
    require_once('inc/functions.php');
    require_once('inc/Banc.inc.php');
+    require_once('inc/CSRF.inc.php');
    raintpl::$tpl_dir = 'tpl/';
    raintpl::$cache_dir = 'tmp/';

@ -69,7 +70,7 @@
                header('location: index.php');
                exit();
            }
-            if(!empty($_POST['login']) && !empty($_POST['password'])) {
+            if(!empty($_POST['login']) && !empty($_POST['password']) && check_token(600, 'connection')) {
                $user = new User();
                $user->setLogin($_POST['login']);
                if(ban_canLogin() == false) {
@ -101,9 +102,9 @@
                    }
                }
            }
-            $tpl->assign('connection', true);
            $tpl->assign('user_post', (!empty($_POST['login'])) ? htmlspecialchars($_POST['login']) : '');
-            $tpl->draw('connexion');
+            $tpl->assign('token', generate_token('connection'));
+            $tpl->draw('connection');
            break;

        case 'disconnect':
@ -138,6 +139,7 @@
            }

            if(!empty($_POST['login']) && !empty($_POST['display_name']) && (!empty($_POST['password']) || !empty($_POST['user_id'])) && isset($_POST['admin'])) {
+                if(check_token('edit_users')) {
                    $user = new User();
                    if(!empty($_POST['user_id'])) {
                        $user->setId($_POST['user_id']);
@ -153,6 +155,7 @@
                    header('location: index.php?do=edit_users');
                    exit();
                }
+            }
 
            if(!empty($_GET['user_id']) || $_GET['do'] == 'add_user') {
                if(!empty($_GET['user_id'])) {
@ -174,6 +177,7 @@
            $tpl->assign('login_post', (!empty($_POST['login']) ? htmlspecialchars($_POST['login']) : ''));
            $tpl->assign('display_name_post', (!empty($_POST['display_name']) ? htmlspecialchars($_POST['display_name']) : ''));
            $tpl->assign('admin_post', (isset($_POST['admin']) ? (int) $_POST['admin'] : -1));
+            $tpl->assign('token', generate_token('edit_users'));
            $tpl->draw('edit_users');
            break;

@ -202,7 +206,7 @@
            break;

        case 'settings':
-            if(!empty($_POST['mysql_host']) && !empty($_POST['mysql_login']) && !empty($_POST['mysql_db']) && !empty($_POST['currency']) && !empty($_POST['instance_title']) && !empty($_POST['base_url']) && !empty($_POST['timezone']) && !empty($_POST['email_webmaster'])) {
+            if(!empty($_POST['mysql_host']) && !empty($_POST['mysql_login']) && !empty($_POST['mysql_db']) && !empty($_POST['currency']) && !empty($_POST['instance_title']) && !empty($_POST['base_url']) && !empty($_POST['timezone']) && !empty($_POST['email_webmaster']) && check_token(600, 'settings')) {
                if(!is_writable('data/')) {
                    $tpl>assign('error', 'The script can\'t write in data/ dir, check permissions set on this folder.');
                }
@ -246,6 +250,7 @@
            $tpl->assign('mysql_prefix', MYSQL_PREFIX);
            $tpl->assign('timezone', @date_default_timezone_get());
            $tpl->assign('show_settings', true);
+            $tpl->assign('token', generate_token('settings'));
            $tpl->draw('settings');
            break;

@ -271,7 +276,7 @@
            if(!empty($_POST['date_year'])) $date_year = $_POST['date_year'];
            if(!empty($_POST['users_in'])) $users_in = $_POST['users_in'];

-            if(!empty($_POST['what']) && !empty($_POST['amount']) && (float) $_POST['amount'] != 0 && !empty($_POST['date_day']) && !empty($_POST['date_month']) && !empty($_POST['date_year']) && !empty($_POST['users_in'])) {
+            if(!empty($_POST['what']) && !empty($_POST['amount']) && (float) $_POST['amount'] != 0 && !empty($_POST['date_day']) && !empty($_POST['date_month']) && !empty($_POST['date_year']) && !empty($_POST['users_in']) && check_token(600, 'new_invoice')) {
                $invoice = new Invoice();

                if(!empty($_POST['id']))
@ -312,6 +317,7 @@
            $tpl->assign('users_in', (!empty($users_in) ? $users_in : array()));
            $tpl->assign('guests', (!empty($guests) ? $guests : array()));
            $tpl->assign('id', (!empty($_GET['id']) ? (int) $_GET['id'] : 0));
+            $tpl->assign('token', generate_token('new_invoice'));
            $tpl->draw('new_invoice');
            break;

--- a/install.php
+++ b/install.php
@ -1,4 +1,6 @@
 <?php
+    require_once('inc/CSRF.inc.php');
+
    if(file_exists('data/config.php')) exit("Your Bouffe@Ulm instance is already configured. You should either delete data/config.php to access this page or delete the install.php for security reasons if you are ok with the configuration.");

    if(!function_exists("file_get_contents") && !function_exists("file_put_contents")) {
@ -11,7 +13,7 @@
        $block_form = true;
    }

-    if(!empty($_POST['mysql_host']) && !empty($_POST['mysql_login']) && !empty($_POST['mysql_db']) && !empty($_POST['admin_login']) && !empty($_POST['admin_password']) && !empty($_POST['currency']) && !empty($_POST['instance_title']) && !empty($_POST['base_url']) && !empty($_POST['timezone']) && !empty($_POST['email_webmaster'])) {
+    if(!empty($_POST['mysql_host']) && !empty($_POST['mysql_login']) && !empty($_POST['mysql_db']) && !empty($_POST['admin_login']) && !empty($_POST['admin_password']) && !empty($_POST['currency']) && !empty($_POST['instance_title']) && !empty($_POST['base_url']) && !empty($_POST['timezone']) && !empty($_POST['email_webmaster']) && check_token(600, 'install')) {
        $mysql_host = $_POST['mysql_host'];
        $mysql_login = $_POST['mysql_login'];
        $mysql_db = $_POST['mysql_db'];
@ -139,7 +141,7 @@
                <p><label for="admin_display_name">Displayed name for admin user : </label><input type="text" name="admin_display_name" id="admin_display_name" <?php echo (!empty($_POST['admin_display_name']) ? 'value="'.htmlspecialchars($_POST['admin_display_name']).'"' : '');?>/></p>
                <p><label for="admin_password">Password for the admin : </label><input type="password" name="admin_password" id="admin_password"/> <a href="" onclick="toggle_password('admin_password'); return false;"><img src="img/toggle_password.jpg" alt="Toggle visible"/></a></p>
            </fieldset>
-            <p class="center"><input <?php echo (!empty($block_form)) ? 'disabled ' : '';?>type="submit" value="Install"></p>
+            <p class="center"><input <?php echo (!empty($block_form)) ? 'disabled ' : '';?>type="submit" value="Install"><input type="hidden" name="token" value="<?php echo generate_token('install');?>"/></p>
        </form>
    </body>
 </html>
--- a/tpl/connection.html
+++ b/tpl/connection.html
@ -6,7 +6,7 @@
    <p><label for="login" class="label-block">Username : </label><input type="text" name="login" id="login" value="{$user_post}"/></p>
    <p><label for="password" class="label-block">Password : </label><input type="password" name="password" id="password"/></p>
    <p><input type="checkbox" name="remember_me" id="remember_me" value="1"/><label for="remember_me"> Remember me ?</label></p>
-    <p><input type="submit" value="Connect"/></p>
+    <p><input type="submit" value="Connect"/><input type="hidden" name="token" value="{$token}"/></p>
    <p><a href="mailto:{$email_webmaster}?subject={$instance_title}%20password">Forgotten password ?</a></p>
 </form>

--- a/tpl/edit_users.html
+++ b/tpl/edit_users.html
@ -50,6 +50,7 @@
    <p class="center">
        <input type="submit" value="{$user_id != -1 ? 'Edit' : 'Add'}"/>
        {if condition="$user_id != -1"}<input type="hidden" name="user_id" value="{$user_id}"/>{/if}
+        <input type="hidden" name="token" value="{$token}"/>
    </p>
 </form>

@ -58,6 +59,6 @@
 <form method="post" action="index.php?do=password" id="edit_password_form">
    <p><label for="password" class="label-block">New password : </label><input type="password" id="password" name="password"/></p>
    <p><label for="password_confirm" class="label-block">Confirm new password : </label><input type="password" id="password_confirm" name="password_confirm"/></p>
-    <p class="center"><input type="submit" value="Update"/></p>
+    <p class="center"><input type="submit" value="Update"/><input type="hidden" name="token" value="{$token}"</p>
 </form>
 {/if}
--- a/tpl/new_invoice.html
+++ b/tpl/new_invoice.html
@ -38,6 +38,7 @@
    <p>
        <input type="submit" value="Add"/>
        {if condition="$id != 0"}<input type="hidden" name="id" value="{$id}"/>{/if}
+        <input type="hidden" name="token" value="{$token"}/>
    </p>
 </form>

--- a/tpl/settings.html
+++ b/tpl/settings.html
@ -8,7 +8,10 @@
        <textarea name="notice" rows="15" id="textarea_notice">{$notice}</textarea>
    </p>
    <p><em>Note :</em> You can use HTML formatting in this form.</p>
+    <p>
        <input type="submit" value="Submit"/>
+        <input type="hidden" name="token" value="{$token}"/>
+    </p>
 </form>

 {else}
@ -47,7 +50,7 @@
        </p>
        <p><label for="email_webmaster">Webmaster's email : </label><input type="text" name="email_webmaster" id="email_webmaster" value="{$email_webmaster}"/></p>
    </fieldset>
-    <p class="center"><input type="submit" value="Update settings"></p>
+    <p class="center"><input type="submit" value="Update settings"><input type="hidden" name="token" value="{$token}"/></p>
 </form>

 {/if}