adding csrf-token to all forms

Signed-off-by: Michael Kaufmann <d00p@froxlor.org>
Michael Kaufmann 2022-12-08 09:33:34 +01:00
parent fe37313b7b
commit 34e3290497
No known key found for this signature in database
GPG Key ID: C121F97338D7A352
9 changed files with 22 additions and 3 deletions


@ -308,7 +308,18 @@ UI::twig()->addGlobal('page', $page);
UI::twig()->addGlobal('area', AREA);
UI::twig()->addGlobal('gSearchText', $gSearchText);
/**
* Initialize the mailingsystem
*/
// Initialize the mailingsystem
$mail = new Mailer(true);
// initialize csrf
if (CurrentUser::hasSession()) {
$new_token = Froxlor::genSessionId(20);
UI::twig()->addGlobal('csrf_token', $new_token);
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
$current_token = $_POST['csrf_token'];
if ($current_token != CurrentUser::getField('csrf_token')) {
Response::dynamicError('CSRF validation failed');
}
}
CurrentUser::setField('csrf_token', $new_token);
}
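Review bot: The token check at `if ($current_token != CurrentUser::getField('csrf_token'))` uses loose comparison and reads `$_POST['csrf_token']` unguarded, so a POST without the field emits an undefined-index warning and, when the stored field is also unset, `null != null` is false and the request passes. Read the field as `$current_token = (string) ($_POST['csrf_token'] ?? '');`, then compare with `$stored = (string) CurrentUser::getField('csrf_token');` and `if ($stored === '' || !hash_equals($stored, $current_token)) { Response::dynamicError('CSRF validation failed'); }` so an empty stored token never matches and the comparison is constant-time. A fresh token is generated and stored on every request, GET included, so a form rendered before any later request by the same session (a second tab, a background fetch) will fail validation; rotating only after a successful POST, or accepting a small window of recent tokens, would avoid that, and the block also relies on `Response::dynamicError()` terminating, because `setField` runs unconditionally afterwards. Whether `Froxlor::genSessionId(20)` draws from a CSPRNG is not visible here; if it does not, `bin2hex(random_bytes(16))` is the safer source. The mailer initialization appears to carry both a docblock and a line comment saying "Initialize the mailingsystem"; if both survive this change, one of them should go.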


@ -26,6 +26,7 @@
{% if nosubmit == false %}
<!-- submit buttons -->
<div>
<input type="hidden" name="csrf_token" value="{{ csrf_token }}"/>
{% if hiddenid is not empty %}
<input type="hidden" name="id" value="{{ hiddenid }}"/>
{% endif %}
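Review bot: `csrf_token` is registered as a Twig global only inside the `CurrentUser::hasSession()` branch of the PHP hunk, so for templates rendered without a session the new `<input type="hidden" name="csrf_token" value="{{ csrf_token }}"/>` refers to an undefined variable — rendered as an empty value by default, but an exception if Twig's `strict_variables` option is enabled. Either add the global unconditionally (an empty string when there is no session) or guard the input with `{% if csrf_token is defined %} … {% endif %}`. The input also sits inside `{% if nosubmit == false %}`, so a form that renders its own submit control via `nosubmit` will post without a token and be rejected by the server-side check; placing the hidden field above that condition keeps it on every form. The same undefined-global caveat applies to the remaining template hunks in this commit.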


@ -18,6 +18,7 @@
{% endif %}
{% endif %}
<p>
<input type="hidden" name="csrf_token" value="{{ csrf_token }}"/>
<input type="hidden" name="send" value="send"/>
{% for id,field in url_params %}
<input type="hidden" name="{{ id }}" value="{{ field }}"/>


@ -27,6 +27,7 @@
</div>
<div>
<input type="hidden" name="csrf_token" value="{{ csrf_token }}"/>
<input type="hidden" name="page" value="{{ page }}"/>
<input type="hidden" name="action" value="{{ action }}"/>
<input type="hidden" name="send" value="send"/>


@ -41,6 +41,7 @@
</div>
<div class="card-body d-grid gap-2">
<input type="hidden" name="csrf_token" value="{{ csrf_token }}"/>
<input type="hidden" name="page" value="{{ page }}"/>
<input type="hidden" name="send" value="send"/>
{% if userinfo.type_2fa == 0 %}


@ -20,6 +20,7 @@
</div>
<div class="card-body d-grid gap-2">
<input type="hidden" name="csrf_token" value="{{ csrf_token }}"/>
<input type="hidden" name="page" value="{{ page }}"/>
<input type="hidden" name="send" value="send"/>
<button class="btn btn-primary rounded-top-0" type="submit" name="dosave">


@ -43,6 +43,7 @@
</div>
<div class="card-body d-grid gap-2">
<input type="hidden" name="csrf_token" value="{{ csrf_token }}"/>
<input type="hidden" name="page" value="{{ page }}"/>
<input type="hidden" name="send" value="send"/>
<button class="btn btn-primary rounded-top-0" type="submit" name="dosave">


@ -19,6 +19,7 @@
</div>
<div class="card-body d-grid gap-2">
<input type="hidden" name="csrf_token" value="{{ csrf_token }}"/>
<input type="hidden" name="page" value="{{ page }}"/>
<input type="hidden" name="send" value="send"/>
<button class="btn btn-primary rounded-top-0" type="submit" name="dosave">


@ -15,6 +15,7 @@
<code class="border rounded bg-white p-2 mb-3">{{ mail_html|nl2br }}</code>
<div>
<input type="hidden" name="csrf_token" value="{{ csrf_token }}"/>
<input type="hidden" name="send" value="send"/>
<div class="col-12 text-end">