adding csrf-token to all forms
Signed-off-by: Michael Kaufmann <d00p@froxlor.org>
This commit is contained in:
parent
fe37313b7b
commit
34e3290497
17
lib/init.php
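--- a/lib/init.php
+++ b/lib/init.php
@@ -308,7 +308,18 @@ UI::twig()->addGlobal('page', $page);
 UI::twig()->addGlobal('area', AREA);
 UI::twig()->addGlobal('gSearchText', $gSearchText);
 
-/**
-* Initialize the mailingsystem
-*/
+// Initialize the mailingsystem
 $mail = new Mailer(true);
+
+// initialize csrf
+if (CurrentUser::hasSession()) {
+$new_token = Froxlor::genSessionId(20);
+UI::twig()->addGlobal('csrf_token', $new_token);
+if ($_SERVER['REQUEST_METHOD'] === 'POST') {
+$current_token = $_POST['csrf_token'];
+if ($current_token != CurrentUser::getField('csrf_token')) {
+Response::dynamicError('CSRF validation failed');
+}
+}
+CurrentUser::setField('csrf_token', $new_token);
+}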
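Review bot: The POST branch reads `$_POST['csrf_token']` without a guard and compares it with loose `!=`, so a request that omits the field yields null (plus an undefined-index warning), and if `CurrentUser::getField('csrf_token')` returns null or an empty string when nothing has been stored yet (the first POST after the session starts, before the `setField` below has run), the comparison would pass and the request would be accepted without any token. Replace the two lines with `$current_token = (string) ($_POST['csrf_token'] ?? '');`, `$stored_token = (string) CurrentUser::getField('csrf_token');` and `if ($current_token === '' || $stored_token === '' || !hash_equals($stored_token, $current_token)) {` so missing or empty tokens are rejected explicitly and the comparison is strict and constant-time. The token is also regenerated on every request including GET, so a form opened in a second tab submits a stale token and hits `dynamicError`; presumably one token per session, or rotation only after a successful POST, is the intended policy — worth confirming. A short comment above the block, e.g. `// CSRF: validate the submitted token against the session copy, then rotate it for the next request`, would document whichever policy is chosen.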
@ -26,6 +26,7 @@
|
||||
{% if nosubmit == false %}
|
||||
<!-- submit buttons -->
|
||||
<div>
|
||||
<input type="hidden" name="csrf_token" value="{{ csrf_token }}"/>
|
||||
{% if hiddenid is not empty %}
|
||||
<input type="hidden" name="id" value="{{ hiddenid }}"/>
|
||||
{% endif %}
|
||||
|
@ -18,6 +18,7 @@
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
<p>
|
||||
<input type="hidden" name="csrf_token" value="{{ csrf_token }}"/>
|
||||
<input type="hidden" name="send" value="send"/>
|
||||
{% for id,field in url_params %}
|
||||
<input type="hidden" name="{{ id }}" value="{{ field }}"/>
|
||||
|
@ -27,6 +27,7 @@
|
||||
</div>
|
||||
|
||||
<div>
|
||||
<input type="hidden" name="csrf_token" value="{{ csrf_token }}"/>
|
||||
<input type="hidden" name="page" value="{{ page }}"/>
|
||||
<input type="hidden" name="action" value="{{ action }}"/>
|
||||
<input type="hidden" name="send" value="send"/>
|
||||
|
@ -41,6 +41,7 @@
|
||||
</div>
|
||||
|
||||
<div class="card-body d-grid gap-2">
|
||||
<input type="hidden" name="csrf_token" value="{{ csrf_token }}"/>
|
||||
<input type="hidden" name="page" value="{{ page }}"/>
|
||||
<input type="hidden" name="send" value="send"/>
|
||||
{% if userinfo.type_2fa == 0 %}
|
||||
|
@ -20,6 +20,7 @@
|
||||
</div>
|
||||
|
||||
<div class="card-body d-grid gap-2">
|
||||
<input type="hidden" name="csrf_token" value="{{ csrf_token }}"/>
|
||||
<input type="hidden" name="page" value="{{ page }}"/>
|
||||
<input type="hidden" name="send" value="send"/>
|
||||
<button class="btn btn-primary rounded-top-0" type="submit" name="dosave">
|
||||
|
@ -43,6 +43,7 @@
|
||||
</div>
|
||||
|
||||
<div class="card-body d-grid gap-2">
|
||||
<input type="hidden" name="csrf_token" value="{{ csrf_token }}"/>
|
||||
<input type="hidden" name="page" value="{{ page }}"/>
|
||||
<input type="hidden" name="send" value="send"/>
|
||||
<button class="btn btn-primary rounded-top-0" type="submit" name="dosave">
|
||||
|
@ -19,6 +19,7 @@
|
||||
</div>
|
||||
|
||||
<div class="card-body d-grid gap-2">
|
||||
<input type="hidden" name="csrf_token" value="{{ csrf_token }}"/>
|
||||
<input type="hidden" name="page" value="{{ page }}"/>
|
||||
<input type="hidden" name="send" value="send"/>
|
||||
<button class="btn btn-primary rounded-top-0" type="submit" name="dosave">
|
||||
|
@ -15,6 +15,7 @@
|
||||
<code class="border rounded bg-white p-2 mb-3">{{ mail_html|nl2br }}</code>
|
||||
|
||||
<div>
|
||||
<input type="hidden" name="csrf_token" value="{{ csrf_token }}"/>
|
||||
<input type="hidden" name="send" value="send"/>
|
||||
|
||||
<div class="col-12 text-end">
|
||||
|