From 34e3290497fc16ee1902e2ae06d489e1d62665e0 Mon Sep 17 00:00:00 2001
From: Michael Kaufmann
Date: Thu, 8 Dec 2022 09:33:34 +0100
Subject: [PATCH] adding csrf-token to all forms
Signed-off-by: Michael Kaufmann
---
lib/init.php | 17 ++++++++++++++---
templates/Froxlor/form/form.html.twig | 1 +
templates/Froxlor/form/yesnoquestion.html.twig | 1 +
templates/Froxlor/settings/detailpart.html.twig | 1 +
templates/Froxlor/user/2fa.html.twig | 1 +
.../Froxlor/user/change_language.html.twig | 1 +
.../Froxlor/user/change_password.html.twig | 1 +
templates/Froxlor/user/change_theme.html.twig | 1 +
templates/Froxlor/user/error_report.html.twig | 1 +
9 files changed, 22 insertions(+), 3 deletions(-)
diff --git a/lib/init.php b/lib/init.php
index 25e7a67b..fc57a956 100644
--- a/lib/init.php
+++ b/lib/init.php
@@ -308,7 +308,18 @@
 UI::twig()->addGlobal('page', $page);
 UI::twig()->addGlobal('area', AREA);
 UI::twig()->addGlobal('gSearchText', $gSearchText);
-/**
- * Initialize the mailingsystem
- */
+// Initialize the mailingsystem
 $mail = new Mailer(true);
+
+// initialize csrf
+if (CurrentUser::hasSession()) {
+ $new_token = Froxlor::genSessionId(20);
+ UI::twig()->addGlobal('csrf_token', $new_token);
+ if ($_SERVER['REQUEST_METHOD'] === 'POST') {
+ $current_token = $_POST['csrf_token'];
+ if ($current_token != CurrentUser::getField('csrf_token')) {
+ Response::dynamicError('CSRF validation failed');
+ }
+ }
+ CurrentUser::setField('csrf_token', $new_token);
+}
diff --git a/templates/Froxlor/form/form.html.twig b/templates/Froxlor/form/form.html.twig
index b4925c65..381ce161 100644
--- a/templates/Froxlor/form/form.html.twig
+++ b/templates/Froxlor/form/form.html.twig
@@ -26,6 +26,7 @@
 {% if nosubmit == false %}
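Review bot: The check in the new csrf block of lib/init.php reads `$_POST['csrf_token']` without a guard and compares it with loose `!=`, so a POST that omits the field raises an undefined-index warning before the error response, and two tokens that PHP can interpret as numeric strings could compare equal; the comparison is also not constant-time. I would change the two lines to `$current_token = (string) ($_POST['csrf_token'] ?? '');` and `if (!hash_equals((string) CurrentUser::getField('csrf_token'), $current_token)) {` (the return type of `CurrentUser::getField` is not visible here, hence the casts). Separately, `CurrentUser::setField('csrf_token', $new_token)` runs on every request including GETs, so any page load between rendering a form and submitting it — a second tab, a background request — invalidates the token the first form carries; consider generating a token only when the session has none, or rotating it only after a successful POST. As written, the validation applies only when `CurrentUser::hasSession()` is true, so forms shown before a session exists (presumably the login form) are not covered by this hunk. The twig hunks in the following file sections add the hidden field for the same token and have no separate issue I can see from the stripped template text.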
+ {% if hiddenid is not empty %} {% endif %} diff --git a/templates/Froxlor/form/yesnoquestion.html.twig b/templates/Froxlor/form/yesnoquestion.html.twig index 326f3735..077719f6 100644 --- a/templates/Froxlor/form/yesnoquestion.html.twig +++ b/templates/Froxlor/form/yesnoquestion.html.twig @@ -18,6 +18,7 @@ {% endif %} {% endif %}

+ {% for id,field in url_params %} diff --git a/templates/Froxlor/settings/detailpart.html.twig b/templates/Froxlor/settings/detailpart.html.twig index 7c1ec438..1ba98a66 100644 --- a/templates/Froxlor/settings/detailpart.html.twig +++ b/templates/Froxlor/settings/detailpart.html.twig @@ -27,6 +27,7 @@

+ diff --git a/templates/Froxlor/user/2fa.html.twig b/templates/Froxlor/user/2fa.html.twig index c03998c2..331490a1 100644 --- a/templates/Froxlor/user/2fa.html.twig +++ b/templates/Froxlor/user/2fa.html.twig @@ -41,6 +41,7 @@
+ {% if userinfo.type_2fa == 0 %} diff --git a/templates/Froxlor/user/change_language.html.twig b/templates/Froxlor/user/change_language.html.twig index a03fde01..c035f1f9 100644 --- a/templates/Froxlor/user/change_language.html.twig +++ b/templates/Froxlor/user/change_language.html.twig @@ -20,6 +20,7 @@
+
+
+