
XSRF-kram fixed

git-svn-id: https://svn.schokokeks.org/repos/tools/webinterface/trunk@480 87cf0b9e-d624-0410-a070-f6ee81989793

bernd authored on01/06/2007 08:02:31
Showing5 changed files
@@ -17,7 +17,7 @@ function random_string($nc, $a='abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUV
17 17
 function are_you_sure($query_string, $question)
18 18
 {
19 19
   $token = random_string(20);
20
-  $_SESSION['random_token'] = $token;
20
+  $_SESSION['are_you_sure_token'] = $token;
21 21
   output("<form action=\"?{$query_string}\" method=\"post\">\n");
22 22
   output("<p class=\"confirmation\">{$question}<br />\n");
23 23
   output("<input type=\"hidden\" name=\"random_token\" value=\"{$token}\" />\n");
@@ -30,7 +30,7 @@ function user_is_sure()
30 30
 {
31 31
   if (isset($_POST['really']))
32 32
   {
33
-    if ($_POST['random_token'] == $_SESSION['random_token'])
33
+    if ($_POST['random_token'] == $_SESSION['are_you_sure_token'])
34 34
       return true;
35 35
     else
36 36
       system_failure("Possible Cross-site-request-forgery detected!");
@@ -43,4 +43,38 @@ function user_is_sure()
43 43
 
44 44
 
45 45
 
46
+function generate_form_token($form_id)
47
+{
48
+  require_once("inc/debug.php");
49
+  $sessid = session_id();
50
+  if ($sessid == "") 
51
+  {
52
+    DEBUG("Uh? Session not running? Wtf?");
53
+    return '';
54
+  }
55
+  if (! isset($_SESSION['session_token']))
56
+    $_SESSION['session_token'] = random_string(10);
57
+  $session_token = $_SESSION['session_token'];
58
+  $formtoken = hash('sha256', $sessid.$form_id.$session_token);
59
+  return '<input type="hidden" name="formtoken" value="'.$formtoken.'" />'."\n";
60
+}
61
+
62
+
63
+function check_form_token($form_id)
64
+{
65
+  $formtoken = $_POST['formtoken'];
66
+  $sessid = session_id();
67
+  if ($sessid == "") 
68
+  {
69
+    DEBUG("Uh? Session not running? Wtf?");
70
+    return '';
71
+  }
72
+
73
+  $session_token = $_SESSION['session_token'];
74
+  $correct_formtoken = hash('sha256', $sessid.$form_id.$session_token);
75
+
76
+  if (! ($formtoken == $correct_formtoken))
77
+    system_failure("Possible cross-site-request-forgery!");
78
+}
79
+
46 80
 ?>
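Review bot: `check_form_token` fails open when no session is running: the `return ''` at old line 70 hands control back to the caller, and every caller in this commit (e.g. `check_form_token('imap_accounts_edit')`) ignores the return value, so a request that arrives without a session skips the check entirely; that branch should call `system_failure(...)` the way the mismatch branch at old line 77 does. The comparison on old line 76 also reads `$_POST['formtoken']` without `isset` and uses `==`, which in PHP compares two numeric-looking strings numerically, so two hex digests that both start with `0e` followed only by digits compare equal; use `if (!isset($_POST['formtoken']) || $_POST['formtoken'] !== $correct_formtoken)` (or `hash_equals()` where the PHP version has it). The same loose `==` remains in `user_is_sure` at old line 33 of the second hunk. Whether `random_string()` draws from a cryptographic source is not visible on this page, and the strength of `$_SESSION['session_token']` rests on it.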
@@ -35,6 +35,25 @@ function get_domain_names($customerno, $uid = NULL)
35 35
 }
36 36
 
37 37
 
38
+
39
+function get_domain_name($domid)
40
+{
41
+  if ($domid === NULL)
42
+    return 'schokokeks.org';
43
+  $domid = (int) $domid;
44
+  static $domainlist = array();
45
+
46
+  $query = "SELECT CONCAT_WS('.', domainname, tld) AS domainname FROM kundendaten.domains WHERE id=$domid;";
47
+  DEBUG($query);
48
+  $result = mysql_query($query);
49
+  if (@mysql_num_rows($result) > 0)
50
+    return mysql_fetch_object($result)->domainname;
51
+  else
52
+    return NULL;
53
+
54
+}
55
+
56
+
38 57
 /*
39 58
 function get_mail_virtualdomain($domain)
40 59
 {
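Review bot: `static $domainlist = array();` at old line 44 of `get_domain_name` is declared but never read or written, so it should either be removed or turned into the memoization it suggests (`if (isset($domainlist[$domid])) return $domainlist[$domid];` before the query, and storing the fetched name before returning). The `@` on `mysql_num_rows` at old line 49 hides the case where `mysql_query` returned `false`; testing `$result === false` explicitly and reporting it through `DEBUG(mysql_error())` keeps a failed query visible instead of silently returning `NULL`. The `(int)` cast on old line 43 is what makes the interpolation on old line 46 safe, which deserves a one-line comment such as `// $domid is cast to int above, so it is safe to interpolate`, since the string-built query otherwise reads as an injection.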
@@ -21,6 +21,7 @@ if (isset($_GET['action']) && $_GET['action'] == 'save')
21 21
 {
22 22
   if (isset($_GET['id']))
23 23
   {
24
+    check_form_token('imap_accounts_edit');
24 25
     $account = $_POST['user'].'@'.$_POST['domain'];
25 26
     if (isset($_POST['enabled']) && $_POST['enabled'] == 'true')
26 27
       $enabled = 'Y';
@@ -47,6 +48,7 @@ if (isset($_GET['action']) && $_GET['action'] == 'save')
47 48
   }
48 49
   elseif (isset($_POST['create']))
49 50
   {
51
+    check_form_token('imap_accounts_create');
50 52
     $account = $_POST['user'].'@'.$_POST['domain'];
51 53
     if (isset($_POST['enabled']) && $_POST['enabled'] == 'true')
52 54
       $enabled = 'Y';
@@ -75,6 +77,7 @@ elseif (isset($_GET['action']) && $_GET['action'] == 'create')
75 77
   output('<h3>E-Mail-Account anlegen</h3>
76 78
 <p>Hier k&ouml;nnen Sie ein neues POP3/IMAP-Konto anlegen.</p>
77 79
   <form action="accounts.php?action=save&'.$param.'" method="post">
80
+  '.generate_form_token('imap_accounts_create').'
78 81
   <table style="margin-bottom: 1em;">
79 82
   <tr><th>Einstellung:</th><th>Wert:</th><th>&nbsp;</th></tr>
80 83
   <tr>
@@ -112,6 +115,7 @@ elseif (isset($_GET['action']) && $_GET['action'] == 'delete' && $_GET['account'
112 115
 {
113 116
   if ($_POST['confirm'] == 'yes')
114 117
   {
118
+    check_form_token('imap_accounts_delete');
115 119
     delete_mailaccount($_GET['account']);
116 120
     if (! $debugmode)
117 121
       header('Location: accounts.php');
@@ -126,6 +130,7 @@ elseif (isset($_GET['action']) && $_GET['action'] == 'delete' && $_GET['account'
126 130
     $account = get_mailaccount($_GET['account']);
127 131
     $enabled = ($account['enabled'] ? 'Ja' : 'Nein');
128 132
     output('<form action="accounts.php?action=delete&amp;account='.$_GET['account'].'&amp;'.$param.'" method="post">
133
+    '.generate_form_token('imap_accounts_delete').'
129 134
     <table style="margin-bottom: 1em;">
130 135
     <tr><td>Benutzername:</td>
131 136
       <td>'.$account['account'].'</td>
@@ -153,6 +158,7 @@ elseif (isset($_GET['edit']))
153 158
   list($username, $domain) = explode('@', $account['account'], 2);
154 159
   $enabled = ($account['enabled'] ? ' checked="checked"' : '');
155 160
   output('<form action="accounts.php?action=save&amp;id='.$_GET['edit'].'&amp;'.$param.'" method="post">
161
+  '.generate_form_token('imap_accounts_edit').'
156 162
   <table style="margin-bottom: 1em;">
157 163
   <tr><th>Einstellung:</th><th>alter Wert:</th><th>neuer Wert:</th><th>&nbsp;</th></tr>
158 164
   <tr><td>Benutzername:</td><td><input type="text" id="old_account" name="old_account" value="'.$account['account'].'" readonly="readonly" style="background-color: #C0C0C0;" /></td>
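Review bot: The edit and delete checks (`check_form_token('imap_accounts_edit')` at old line 24 and `check_form_token('imap_accounts_delete')` at old line 118) verify a per-session token that is identical for every record, because the form id carries no `$_GET['edit']` or `$_GET['account']`; that is sufficient against cross-site forgery, but binding the record into the form id on both sides, e.g. `generate_form_token('imap_accounts_delete_'.$_GET['account'])` with the matching `check_form_token(...)`, would also tie the confirmation to the row that was displayed. Separately, the form actions at old lines 128 and 155 still embed `$_GET['account']` and `$_GET['edit']` into the HTML attribute unescaped; wrapping them in `htmlspecialchars()` is independent of the token work. All of these hunks sit inside an if/elseif chain whose start and end are outside the shown lines.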
@@ -9,6 +9,7 @@ require_role(array(ROLE_SYSTEMUSER, ROLE_CUSTOMER));
9 9
 
10 10
 if ($_POST['password1'] != '')
11 11
 {
12
+  check_form_token('index_chpass');
12 13
   $result = NULL;
13 14
   switch ($_SESSION['role'])
14 15
   {
@@ -51,6 +52,7 @@ if ($_SESSION['role'] == ROLE_SYSTEMUSER)
51 52
 output('<h3>Passwort &auml;ndern</h3>
52 53
 <p>Hier k&ouml;nnen Sie Ihr Passwort &auml;ndern.</p>
53 54
 <form method="post" action="'.($debugmode ? '?debug' : '').'">
55
+'.generate_form_token('index_chpass').'
54 56
 <table>
55 57
   <tr>
56 58
     <td>bisheriges Passwort:</td>  <td><input type="password" name="old_password" value="" /></td>
@@ -52,6 +52,7 @@ if (isset($_GET['action']))
52 52
       }
53 53
       break;
54 54
     case 'change_pw':
55
+      check_form_token('mysql_databases_change_pw');
55 56
       set_mysql_password($_POST['mysql_username'], $_POST['mysql_password']);
56 57
       header("Location: ?");
57 58
       $output_something = false;
@@ -66,6 +67,7 @@ $users = get_mysql_accounts($_SESSION['userinfo']['uid']);
66 67
 
67 68
 if (isset($_POST['access']))
68 69
 {
70
+  check_form_token('mysql_databases_access');
69 71
   /* Eine neue Datenbank */
70 72
   if ($_POST['new_db'] != '')
71 73
   {
@@ -114,6 +116,7 @@ if ($output_something)
114 116
   In die leeren Eingabefelder k├Ânnen Sie den Namen eines neuen Benutzers bzw. einer neuen Datenbank eintragen. Sofern Sie noch keine Datenbank(en) oder Benutzer eingerichtet haben, erscheinen nur die Eingabefelder. Vergessen Sie nicht, nach der Erstellung eines neuen Benutzerkontos dem betreffenden Benutzer ein Passwort zu setzen (s. unten auf dieser Seite). Der Name von Datenbanken und Benutzern muss mit dem Namen des System-Benutzeraccounts ├╝bereinstimmen oder mit diesem und einem Nachfolgenden Unterstrich beginnen. Z.B. kann der System-Benutzer <em>bernd</em> die MySQL-Accounts <em>bernd</em> und <em>bernd_2</em> erzeugen.</p>');
115 117
 
116 118
   output('<form action="'.($debugmode ? '?debug': '').'" method="post">
119
+  '.generate_form_token('mysql_databases_access').'
117 120
   <table>
118 121
   <tr><th>&nbsp;</th><th style="background-color: #729bb3; color: #fff;padding: 0.2em;" colspan="'.(count($users)+1).'">Benutzerkonten</th></tr>
119 122
   <tr><th style="background-color: #729bb3; color: #fff;padding: 0.2em; text-align: left;">Datenbanken</th>');
@@ -151,6 +154,7 @@ if ($output_something)
151 154
 
152 155
   <p>
153 156
   <form action="?action=change_pw'.($debugmode ? '&amp;debug': '').'" method="post">
157
+  '.generate_form_token('mysql_databases_change_pw').'
154 158
   <label for="username">Benutzername:</label>&nbsp;<select name="mysql_username" id="username" height="1">
155 159
   ');
156 160
   foreach ($users as $user)
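Review bot: `check_form_token('mysql_databases_change_pw')` at old line 55 stops forged requests, but nothing in that hunk shows `$_POST['mysql_username']` being checked against the accounts the logged-in user owns before `set_mysql_password()` is called; `$users = get_mysql_accounts($_SESSION['userinfo']['uid'])` is only fetched at old line 66, after the switch. If `set_mysql_password` does not enforce ownership itself (not visible on this page), a membership test of the posted name against that user's account list before the call would close the gap; the exact form of the test depends on the shape of `$users`, which this page only shows iterated with `foreach` and counted. The `switch` enclosing that `case` starts and ends outside the hunk.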