Add CSRF protection include

2025-12-26 23:26:47 +01:00 · 2025-03-26 04:05:39 -07:00
parent 4a4506a913
commit 0960e8bac9
24 changed files with 70 additions and 75 deletions
--- a/ajax/adblock/update_blocklist.php
+++ b/ajax/adblock/update_blocklist.php
@@ -1,5 +1,6 @@
 <?php
 require_once '../../includes/autoload.php';
+require_once '../../includes/CSRF.php';
 require_once '../../includes/session.php';
 require_once '../../includes/config.php';
 require_once '../../includes/authenticate.php';
--- a/ajax/bandwidth/get_bandwidth.php
+++ b/ajax/bandwidth/get_bandwidth.php
@@ -1,5 +1,6 @@
 <?php
 require_once '../../includes/autoload.php';
+require_once '../../includes/CSRF.php';
 require_once '../../includes/session.php';
 require_once '../../includes/config.php';
 require_once '../../includes/authenticate.php';
--- a/ajax/bandwidth/get_bandwidth_hourly.php
+++ b/ajax/bandwidth/get_bandwidth_hourly.php
@@ -1,5 +1,6 @@
 <?php
 require_once '../../includes/autoload.php';
+require_once '../../includes/CSRF.php';
 require_once '../../includes/session.php';
 require_once '../../includes/config.php';
 require_once '../../includes/authenticate.php';
--- a/ajax/logging/clearlog.php
+++ b/ajax/logging/clearlog.php
@@ -1,5 +1,6 @@
 <?php
 require_once '../../includes/autoload.php';
+require_once '../../includes/CSRF.php';
 require_once '../../includes/session.php';
 require_once '../../includes/config.php';
 require_once '../../includes/authenticate.php';
--- a/ajax/networking/do_sys_reset.php
+++ b/ajax/networking/do_sys_reset.php
@@ -1,37 +1,29 @@
 <?php
 require_once '../../includes/autoload.php';
+require_once '../../includes/CSRF.php';
 require_once '../../includes/config.php';
 require_once '../../includes/session.php';
 require_once '../../includes/authenticate.php';
-require_once '../../includes/session.php';
 require_once '../../includes/functions.php';

-if (isset($_POST['csrf_token'])) {
-    if ($token->csrfValidateRequest() && !$token->CSRFValidate()) {
-        $token->handleInvalidCSRFToken();
-    }
-    $return = 0;
-    $path = "../../config";
-    $configs = array(
-        array("src" => $path .'/hostapd.conf', "tmp" => "/tmp/hostapddata", "dest" => RASPI_HOSTAPD_CONFIG),
-        array("src" => $path .'/dhcpcd.conf', "tmp" => "/tmp/dhcpddata", "dest" => RASPI_DHCPCD_CONFIG),
-        array("src" => $path .'/090_wlan0.conf', "tmp" => "/tmp/dnsmasqdata", "dest" => RASPI_DNSMASQ_PREFIX.'wlan0.conf'),
-        array("src" => $path .'/090_raspap.conf', "tmp" => "/tmp/dnsmasqdata", "dest" => RASPI_DNSMASQ_PREFIX.'raspap.conf'),
-    );
+$return = 0;
+$path = "../../config";
+$configs = array(
+    array("src" => $path .'/hostapd.conf', "tmp" => "/tmp/hostapddata", "dest" => RASPI_HOSTAPD_CONFIG),
+    array("src" => $path .'/dhcpcd.conf', "tmp" => "/tmp/dhcpddata", "dest" => RASPI_DHCPCD_CONFIG),
+    array("src" => $path .'/090_wlan0.conf', "tmp" => "/tmp/dnsmasqdata", "dest" => RASPI_DNSMASQ_PREFIX.'wlan0.conf'),
+    array("src" => $path .'/090_raspap.conf', "tmp" => "/tmp/dnsmasqdata", "dest" => RASPI_DNSMASQ_PREFIX.'raspap.conf'),
+);

-    foreach ($configs as $config) {
-        try {
-            $tmp = file_get_contents($config["src"]);
-            file_put_contents($config["tmp"], $tmp);
-            system("sudo cp ".$config["tmp"]. " ".$config["dest"]);
-        } catch (Exception $e) {
-            $return = $e->getCode();
-        }
+foreach ($configs as $config) {
+    try {
+        $tmp = file_get_contents($config["src"]);
+        file_put_contents($config["tmp"], $tmp);
+        system("sudo cp ".$config["tmp"]. " ".$config["dest"]);
+    } catch (Exception $e) {
+        $return = $e->getCode();
    }
-    $jsonData = ['return'=>$return];
-    echo json_encode($jsonData);
-
-} else {
-    $token->handleInvalidCSRFToken();
 }
+$jsonData = ['return'=>$return];
+echo json_encode($jsonData);

--- a/ajax/networking/get_all_interfaces.php
+++ b/ajax/networking/get_all_interfaces.php
@@ -1,5 +1,6 @@
 <?php
 require_once '../../includes/autoload.php';
+require_once '../../includes/CSRF.php';
 require_once '../../includes/session.php';
 require_once '../../includes/config.php';
 require_once '../../includes/authenticate.php';
--- a/ajax/networking/get_channel.php
+++ b/ajax/networking/get_channel.php
@@ -1,5 +1,6 @@
 <?php
 require_once '../../includes/autoload.php';
+require_once '../../includes/CSRF.php';
 require_once '../../includes/session.php';
 require_once '../../includes/config.php';
 require_once '../../includes/authenticate.php';
@@ -16,3 +17,4 @@ foreach ($hostapdconfig as $hostapdconfigline) {
 };
 $channel = intval($arrConfig['channel']);
 echo json_encode($channel);
+
--- a/ajax/networking/get_frequencies.php
+++ b/ajax/networking/get_frequencies.php
@@ -1,5 +1,6 @@
 <?php
 require_once '../../includes/autoload.php';
+require_once '../../includes/CSRF.php';
 require_once '../../includes/session.php';
 require_once '../../includes/config.php';
 require_once '../../includes/authenticate.php';
--- a/ajax/networking/get_ip_summary.php
+++ b/ajax/networking/get_ip_summary.php
@@ -1,5 +1,6 @@
 <?php
 require_once '../../includes/autoload.php';
+require_once '../../includes/CSRF.php';
 require_once '../../includes/session.php';
 require_once '../../includes/functions.php';
 require_once '../../includes/config.php';
--- a/ajax/networking/get_netcfg.php
+++ b/ajax/networking/get_netcfg.php
@@ -1,5 +1,6 @@
 <?php
 require_once '../../includes/autoload.php';
+require_once '../../includes/CSRF.php';
 require_once '../../includes/session.php';
 require_once '../../includes/config.php';
 require_once '../../includes/authenticate.php';
--- a/ajax/networking/get_nl80211_band.php
+++ b/ajax/networking/get_nl80211_band.php
@@ -1,5 +1,6 @@
 <?php
 require_once '../../includes/autoload.php';
+require_once '../../includes/CSRF.php';
 require_once '../../includes/session.php';
 require_once '../../includes/config.php';
 require_once '../../includes/authenticate.php';
--- a/ajax/networking/get_wgcfg.php
+++ b/ajax/networking/get_wgcfg.php
@@ -1,5 +1,6 @@
 <?php
 require_once '../../includes/autoload.php';
+require_once '../../includes/CSRF.php';
 require_once '../../includes/session.php';
 require_once '../../includes/config.php';
 require_once '../../includes/authenticate.php';
--- a/ajax/networking/get_wgkey.php
+++ b/ajax/networking/get_wgkey.php
@@ -1,5 +1,6 @@
 <?php
 require_once '../../includes/autoload.php';
+require_once '../../includes/CSRF.php';
 require_once '../../includes/session.php';
 require_once '../../includes/config.php';
 require_once '../../includes/authenticate.php';
--- a/ajax/networking/wifi_stations.php
+++ b/ajax/networking/wifi_stations.php
@@ -1,5 +1,6 @@
 <?php
 require_once '../../includes/autoload.php';
+require_once '../../includes/CSRF.php';
 require_once '../../includes/session.php';
 require_once '../../includes/config.php';
 require_once '../../includes/authenticate.php';
--- a/ajax/openvpn/activate_ovpncfg.php
+++ b/ajax/openvpn/activate_ovpncfg.php
@@ -1,5 +1,6 @@
 <?php
 require_once '../../includes/autoload.php';
+require_once '../../includes/CSRF.php';
 require_once '../../includes/session.php';
 require_once '../../includes/config.php';
 require_once '../../includes/authenticate.php';
--- a/ajax/openvpn/del_ovpncfg.php
+++ b/ajax/openvpn/del_ovpncfg.php
@@ -1,5 +1,6 @@
 <?php
 require_once '../../includes/autoload.php';
+require_once '../../includes/CSRF.php';
 require_once '../../includes/session.php';
 require_once '../../includes/config.php';
 require_once '../../includes/authenticate.php';
--- a/ajax/plugins/do_plugin_install.php
+++ b/ajax/plugins/do_plugin_install.php
@@ -1,5 +1,6 @@
 <?php
 require_once '../../includes/autoload.php';
+require_once '../../includes/CSRF.php';
 require_once '../../includes/session.php';
 require_once '../../includes/config.php';
 require_once '../../includes/authenticate.php';
--- a/ajax/session/do_check_session.php
+++ b/ajax/session/do_check_session.php
@@ -1,5 +1,6 @@
 <?php
 require_once '../../includes/autoload.php';
+require_once '../../includes/CSRF.php';
 require_once '../../includes/session.php';
 require_once '../../includes/config.php';
 require_once '../../includes/authenticate.php';
--- a/ajax/system/sys_actions.php
+++ b/ajax/system/sys_actions.php
@@ -1,9 +1,8 @@
 <?php
-
-require '../../includes/csrf.php';
+require_once '../../includes/autoload.php';
+require_once '../../includes/CSRF.php';
 require_once '../../includes/session.php';
 require_once '../../includes/config.php';
-require_once '../../src/RaspAP/Auth/HTTPAuth.php';
 require_once '../../includes/authenticate.php';

 $action = escapeshellcmd($_POST['a']);
--- a/ajax/system/sys_chk_update.php
+++ b/ajax/system/sys_chk_update.php
@@ -1,27 +1,22 @@
 <?php
-
-require '../../includes/csrf.php';
+require_once '../../includes/autoload.php';
+require_once '../../includes/CSRF.php';
 require_once '../../includes/session.php';
 require_once '../../includes/config.php';
+require_once '../../includes/authenticate.php';
 require_once '../../includes/defaults.php';
+require_once '../../includes/functions.php';

-if (isset($_POST['csrf_token'])) {
-    if (csrfValidateRequest() && !CSRFValidate()) {
-        handleInvalidCSRFToken();
-    }
-    $uri = RASPI_API_ENDPOINT;
-    preg_match('/(\d+(\.\d+)+)/', RASPI_VERSION, $matches);
-    $thisRelease = $matches[0];
+$uri = RASPI_API_ENDPOINT;
+preg_match('/(\d+(\.\d+)+)/', RASPI_VERSION, $matches);
+$thisRelease = $matches[0];

-    $json = shell_exec("wget --timeout=5 --tries=1 $uri -qO -");
-    $data = json_decode($json, true);
-    $tagName = $data['tag_name'];
-    $updateAvailable = checkReleaseVersion($thisRelease, $tagName);
+$json = shell_exec("wget --timeout=5 --tries=1 $uri -qO -");
+$data = json_decode($json, true);
+$tagName = $data['tag_name'];
+$updateAvailable = checkReleaseVersion($thisRelease, $tagName);

-    $response['tag'] = $tagName;
-    $response['update'] = $updateAvailable;
-    echo json_encode($response);
+$response['tag'] = $tagName;
+$response['update'] = $updateAvailable;
+echo json_encode($response);

-} else {
-    handleInvalidCSRFToken();
-}
--- a/ajax/system/sys_debug.php
+++ b/ajax/system/sys_debug.php
@@ -1,25 +1,18 @@
 <?php
-
-require '../../includes/csrf.php';
+require_once '../../includes/autoload.php';
+require_once '../../includes/CSRF.php';
 require_once '../../includes/session.php';
 require_once '../../includes/config.php';
-require_once '../../src/RaspAP/Auth/HTTPAuth.php';
 require_once '../../includes/authenticate.php';

-if (isset($_POST['csrf_token'])) {
-    if (csrfValidateRequest() && !CSRFValidate()) {
-        handleInvalidCSRFToken();
-    }
-    $root = getenv("DOCUMENT_ROOT");
-    exec('sudo '.RASPI_CONFIG.'/system/debuglog.sh -i '.$root, $return);
+$root = getenv("DOCUMENT_ROOT");
+exec('sudo '.RASPI_CONFIG.'/system/debuglog.sh -i '.$root, $return);
+
+$logOutput = implode(PHP_EOL, $return);
+$tempDir = sys_get_temp_dir();
+$filePath = $tempDir . DIRECTORY_SEPARATOR . RASPI_DEBUG_LOG;
+$handle = fopen($filePath, "w");
+fwrite($handle, $logOutput);
+fclose($handle);
+echo json_encode($filePath);

-    $logOutput = implode(PHP_EOL, $return);
-    $tempDir = sys_get_temp_dir();
-    $filePath = $tempDir . DIRECTORY_SEPARATOR . RASPI_DEBUG_LOG;
-    $handle = fopen($filePath, "w");
-    fwrite($handle, $logOutput);
-    fclose($handle);
-    echo json_encode($filePath);
-} else {
-    handleInvalidCSRFToken();
-}
--- a/ajax/system/sys_get_logfile.php
+++ b/ajax/system/sys_get_logfile.php
@@ -1,9 +1,8 @@
 <?php
-
-require '../../includes/csrf.php';
+require_once '../../includes/autoload.php';
+require_once '../../includes/CSRF.php';
 require_once '../../includes/session.php';
 require_once '../../includes/config.php';
-require_once '../../src/RaspAP/Auth/HTTPAuth.php';
 require_once '../../includes/authenticate.php';

 $tempDir = sys_get_temp_dir();
--- a/ajax/system/sys_perform_update.php
+++ b/ajax/system/sys_perform_update.php
@@ -1,9 +1,8 @@
 <?php
-
-require '../../includes/csrf.php';
+require_once '../../includes/autoload.php';
+require_once '../../includes/CSRF.php';
 require_once '../../includes/session.php';
 require_once '../../includes/config.php';
-require_once '../../src/RaspAP/Auth/HTTPAuth.php';
 require_once '../../includes/authenticate.php';

 if (isset($_POST['csrf_token'])) {
--- a/ajax/system/sys_read_logfile.php
+++ b/ajax/system/sys_read_logfile.php
@@ -1,8 +1,8 @@
 <?php

-require_once '../../includes/config.php';
+require_once '../../includes/autoload.php';
 require_once '../../includes/session.php';
-require_once '../../src/RaspAP/Auth/HTTPAuth.php';
+require_once '../../includes/config.php';
 require_once '../../includes/authenticate.php';

 $logFile = '/tmp/raspap_install.log';