From 0960e8bac9e20619e8a0f92c88b61a116009bd35 Mon Sep 17 00:00:00 2001
From: billz <billzimmerman@gmail.com>
Date: Wed, 26 Mar 2025 04:05:39 -0700
Subject: [PATCH] Add CSRF protection include

---
 ajax/adblock/update_blocklist.php       |  1 +
 ajax/bandwidth/get_bandwidth.php        |  1 +
 ajax/bandwidth/get_bandwidth_hourly.php |  1 +
 ajax/logging/clearlog.php               |  1 +
 ajax/networking/do_sys_reset.php        | 44 ++++++++++---------------
 ajax/networking/get_all_interfaces.php  |  1 +
 ajax/networking/get_channel.php         |  2 ++
 ajax/networking/get_frequencies.php     |  1 +
 ajax/networking/get_ip_summary.php      |  1 +
 ajax/networking/get_netcfg.php          |  1 +
 ajax/networking/get_nl80211_band.php    |  1 +
 ajax/networking/get_wgcfg.php           |  1 +
 ajax/networking/get_wgkey.php           |  1 +
 ajax/networking/wifi_stations.php       |  1 +
 ajax/openvpn/activate_ovpncfg.php       |  1 +
 ajax/openvpn/del_ovpncfg.php            |  1 +
 ajax/plugins/do_plugin_install.php      |  1 +
 ajax/session/do_check_session.php       |  1 +
 ajax/system/sys_actions.php             |  5 ++-
 ajax/system/sys_chk_update.php          | 33 ++++++++-----------
 ajax/system/sys_debug.php               | 31 +++++++----------
 ajax/system/sys_get_logfile.php         |  5 ++-
 ajax/system/sys_perform_update.php      |  5 ++-
 ajax/system/sys_read_logfile.php        |  4 +--
 24 files changed, 70 insertions(+), 75 deletions(-)

diff --git a/ajax/adblock/update_blocklist.php b/ajax/adblock/update_blocklist.php
index f21cb4aa..f21ed4cd 100644
--- a/ajax/adblock/update_blocklist.php
+++ b/ajax/adblock/update_blocklist.php
@@ -1,5 +1,6 @@
 <?php
 require_once '../../includes/autoload.php';
+require_once '../../includes/CSRF.php';
 require_once '../../includes/session.php';
 require_once '../../includes/config.php';
 require_once '../../includes/authenticate.php';
diff --git a/ajax/bandwidth/get_bandwidth.php b/ajax/bandwidth/get_bandwidth.php
index 6e069d79..47cdf698 100644
--- a/ajax/bandwidth/get_bandwidth.php
+++ b/ajax/bandwidth/get_bandwidth.php
@@ -1,5 +1,6 @@
 <?php
 require_once '../../includes/autoload.php';
+require_once '../../includes/CSRF.php';
 require_once '../../includes/session.php';
 require_once '../../includes/config.php';
 require_once '../../includes/authenticate.php';
diff --git a/ajax/bandwidth/get_bandwidth_hourly.php b/ajax/bandwidth/get_bandwidth_hourly.php
index 798cf9de..0b6dcbb9 100644
--- a/ajax/bandwidth/get_bandwidth_hourly.php
+++ b/ajax/bandwidth/get_bandwidth_hourly.php
@@ -1,5 +1,6 @@
 <?php
 require_once '../../includes/autoload.php';
+require_once '../../includes/CSRF.php';
 require_once '../../includes/session.php';
 require_once '../../includes/config.php';
 require_once '../../includes/authenticate.php';
diff --git a/ajax/logging/clearlog.php b/ajax/logging/clearlog.php
index 5b928912..88c74df4 100644
--- a/ajax/logging/clearlog.php
+++ b/ajax/logging/clearlog.php
@@ -1,5 +1,6 @@
 <?php
 require_once '../../includes/autoload.php';
+require_once '../../includes/CSRF.php';
 require_once '../../includes/session.php';
 require_once '../../includes/config.php';
 require_once '../../includes/authenticate.php';
diff --git a/ajax/networking/do_sys_reset.php b/ajax/networking/do_sys_reset.php
index ab885af4..4bd2635c 100644
--- a/ajax/networking/do_sys_reset.php
+++ b/ajax/networking/do_sys_reset.php
@@ -1,37 +1,29 @@
 <?php
 require_once '../../includes/autoload.php';
+require_once '../../includes/CSRF.php';
 require_once '../../includes/config.php';
 require_once '../../includes/session.php';
 require_once '../../includes/authenticate.php';
-require_once '../../includes/session.php';
 require_once '../../includes/functions.php';
 
-if (isset($_POST['csrf_token'])) {
-    if ($token->csrfValidateRequest() && !$token->CSRFValidate()) {
-        $token->handleInvalidCSRFToken();
-    }
-    $return = 0;
-    $path = "../../config";
-    $configs = array(
-        array("src" => $path .'/hostapd.conf', "tmp" => "/tmp/hostapddata", "dest" => RASPI_HOSTAPD_CONFIG),
-        array("src" => $path .'/dhcpcd.conf', "tmp" => "/tmp/dhcpddata", "dest" => RASPI_DHCPCD_CONFIG),
-        array("src" => $path .'/090_wlan0.conf', "tmp" => "/tmp/dnsmasqdata", "dest" => RASPI_DNSMASQ_PREFIX.'wlan0.conf'),
-        array("src" => $path .'/090_raspap.conf', "tmp" => "/tmp/dnsmasqdata", "dest" => RASPI_DNSMASQ_PREFIX.'raspap.conf'),
-    );
+$return = 0;
+$path = "../../config";
+$configs = array(
+    array("src" => $path .'/hostapd.conf', "tmp" => "/tmp/hostapddata", "dest" => RASPI_HOSTAPD_CONFIG),
+    array("src" => $path .'/dhcpcd.conf', "tmp" => "/tmp/dhcpddata", "dest" => RASPI_DHCPCD_CONFIG),
+    array("src" => $path .'/090_wlan0.conf', "tmp" => "/tmp/dnsmasqdata", "dest" => RASPI_DNSMASQ_PREFIX.'wlan0.conf'),
+    array("src" => $path .'/090_raspap.conf', "tmp" => "/tmp/dnsmasqdata", "dest" => RASPI_DNSMASQ_PREFIX.'raspap.conf'),
+);
 
-    foreach ($configs as $config) {
-        try {
-            $tmp = file_get_contents($config["src"]);
-            file_put_contents($config["tmp"], $tmp);
-            system("sudo cp ".$config["tmp"]. " ".$config["dest"]);
-        } catch (Exception $e) {
-            $return = $e->getCode();
-        }
+foreach ($configs as $config) {
+    try {
+        $tmp = file_get_contents($config["src"]);
+        file_put_contents($config["tmp"], $tmp);
+        system("sudo cp ".$config["tmp"]. " ".$config["dest"]);
+    } catch (Exception $e) {
+        $return = $e->getCode();
     }
-    $jsonData = ['return'=>$return];
-    echo json_encode($jsonData);
-
-} else {
-    $token->handleInvalidCSRFToken();
 }
+$jsonData = ['return'=>$return];
+echo json_encode($jsonData);
 
diff --git a/ajax/networking/get_all_interfaces.php b/ajax/networking/get_all_interfaces.php
index 2953b734..0fb33fe1 100644
--- a/ajax/networking/get_all_interfaces.php
+++ b/ajax/networking/get_all_interfaces.php
@@ -1,5 +1,6 @@
 <?php
 require_once '../../includes/autoload.php';
+require_once '../../includes/CSRF.php';
 require_once '../../includes/session.php';
 require_once '../../includes/config.php';
 require_once '../../includes/authenticate.php';
diff --git a/ajax/networking/get_channel.php b/ajax/networking/get_channel.php
index 77683dc7..716456c4 100644
--- a/ajax/networking/get_channel.php
+++ b/ajax/networking/get_channel.php
@@ -1,5 +1,6 @@
 <?php
 require_once '../../includes/autoload.php';
+require_once '../../includes/CSRF.php';
 require_once '../../includes/session.php';
 require_once '../../includes/config.php';
 require_once '../../includes/authenticate.php';
@@ -16,3 +17,4 @@ foreach ($hostapdconfig as $hostapdconfigline) {
 };
 $channel = intval($arrConfig['channel']);
 echo json_encode($channel);
+
diff --git a/ajax/networking/get_frequencies.php b/ajax/networking/get_frequencies.php
index f1a9dba3..ea33de21 100644
--- a/ajax/networking/get_frequencies.php
+++ b/ajax/networking/get_frequencies.php
@@ -1,5 +1,6 @@
 <?php
 require_once '../../includes/autoload.php';
+require_once '../../includes/CSRF.php';
 require_once '../../includes/session.php';
 require_once '../../includes/config.php';
 require_once '../../includes/authenticate.php';
diff --git a/ajax/networking/get_ip_summary.php b/ajax/networking/get_ip_summary.php
index 3dac9735..1dcfb12e 100644
--- a/ajax/networking/get_ip_summary.php
+++ b/ajax/networking/get_ip_summary.php
@@ -1,5 +1,6 @@
 <?php
 require_once '../../includes/autoload.php';
+require_once '../../includes/CSRF.php';
 require_once '../../includes/session.php';
 require_once '../../includes/functions.php';
 require_once '../../includes/config.php';
diff --git a/ajax/networking/get_netcfg.php b/ajax/networking/get_netcfg.php
index 104f6d09..87411ba7 100644
--- a/ajax/networking/get_netcfg.php
+++ b/ajax/networking/get_netcfg.php
@@ -1,5 +1,6 @@
 <?php
 require_once '../../includes/autoload.php';
+require_once '../../includes/CSRF.php';
 require_once '../../includes/session.php';
 require_once '../../includes/config.php';
 require_once '../../includes/authenticate.php';
diff --git a/ajax/networking/get_nl80211_band.php b/ajax/networking/get_nl80211_band.php
index 26ed2048..ce093194 100644
--- a/ajax/networking/get_nl80211_band.php
+++ b/ajax/networking/get_nl80211_band.php
@@ -1,5 +1,6 @@
 <?php
 require_once '../../includes/autoload.php';
+require_once '../../includes/CSRF.php';
 require_once '../../includes/session.php';
 require_once '../../includes/config.php';
 require_once '../../includes/authenticate.php';
diff --git a/ajax/networking/get_wgcfg.php b/ajax/networking/get_wgcfg.php
index af64bec4..ee208523 100644
--- a/ajax/networking/get_wgcfg.php
+++ b/ajax/networking/get_wgcfg.php
@@ -1,5 +1,6 @@
 <?php
 require_once '../../includes/autoload.php';
+require_once '../../includes/CSRF.php';
 require_once '../../includes/session.php';
 require_once '../../includes/config.php';
 require_once '../../includes/authenticate.php';
diff --git a/ajax/networking/get_wgkey.php b/ajax/networking/get_wgkey.php
index 4c4e76aa..52e3d2de 100644
--- a/ajax/networking/get_wgkey.php
+++ b/ajax/networking/get_wgkey.php
@@ -1,5 +1,6 @@
 <?php
 require_once '../../includes/autoload.php';
+require_once '../../includes/CSRF.php';
 require_once '../../includes/session.php';
 require_once '../../includes/config.php';
 require_once '../../includes/authenticate.php';
diff --git a/ajax/networking/wifi_stations.php b/ajax/networking/wifi_stations.php
index 428a348f..b6298046 100644
--- a/ajax/networking/wifi_stations.php
+++ b/ajax/networking/wifi_stations.php
@@ -1,5 +1,6 @@
 <?php
 require_once '../../includes/autoload.php';
+require_once '../../includes/CSRF.php';
 require_once '../../includes/session.php';
 require_once '../../includes/config.php';
 require_once '../../includes/authenticate.php';
diff --git a/ajax/openvpn/activate_ovpncfg.php b/ajax/openvpn/activate_ovpncfg.php
index 8aef26d8..32df5e9a 100644
--- a/ajax/openvpn/activate_ovpncfg.php
+++ b/ajax/openvpn/activate_ovpncfg.php
@@ -1,5 +1,6 @@
 <?php
 require_once '../../includes/autoload.php';
+require_once '../../includes/CSRF.php';
 require_once '../../includes/session.php';
 require_once '../../includes/config.php';
 require_once '../../includes/authenticate.php';
diff --git a/ajax/openvpn/del_ovpncfg.php b/ajax/openvpn/del_ovpncfg.php
index 4046149d..ce9fa844 100644
--- a/ajax/openvpn/del_ovpncfg.php
+++ b/ajax/openvpn/del_ovpncfg.php
@@ -1,5 +1,6 @@
 <?php
 require_once '../../includes/autoload.php';
+require_once '../../includes/CSRF.php';
 require_once '../../includes/session.php';
 require_once '../../includes/config.php';
 require_once '../../includes/authenticate.php';
diff --git a/ajax/plugins/do_plugin_install.php b/ajax/plugins/do_plugin_install.php
index 7055ee9d..3c937ae8 100755
--- a/ajax/plugins/do_plugin_install.php
+++ b/ajax/plugins/do_plugin_install.php
@@ -1,5 +1,6 @@
 <?php
 require_once '../../includes/autoload.php';
+require_once '../../includes/CSRF.php';
 require_once '../../includes/session.php';
 require_once '../../includes/config.php';
 require_once '../../includes/authenticate.php';
diff --git a/ajax/session/do_check_session.php b/ajax/session/do_check_session.php
index ea87b754..7e574310 100755
--- a/ajax/session/do_check_session.php
+++ b/ajax/session/do_check_session.php
@@ -1,5 +1,6 @@
 <?php
 require_once '../../includes/autoload.php';
+require_once '../../includes/CSRF.php';
 require_once '../../includes/session.php';
 require_once '../../includes/config.php';
 require_once '../../includes/authenticate.php';
diff --git a/ajax/system/sys_actions.php b/ajax/system/sys_actions.php
index dce18402..de9411f9 100644
--- a/ajax/system/sys_actions.php
+++ b/ajax/system/sys_actions.php
@@ -1,9 +1,8 @@
 <?php
-
-require '../../includes/csrf.php';
+require_once '../../includes/autoload.php';
+require_once '../../includes/CSRF.php';
 require_once '../../includes/session.php';
 require_once '../../includes/config.php';
-require_once '../../src/RaspAP/Auth/HTTPAuth.php';
 require_once '../../includes/authenticate.php';
 
 $action = escapeshellcmd($_POST['a']);
diff --git a/ajax/system/sys_chk_update.php b/ajax/system/sys_chk_update.php
index 8fdd5a0c..c16dd453 100644
--- a/ajax/system/sys_chk_update.php
+++ b/ajax/system/sys_chk_update.php
@@ -1,27 +1,22 @@
 <?php
-
-require '../../includes/csrf.php';
+require_once '../../includes/autoload.php';
+require_once '../../includes/CSRF.php';
 require_once '../../includes/session.php';
 require_once '../../includes/config.php';
+require_once '../../includes/authenticate.php';
 require_once '../../includes/defaults.php';
+require_once '../../includes/functions.php';
 
-if (isset($_POST['csrf_token'])) {
-    if (csrfValidateRequest() && !CSRFValidate()) {
-        handleInvalidCSRFToken();
-    }
-    $uri = RASPI_API_ENDPOINT;
-    preg_match('/(\d+(\.\d+)+)/', RASPI_VERSION, $matches);
-    $thisRelease = $matches[0];
+$uri = RASPI_API_ENDPOINT;
+preg_match('/(\d+(\.\d+)+)/', RASPI_VERSION, $matches);
+$thisRelease = $matches[0];
 
-    $json = shell_exec("wget --timeout=5 --tries=1 $uri -qO -");
-    $data = json_decode($json, true);
-    $tagName = $data['tag_name'];
-    $updateAvailable = checkReleaseVersion($thisRelease, $tagName);
+$json = shell_exec("wget --timeout=5 --tries=1 $uri -qO -");
+$data = json_decode($json, true);
+$tagName = $data['tag_name'];
+$updateAvailable = checkReleaseVersion($thisRelease, $tagName);
 
-    $response['tag'] = $tagName;
-    $response['update'] = $updateAvailable;
-    echo json_encode($response);
+$response['tag'] = $tagName;
+$response['update'] = $updateAvailable;
+echo json_encode($response);
 
-} else {
-    handleInvalidCSRFToken();
-}
diff --git a/ajax/system/sys_debug.php b/ajax/system/sys_debug.php
index cc3a608b..a6240a6a 100644
--- a/ajax/system/sys_debug.php
+++ b/ajax/system/sys_debug.php
@@ -1,25 +1,18 @@
 <?php
-
-require '../../includes/csrf.php';
+require_once '../../includes/autoload.php';
+require_once '../../includes/CSRF.php';
 require_once '../../includes/session.php';
 require_once '../../includes/config.php';
-require_once '../../src/RaspAP/Auth/HTTPAuth.php';
 require_once '../../includes/authenticate.php';
 
-if (isset($_POST['csrf_token'])) {
-    if (csrfValidateRequest() && !CSRFValidate()) {
-        handleInvalidCSRFToken();
-    }
-    $root = getenv("DOCUMENT_ROOT");
-    exec('sudo '.RASPI_CONFIG.'/system/debuglog.sh -i '.$root, $return);
+$root = getenv("DOCUMENT_ROOT");
+exec('sudo '.RASPI_CONFIG.'/system/debuglog.sh -i '.$root, $return);
+
+$logOutput = implode(PHP_EOL, $return);
+$tempDir = sys_get_temp_dir();
+$filePath = $tempDir . DIRECTORY_SEPARATOR . RASPI_DEBUG_LOG;
+$handle = fopen($filePath, "w");
+fwrite($handle, $logOutput);
+fclose($handle);
+echo json_encode($filePath);
 
-    $logOutput = implode(PHP_EOL, $return);
-    $tempDir = sys_get_temp_dir();
-    $filePath = $tempDir . DIRECTORY_SEPARATOR . RASPI_DEBUG_LOG;
-    $handle = fopen($filePath, "w");
-    fwrite($handle, $logOutput);
-    fclose($handle);
-    echo json_encode($filePath);
-} else {
-    handleInvalidCSRFToken();
-}
diff --git a/ajax/system/sys_get_logfile.php b/ajax/system/sys_get_logfile.php
index 0dc9f3b5..26f5b6f6 100644
--- a/ajax/system/sys_get_logfile.php
+++ b/ajax/system/sys_get_logfile.php
@@ -1,9 +1,8 @@
 <?php
-
-require '../../includes/csrf.php';
+require_once '../../includes/autoload.php';
+require_once '../../includes/CSRF.php';
 require_once '../../includes/session.php';
 require_once '../../includes/config.php';
-require_once '../../src/RaspAP/Auth/HTTPAuth.php';
 require_once '../../includes/authenticate.php';
 
 $tempDir = sys_get_temp_dir();
diff --git a/ajax/system/sys_perform_update.php b/ajax/system/sys_perform_update.php
index 06948f97..662d3d91 100644
--- a/ajax/system/sys_perform_update.php
+++ b/ajax/system/sys_perform_update.php
@@ -1,9 +1,8 @@
 <?php
-
-require '../../includes/csrf.php';
+require_once '../../includes/autoload.php';
+require_once '../../includes/CSRF.php';
 require_once '../../includes/session.php';
 require_once '../../includes/config.php';
-require_once '../../src/RaspAP/Auth/HTTPAuth.php';
 require_once '../../includes/authenticate.php';
 
 if (isset($_POST['csrf_token'])) {
diff --git a/ajax/system/sys_read_logfile.php b/ajax/system/sys_read_logfile.php
index defdd79a..2ac51b8c 100644
--- a/ajax/system/sys_read_logfile.php
+++ b/ajax/system/sys_read_logfile.php
@@ -1,8 +1,8 @@
 <?php
 
-require_once '../../includes/config.php';
+require_once '../../includes/autoload.php';
 require_once '../../includes/session.php';
-require_once '../../src/RaspAP/Auth/HTTPAuth.php';
+require_once '../../includes/config.php';
 require_once '../../includes/authenticate.php';
 
 $logFile = '/tmp/raspap_install.log';