Add CSRF protection include

ajax/adblock/update_blocklist.php

@@ -1,5 +1,6 @@
 <?php
 require_once '../../includes/autoload.php';
+require_once '../../includes/CSRF.php';
 require_once '../../includes/session.php';
 require_once '../../includes/config.php';
 require_once '../../includes/authenticate.php';

ajax/bandwidth/get_bandwidth.php

@@ -1,5 +1,6 @@
 <?php
 require_once '../../includes/autoload.php';
+require_once '../../includes/CSRF.php';
 require_once '../../includes/session.php';
 require_once '../../includes/config.php';
 require_once '../../includes/authenticate.php';

ajax/bandwidth/get_bandwidth_hourly.php

@@ -1,5 +1,6 @@
 <?php
 require_once '../../includes/autoload.php';
+require_once '../../includes/CSRF.php';
 require_once '../../includes/session.php';
 require_once '../../includes/config.php';
 require_once '../../includes/authenticate.php';

ajax/logging/clearlog.php

@@ -1,5 +1,6 @@
 <?php
 require_once '../../includes/autoload.php';
+require_once '../../includes/CSRF.php';
 require_once '../../includes/session.php';
 require_once '../../includes/config.php';
 require_once '../../includes/authenticate.php';

ajax/networking/do_sys_reset.php

@@ -1,37 +1,29 @@
 <?php
 require_once '../../includes/autoload.php';
+require_once '../../includes/CSRF.php';
 require_once '../../includes/config.php';
 require_once '../../includes/session.php';
 require_once '../../includes/authenticate.php';
-require_once '../../includes/session.php';
 require_once '../../includes/functions.php';
 
-if (isset($_POST['csrf_token'])) {
+$return = 0;
-    if ($token->csrfValidateRequest() && !$token->CSRFValidate()) {
+$path = "../../config";
-        $token->handleInvalidCSRFToken();
+$configs = array(
-    }
+    array("src" => $path .'/hostapd.conf', "tmp" => "/tmp/hostapddata", "dest" => RASPI_HOSTAPD_CONFIG),
-    $return = 0;
+    array("src" => $path .'/dhcpcd.conf', "tmp" => "/tmp/dhcpddata", "dest" => RASPI_DHCPCD_CONFIG),
-    $path = "../../config";
+    array("src" => $path .'/090_wlan0.conf', "tmp" => "/tmp/dnsmasqdata", "dest" => RASPI_DNSMASQ_PREFIX.'wlan0.conf'),
-    $configs = array(
+    array("src" => $path .'/090_raspap.conf', "tmp" => "/tmp/dnsmasqdata", "dest" => RASPI_DNSMASQ_PREFIX.'raspap.conf'),
-        array("src" => $path .'/hostapd.conf', "tmp" => "/tmp/hostapddata", "dest" => RASPI_HOSTAPD_CONFIG),
+);
-        array("src" => $path .'/dhcpcd.conf', "tmp" => "/tmp/dhcpddata", "dest" => RASPI_DHCPCD_CONFIG),
-        array("src" => $path .'/090_wlan0.conf', "tmp" => "/tmp/dnsmasqdata", "dest" => RASPI_DNSMASQ_PREFIX.'wlan0.conf'),
-        array("src" => $path .'/090_raspap.conf', "tmp" => "/tmp/dnsmasqdata", "dest" => RASPI_DNSMASQ_PREFIX.'raspap.conf'),
-    );
 
-    foreach ($configs as $config) {
+foreach ($configs as $config) {
-        try {
+    try {
-            $tmp = file_get_contents($config["src"]);
+        $tmp = file_get_contents($config["src"]);
-            file_put_contents($config["tmp"], $tmp);
+        file_put_contents($config["tmp"], $tmp);
-            system("sudo cp ".$config["tmp"]. " ".$config["dest"]);
+        system("sudo cp ".$config["tmp"]. " ".$config["dest"]);
-        } catch (Exception $e) {
+    } catch (Exception $e) {
-            $return = $e->getCode();
+        $return = $e->getCode();
-        }
     }
-    $jsonData = ['return'=>$return];
-    echo json_encode($jsonData);
-
-} else {
-    $token->handleInvalidCSRFToken();
 }
+$jsonData = ['return'=>$return];
+echo json_encode($jsonData);
 

ajax/networking/get_all_interfaces.php

@@ -1,5 +1,6 @@
 <?php
 require_once '../../includes/autoload.php';
+require_once '../../includes/CSRF.php';
 require_once '../../includes/session.php';
 require_once '../../includes/config.php';
 require_once '../../includes/authenticate.php';

ajax/networking/get_channel.php

@@ -1,5 +1,6 @@
 <?php
 require_once '../../includes/autoload.php';
+require_once '../../includes/CSRF.php';
 require_once '../../includes/session.php';
 require_once '../../includes/config.php';
 require_once '../../includes/authenticate.php';
@@ -16,3 +17,4 @@ foreach ($hostapdconfig as $hostapdconfigline) {
 };
 $channel = intval($arrConfig['channel']);
 echo json_encode($channel);
+

ajax/networking/get_frequencies.php

@@ -1,5 +1,6 @@
 <?php
 require_once '../../includes/autoload.php';
+require_once '../../includes/CSRF.php';
 require_once '../../includes/session.php';
 require_once '../../includes/config.php';
 require_once '../../includes/authenticate.php';

ajax/networking/get_ip_summary.php

@@ -1,5 +1,6 @@
 <?php
 require_once '../../includes/autoload.php';
+require_once '../../includes/CSRF.php';
 require_once '../../includes/session.php';
 require_once '../../includes/functions.php';
 require_once '../../includes/config.php';

ajax/networking/get_netcfg.php

@@ -1,5 +1,6 @@
 <?php
 require_once '../../includes/autoload.php';
+require_once '../../includes/CSRF.php';
 require_once '../../includes/session.php';
 require_once '../../includes/config.php';
 require_once '../../includes/authenticate.php';

ajax/networking/get_nl80211_band.php

@@ -1,5 +1,6 @@
 <?php
 require_once '../../includes/autoload.php';
+require_once '../../includes/CSRF.php';
 require_once '../../includes/session.php';
 require_once '../../includes/config.php';
 require_once '../../includes/authenticate.php';

ajax/networking/get_wgcfg.php

@@ -1,5 +1,6 @@
 <?php
 require_once '../../includes/autoload.php';
+require_once '../../includes/CSRF.php';
 require_once '../../includes/session.php';
 require_once '../../includes/config.php';
 require_once '../../includes/authenticate.php';

ajax/networking/get_wgkey.php

@@ -1,5 +1,6 @@
 <?php
 require_once '../../includes/autoload.php';
+require_once '../../includes/CSRF.php';
 require_once '../../includes/session.php';
 require_once '../../includes/config.php';
 require_once '../../includes/authenticate.php';

ajax/networking/wifi_stations.php

@@ -1,5 +1,6 @@
 <?php
 require_once '../../includes/autoload.php';
+require_once '../../includes/CSRF.php';
 require_once '../../includes/session.php';
 require_once '../../includes/config.php';
 require_once '../../includes/authenticate.php';

ajax/openvpn/activate_ovpncfg.php

@@ -1,5 +1,6 @@
 <?php
 require_once '../../includes/autoload.php';
+require_once '../../includes/CSRF.php';
 require_once '../../includes/session.php';
 require_once '../../includes/config.php';
 require_once '../../includes/authenticate.php';

ajax/openvpn/del_ovpncfg.php

@@ -1,5 +1,6 @@
 <?php
 require_once '../../includes/autoload.php';
+require_once '../../includes/CSRF.php';
 require_once '../../includes/session.php';
 require_once '../../includes/config.php';
 require_once '../../includes/authenticate.php';

ajax/plugins/do_plugin_install.php

@@ -1,5 +1,6 @@
 <?php
 require_once '../../includes/autoload.php';
+require_once '../../includes/CSRF.php';
 require_once '../../includes/session.php';
 require_once '../../includes/config.php';
 require_once '../../includes/authenticate.php';

ajax/session/do_check_session.php

@@ -1,5 +1,6 @@
 <?php
 require_once '../../includes/autoload.php';
+require_once '../../includes/CSRF.php';
 require_once '../../includes/session.php';
 require_once '../../includes/config.php';
 require_once '../../includes/authenticate.php';

ajax/system/sys_actions.php

@@ -1,9 +1,8 @@
 <?php
-
+require_once '../../includes/autoload.php';
-require '../../includes/csrf.php';
+require_once '../../includes/CSRF.php';
 require_once '../../includes/session.php';
 require_once '../../includes/config.php';
-require_once '../../src/RaspAP/Auth/HTTPAuth.php';
 require_once '../../includes/authenticate.php';
 
 $action = escapeshellcmd($_POST['a']);

ajax/system/sys_chk_update.php

@@ -1,27 +1,22 @@
 <?php
-
+require_once '../../includes/autoload.php';
-require '../../includes/csrf.php';
+require_once '../../includes/CSRF.php';
 require_once '../../includes/session.php';
 require_once '../../includes/config.php';
+require_once '../../includes/authenticate.php';
 require_once '../../includes/defaults.php';
+require_once '../../includes/functions.php';
 
-if (isset($_POST['csrf_token'])) {
+$uri = RASPI_API_ENDPOINT;
-    if (csrfValidateRequest() && !CSRFValidate()) {
+preg_match('/(\d+(\.\d+)+)/', RASPI_VERSION, $matches);
-        handleInvalidCSRFToken();
+$thisRelease = $matches[0];
-    }
-    $uri = RASPI_API_ENDPOINT;
-    preg_match('/(\d+(\.\d+)+)/', RASPI_VERSION, $matches);
-    $thisRelease = $matches[0];
 
-    $json = shell_exec("wget --timeout=5 --tries=1 $uri -qO -");
+$json = shell_exec("wget --timeout=5 --tries=1 $uri -qO -");
-    $data = json_decode($json, true);
+$data = json_decode($json, true);
-    $tagName = $data['tag_name'];
+$tagName = $data['tag_name'];
-    $updateAvailable = checkReleaseVersion($thisRelease, $tagName);
+$updateAvailable = checkReleaseVersion($thisRelease, $tagName);
 
-    $response['tag'] = $tagName;
+$response['tag'] = $tagName;
-    $response['update'] = $updateAvailable;
+$response['update'] = $updateAvailable;
-    echo json_encode($response);
+echo json_encode($response);
 
-} else {
-    handleInvalidCSRFToken();
-}

ajax/system/sys_debug.php

@@ -1,25 +1,18 @@
 <?php
-
+require_once '../../includes/autoload.php';
-require '../../includes/csrf.php';
+require_once '../../includes/CSRF.php';
 require_once '../../includes/session.php';
 require_once '../../includes/config.php';
-require_once '../../src/RaspAP/Auth/HTTPAuth.php';
 require_once '../../includes/authenticate.php';
 
-if (isset($_POST['csrf_token'])) {
+$root = getenv("DOCUMENT_ROOT");
-    if (csrfValidateRequest() && !CSRFValidate()) {
+exec('sudo '.RASPI_CONFIG.'/system/debuglog.sh -i '.$root, $return);
-        handleInvalidCSRFToken();
+
-    }
+$logOutput = implode(PHP_EOL, $return);
-    $root = getenv("DOCUMENT_ROOT");
+$tempDir = sys_get_temp_dir();
-    exec('sudo '.RASPI_CONFIG.'/system/debuglog.sh -i '.$root, $return);
+$filePath = $tempDir . DIRECTORY_SEPARATOR . RASPI_DEBUG_LOG;
+$handle = fopen($filePath, "w");
+fwrite($handle, $logOutput);
+fclose($handle);
+echo json_encode($filePath);
 
-    $logOutput = implode(PHP_EOL, $return);
-    $tempDir = sys_get_temp_dir();
-    $filePath = $tempDir . DIRECTORY_SEPARATOR . RASPI_DEBUG_LOG;
-    $handle = fopen($filePath, "w");
-    fwrite($handle, $logOutput);
-    fclose($handle);
-    echo json_encode($filePath);
-} else {
-    handleInvalidCSRFToken();
-}

ajax/system/sys_get_logfile.php

@@ -1,9 +1,8 @@
 <?php
-
+require_once '../../includes/autoload.php';
-require '../../includes/csrf.php';
+require_once '../../includes/CSRF.php';
 require_once '../../includes/session.php';
 require_once '../../includes/config.php';
-require_once '../../src/RaspAP/Auth/HTTPAuth.php';
 require_once '../../includes/authenticate.php';
 
 $tempDir = sys_get_temp_dir();

ajax/system/sys_perform_update.php

@@ -1,9 +1,8 @@
 <?php
-
+require_once '../../includes/autoload.php';
-require '../../includes/csrf.php';
+require_once '../../includes/CSRF.php';
 require_once '../../includes/session.php';
 require_once '../../includes/config.php';
-require_once '../../src/RaspAP/Auth/HTTPAuth.php';
 require_once '../../includes/authenticate.php';
 
 if (isset($_POST['csrf_token'])) {

ajax/system/sys_read_logfile.php

@@ -1,8 +1,8 @@
 <?php
 
-require_once '../../includes/config.php';
+require_once '../../includes/autoload.php';
 require_once '../../includes/session.php';
-require_once '../../src/RaspAP/Auth/HTTPAuth.php';
+require_once '../../includes/config.php';
 require_once '../../includes/authenticate.php';
 
 $logFile = '/tmp/raspap_install.log';