diff --git a/ajax/adblock/update_blocklist.php b/ajax/adblock/update_blocklist.php
index 86f326b4..7ac7d2e5 100644
--- a/ajax/adblock/update_blocklist.php
+++ b/ajax/adblock/update_blocklist.php
@@ -1,6 +1,5 @@ = 0; --$i) { echo ' ]'; -
diff --git a/ajax/bandwidth/get_bandwidth_hourly.php b/ajax/bandwidth/get_bandwidth_hourly.php
index 5e2f93f1..bc93cbf1 100644
--- a/ajax/bandwidth/get_bandwidth_hourly.php
+++ b/ajax/bandwidth/get_bandwidth_hourly.php
@@ -1,6 +1,6 @@ $path .'/hostapd.conf', "tmp" => "/tmp/hostapddata", "dest" => RASPI_HOSTAPD_CONFIG),
- array("src" => $path .'/dhcpcd.conf', "tmp" => "/tmp/dhcpddata", "dest" => RASPI_DHCPCD_CONFIG),
- array("src" => $path .'/090_wlan0.conf', "tmp" => "/tmp/dnsmasqdata", "dest" => RASPI_DNSMASQ_PREFIX.'wlan0.conf'),
- array("src" => $path .'/090_raspap.conf', "tmp" => "/tmp/dnsmasqdata", "dest" => RASPI_DNSMASQ_PREFIX.'raspap.conf'),
- );
-
- foreach ($configs as $config) {
- try {
- $tmp = file_get_contents($config["src"]);
- file_put_contents($config["tmp"], $tmp);
- system("sudo cp ".$config["tmp"]. " ".$config["dest"]);
- } catch (Exception $e) {
- $return = $e->getCode();
- }
- }
- $jsonData = ['return'=>$return];
- echo json_encode($jsonData);
+$return = 0;
+$path = "../../config";
+$configs = array(
+ array("src" => $path .'/hostapd.conf', "tmp" => "/tmp/hostapddata", "dest" => RASPI_HOSTAPD_CONFIG),
+ array("src" => $path .'/dhcpcd.conf', "tmp" => "/tmp/dhcpddata", "dest" => RASPI_DHCPCD_CONFIG),
+ array("src" => $path .'/090_wlan0.conf', "tmp" => "/tmp/dnsmasqdata", "dest" => RASPI_DNSMASQ_PREFIX.'wlan0.conf'),
+ array("src" => $path .'/090_raspap.conf', "tmp" => "/tmp/dnsmasqdata", "dest" => RASPI_DNSMASQ_PREFIX.'raspap.conf'),
+);
-} else {
- handleInvalidCSRFToken();
+foreach ($configs as $config) {
+ try {
+ $tmp = file_get_contents($config["src"]);
+ file_put_contents($config["tmp"], $tmp);
+ system("sudo cp ".$config["tmp"]. " ".$config["dest"]);
+ } catch (Exception $e) {
+ $return = $e->getCode();
+ }
 }
+$jsonData = ['return'=>$return];
+echo json_encode($jsonData);
+
diff --git a/ajax/networking/get_all_interfaces.php b/ajax/networking/get_all_interfaces.php
index b4e18572..f035c24f 100644
--- a/ajax/networking/get_all_interfaces.php
+++ b/ajax/networking/get_all_interfaces.php
@@ -1,6 +1,7 @@ ensureCSRFSessionToken();
+} else {
+ die('class failed to load!');
 }
+
+
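Review bot: The copy loop now runs unconditionally — the removed `} else { handleInvalidCSRFToken();` branch was the only visible CSRF gate in front of `system("sudo cp ...")`, and nothing in this hunk shows what replaces it; presumably the CSRFTokenizer constructor now rejects unvalidated POSTs, but that only holds if this script instantiates it before this point, which is outside the hunk (this hunk's own file header is not visible here either). Separately, the `try`/`catch (Exception $e)` around `file_get_contents()`, `file_put_contents()` and `system()` never fires, because those functions report failure through their return value rather than by throwing, so `$return` stays `0` and the JSON response claims success even when a read, write or copy failed. Checking the return values explicitly would make the response truthful, e.g. `if (($tmp = file_get_contents($config["src"])) === false) { $return = 1; continue; }` and the same `=== false` test on the write and the copy.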
diff --git a/includes/dashboard.php b/includes/dashboard.php
index 724a0175..50114aba 100755
--- a/includes/dashboard.php
+++ b/includes/dashboard.php
@@ -9,8 +9,10 @@ require_once 'includes/functions.php';
 */
 function DisplayDashboard(&$extraFooterScripts)
 {
- getWifiInterface();
 $status = new \RaspAP\Messages\StatusMessage;
+ //$csrfToken = new \RaspAP\Tokens\CSRFTokenizer;
+
+ getWifiInterface();
 // Need this check interface name for proper shell execution.
 if (!preg_match('/^([a-zA-Z0-9]+)$/', $_SESSION['wifi_client_interface'])) {
 $status->addMessage(_('Interface name invalid.'), 'danger');
diff --git a/includes/functions.php b/includes/functions.php
index 24a42f15..8bfc5bdd 100755
--- a/includes/functions.php
+++ b/includes/functions.php
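Review bot: The added `//$csrfToken = new \RaspAP\Tokens\CSRFTokenizer;` in DisplayDashboard() is commented-out code with no explanation; either instantiate the tokenizer here or drop the line, because a dead reference to the validator reads as if the check were active on this page when it is not. If it is meant as a reminder, a `// TODO: CSRF validation for this page happens in <where>` stating where the check actually runs would be clearer than disabled code. DisplayDashboard()'s body continues outside the hunk.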
@@ -285,79 +285,6 @@ function filter_comments($var)
 return $var[0] != '#';
 }
-/**
- * Saves a CSRF token in the session
- */
-function ensureCSRFSessionToken()
-{
- if (empty($_SESSION['csrf_token'])) {
- $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
- }
-}
-
-/**
- * Add CSRF Token to form
- */
-function CSRFTokenFieldTag()
-{
- $token = htmlspecialchars($_SESSION['csrf_token']);
- return '';
-}
-
-/**
- * Retuns a CSRF meta tag (for use with xhr, for example)
- */
-function CSRFMetaTag()
-{
- $token = htmlspecialchars($_SESSION['csrf_token']);
- return '';
-}
-
-/**
- * Validate CSRF Token
- */
-function CSRFValidate()
-{
- if(isset($_POST['csrf_token'])) {
- $post_token = $_POST['csrf_token'];
- $header_token = $_SERVER['HTTP_X_CSRF_TOKEN'];
-
- if (empty($post_token) && empty($header_token)) {
- return false;
- }
- $request_token = $post_token;
- if (empty($post_token)) {
- $request_token = $header_token;
- }
- if (hash_equals($_SESSION['csrf_token'], $request_token)) {
- return true;
- } else {
- error_log('CSRF violation');
- return false;
- }
- }
-}
-
-/**
- * Should the request be CSRF-validated?
- */
-function csrfValidateRequest()
-{
- $request_method = strtolower($_SERVER['REQUEST_METHOD']);
- return in_array($request_method, [ "post", "put", "patch", "delete" ]);
-}
-
-/**
- * Handle invalid CSRF
- */
-function handleInvalidCSRFToken()
-{
- header('HTTP/1.1 500 Internal Server Error');
- header('Content-Type: text/plain');
- echo 'Invalid CSRF token';
- exit;
-}
-
 /**
 * Test whether array is associative
 */
diff --git a/index.php b/index.php
index 83e2916d..bbd86843 100755
--- a/index.php
+++ b/index.php
@@ -23,11 +23,9 @@
 * as you leave these references intact in the header comments of your source files.
 */
-require 'includes/csrf.php';
-ensureCSRFSessionToken();
-
-require_once 'includes/config.php';
 require_once 'includes/autoload.php';
+require 'includes/csrf.php';
+require_once 'includes/config.php';
 require_once 'includes/defaults.php';
 require_once 'includes/locale.php';
 require_once 'includes/functions.php';
@@ -53,7 +51,7 @@ initializeApp(); - + CSRFMetaTag(); ?>
diff --git a/src/RaspAP/Tokens/CSRFTokenizer.php b/src/RaspAP/Tokens/CSRFTokenizer.php
new file mode 100644
index 00000000..211a029c
--- /dev/null
+++ b/src/RaspAP/Tokens/CSRFTokenizer.php
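Review bot: The `ensureCSRFSessionToken();` call is dropped from index.php and no replacement is visible in this hunk; `require 'includes/csrf.php';` is kept (now after autoload.php), but whether that file still generates the session token cannot be seen here. If nothing creates `$_SESSION['csrf_token']` on the first GET, the `CSRFMetaTag()` call in the second hunk reads an undefined session key and every subsequent validated POST is rejected. Worth confirming that includes/csrf.php calls `ensureCSRFSessionToken()` on the tokenizer instance, or adding that call right after the require, since the class constructor in the new CSRFTokenizer.php does not do it.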
@@ -0,0 +1,113 @@
+
+ * @author Martin Glaß
+ * @license https://github.com/raspap/raspap-webgui/blob/master/LICENSE
+
+declare(strict_types=1);
+
+namespace RaspAP\Tokens;
+
+class CSRFTokenizer
+{
+
+ // Constructor
+ public function __construct()
+ {
+ $this->ensureSession();
+ if ($this->csrfValidateRequest() && !$this->CSRFValidate()) {
+ $this->handleInvalidCSRFToken();
+ }
+ }
+
+ /**
+ * Saves a CSRF token in the session
+ */
+ public function ensureCSRFSessionToken()
+ {
+ if (empty($_SESSION['csrf_token'])) {
+ $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
+ }
+ }
+
+ /**
+ * Add CSRF Token to form
+ */
+ public function CSRFTokenFieldTag()
+ {
+ $token = htmlspecialchars($_SESSION['csrf_token']);
+ return '';
+ }
+
+ /**
+ * Retuns a CSRF meta tag (for use with xhr, for example)
+ */
+ public function CSRFMetaTag()
+ {
+ $token = htmlspecialchars($_SESSION['csrf_token']);
+ return '';
+ }
+
+ /**
+ * Validates a CSRF Token
+ */
+ public function CSRFValidate()
+ {
+ if(isset($_POST['csrf_token'])) {
+ $post_token = $_POST['csrf_token'];
+ $header_token = $_SERVER['HTTP_X_CSRF_TOKEN'];
+
+ if (empty($post_token) && empty($header_token)) {
+ return false;
+ }
+ $request_token = $post_token;
+ if (empty($post_token)) {
+ $request_token = $header_token;
+ }
+ if (hash_equals($_SESSION['csrf_token'], $request_token)) {
+ return true;
+ } else {
+ error_log('CSRF violation');
+ return false;
+ }
+ }
+ }
+
+ /**
+ * Should the request be CSRF-validated?
+ */
+ public function csrfValidateRequest()
+ {
+ $request_method = strtolower($_SERVER['REQUEST_METHOD']);
+ return in_array($request_method, [ "post", "put", "patch", "delete" ]);
+ }
+
+ /**
+ * Handle invalid CSRF
+ */
+ public function handleInvalidCSRFToken()
+ {
+ if (function_exists('http_response_code')) {
+ http_response_code(500);
+ echo 'Invalid CSRF token';
+ } else {
+ header('HTTP/1.1 500 Internal Server Error');
+ header('Content-Type: text/plain');
+ echo 'Invalid CSRF token';
+ }
+ exit;
+ }
+
+ protected function ensureSession()
+ {
+ if (session_status() == PHP_SESSION_NONE) {
+ session_start();
+ }
+ }
+}
+
diff --git a/templates/adblock.php b/templates/adblock.php
index 6493100b..56f0c1c8 100755
--- a/templates/adblock.php
+++ b/templates/adblock.php
@@ -28,7 +28,6 @@
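Review bot: `CSRFValidate()` only consults the `X-CSRF-Token` header when `$_POST['csrf_token']` is set, because the header branch sits inside `if(isset($_POST['csrf_token']))`; a header-only XHR request (the case `CSRFMetaTag()` exists for) falls through the outer `if` and returns `null`, which the constructor treats as a failed check. The same method reads `$_SERVER['HTTP_X_CSRF_TOKEN']` and `$_SESSION['csrf_token']` without checking they exist, and under this file's `declare(strict_types=1)` passing a missing (null) session token or an array-valued POST field to `hash_equals()` raises a TypeError instead of a clean rejection — and the constructor calls `ensureSession()` but never `ensureCSRFSessionToken()`, so on a fresh session the token is in fact absent. I would rewrite the validator as below with a `: bool` return type (the other methods would benefit from `: void`/`: string` likewise, and `in_array()` in csrfValidateRequest() should pass `strict: true`). `handleInvalidCSRFToken()`'s `http_response_code(500)` branch also drops the `Content-Type: text/plain` header that the fallback branch sets, and a 403 describes a rejected token more accurately than a 500.
```php
public function CSRFValidate(): bool
{
    $request_token = $_POST['csrf_token'] ?? '';
    if ($request_token === '') {
        $request_token = $_SERVER['HTTP_X_CSRF_TOKEN'] ?? '';
    }
    $session_token = $_SESSION['csrf_token'] ?? '';
    if (!is_string($request_token) || $request_token === '' || $session_token === '') {
        return false;
    }
    if (!hash_equals($session_token, $request_token)) {
        error_log('CSRF violation');
        return false;
    }
    return true;
}
```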
showMessages(); ?>
-
- +