From 5c2492e78599760b256f6f3958e5e30ff40bf54f Mon Sep 17 00:00:00 2001
From: Joe Haig
Date: Fri, 24 Jun 2016 22:39:39 +0100
Subject: [PATCH 1/2] Add CSRF token to password change page

---
 includes/admin.php | 39 ++++++++++++++++++++++-----------------
 includes/functions.php | 20 ++++++++++++++++++++
 index.php | 10 ++++++++++
 3 files changed, 52 insertions(+), 17 deletions(-)

diff --git a/includes/admin.php b/includes/admin.php
index a13f9bbd..513473e4 100755
--- a/includes/admin.php
+++ b/includes/admin.php
@@ -13,26 +13,30 @@ function Status($message, $level='success', $dismissable=true) {
 function DisplayAuthConfig($username, $password){
 $status = '';
 if (isset($_POST['UpdateAdminPassword'])) {
- if (password_verify($_POST['oldpass'], $password)) {
- $new_username=trim($_POST['username']);
- if ($_POST['newpass'] != $_POST['newpassagain']) {
- $status = Status('New passwords do not match', 'danger');
- } else if ($new_username == '') {
- $status = Status('Username must not be empty', 'danger');
- } else {
- if ($auth_file = fopen(RASPI_ADMIN_DETAILS, 'w')) {
- fwrite($auth_file, $new_username.PHP_EOL);
- fwrite($auth_file, password_hash($_POST['newpass'], PASSWORD_BCRYPT).PHP_EOL);
- fclose($auth_file);
- $username = $new_username;
- $status = Status('Admin password updated');
+ if (CSRFValidate()) {
+ if (password_verify($_POST['oldpass'], $password)) {
+ $new_username=trim($_POST['username']);
+ if ($_POST['newpass'] != $_POST['newpassagain']) {
+ $status = Status('New passwords do not match', 'danger');
+ } else if ($new_username == '') {
+ $status = Status('Username must not be empty', 'danger');
 } else {
- $status = Status('Failed to update admin password', 'danger');
+ if ($auth_file = fopen(RASPI_ADMIN_DETAILS, 'w')) {
+ fwrite($auth_file, $new_username.PHP_EOL);
+ fwrite($auth_file, password_hash($_POST['newpass'], PASSWORD_BCRYPT).PHP_EOL);
+ fclose($auth_file);
+ $username = $new_username;
+ $status = Status('Admin password updated');
+ } else {
+ $status = Status('Failed to update admin password', 'danger');
+ }
 }
+ } else {
+ $status = Status('Old password does not match', 'danger');
 }
- } else {
- $status = Status('Old password does not match', 'danger');
- }
+ } else {
+ // Log something
+ }
 }
 ?>
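Review bot: The re-added lines inside the new `if (CSRFValidate())` branch still compare the two new-password fields with loose `!=`, so numeric-looking strings such as `'1e3'` and `'1000'` are treated as equal and a mistyped confirmation can be accepted; change it to `if ($_POST['newpass'] !== $_POST['newpassagain']) {`. The same block reads `$_POST['oldpass']`, `$_POST['username']`, `$_POST['newpass']` and `$_POST['newpassagain']` without checking they are present, so a submission missing one of them reaches password_verify() and trim() with a null rather than a 'danger' Status; an `isset()` guard on those four keys before the verify call would close that. The body of CSRFValidate() is added in includes/functions.php, but that hunk is not legible in this patch, so the token comparison itself (hash_equals() or equivalent) could not be reviewed here. DisplayAuthConfig's body continues past the end of the hunk.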
@@ -42,6 +46,7 @@ function DisplayAuthConfig($username, $password){

+
diff --git a/includes/functions.php b/includes/functions.php index 0edc4939..72abadcc 100755 --- a/includes/functions.php +++ b/includes/functions.php @@ -1,5 +1,25 @@ + + From d92b01e8f273992826a4bfbbbd5a5ce7665aeec1 Mon Sep 17 00:00:00 2001 From: Joseph Haig Date: Sun, 26 Jun 2016 17:25:59 +0100 Subject: [PATCH 2/2] Fix tabbing --- includes/admin.php | 14 +++++++------- includes/functions.php | 2 +- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/includes/admin.php b/includes/admin.php index 513473e4..f9a8a4ff 100755 --- a/includes/admin.php +++ b/includes/admin.php @@ -11,10 +11,10 @@ function Status($message, $level='success', $dismissable=true) { } function DisplayAuthConfig($username, $password){ - $status = ''; - if (isset($_POST['UpdateAdminPassword'])) { - if (CSRFValidate()) { - if (password_verify($_POST['oldpass'], $password)) { + $status = ''; + if (isset($_POST['UpdateAdminPassword'])) { + if (CSRFValidate()) { + if (password_verify($_POST['oldpass'], $password)) { $new_username=trim($_POST['username']); if ($_POST['newpass'] != $_POST['newpassagain']) { $status = Status('New passwords do not match', 'danger'); @@ -35,7 +35,7 @@ function DisplayAuthConfig($username, $password){ $status = Status('Old password does not match', 'danger'); } } else { - // Log something + error_log('CSRF violation'); } } ?> @@ -45,8 +45,8 @@ function DisplayAuthConfig($username, $password){
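Review bot: `error_log('CSRF violation');` in the @@ -35,7 +35,7 @@ hunk of includes/admin.php records the failure but leaves `$status` as the empty string, so the admin who submitted the form sees no message and the password silently stays unchanged; add `$status = Status('Invalid request token, please try again', 'danger');` next to the log call. The log line also carries nothing that ties it to the request, so something like `error_log('CSRF violation on admin password change');` at least names the action being refused. The @@ -11,10 +11,10 @@ hunk in this commit is indentation only. DisplayAuthConfig's body both starts and ends outside the @@ -35 hunk.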
Configure Auth

- - + +
diff --git a/includes/functions.php b/includes/functions.php index 72abadcc..bd32ec65 100755 --- a/includes/functions.php +++ b/includes/functions.php @@ -7,7 +7,7 @@ */ function CSRFToken() { ?> - +