Merge pull request #1859 from RaspAP/fix/ajax-installer-csrf

Fix: Ajax update use of legacy CSRF token handler
This commit is contained in:
Bill Zimmerman
2025-05-15 07:46:42 +02:00
committed by GitHub
2 changed files with 15 additions and 18 deletions


@@ -5,19 +5,12 @@ require_once '../../includes/session.php';
require_once '../../includes/config.php';
require_once '../../includes/authenticate.php';
if (isset($_POST['csrf_token'])) {
if (csrfValidateRequest() && !CSRFValidate()) {
handleInvalidCSRFToken();
}
// set installer path + options
$path = getenv("DOCUMENT_ROOT");
$opts = " --update --yes --check 0 --path $path";
$installer = "sudo /etc/raspap/system/raspbian.sh";
$execUpdate = $installer.$opts;
// set installer path + options
$path = getenv("DOCUMENT_ROOT");
$opts = " --update --yes --check 0 --path $path";
$installer = "sudo /etc/raspap/system/raspbian.sh";
$execUpdate = $installer.$opts;
$response = shell_exec($execUpdate);
echo json_encode($response);
$response = shell_exec($execUpdate);
echo json_encode($response);
} else {
handleInvalidCSRFToken();
}
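Review bot: Reading the `if (isset($_POST['csrf_token']))` wrapper and its `else` as removed lines, nothing left in this file rejects a request whose method is not POST, so the installer command reaches `shell_exec` for a plain GET that carries no token; the `validateRequest()` guard in the CSRF class only engages for POST/PUT/DELETE/PATCH, so the bottom-of-file hook there (assuming that is what session.php pulls in — not visible here) would not fire for such a request either. An explicit method guard ahead of the command build closes that, `if ($_SERVER['REQUEST_METHOD'] !== 'POST') { http_response_code(405); exit; }`. Separately, `$path` from `getenv("DOCUMENT_ROOT")` is spliced into the shell string unquoted; it is server configuration rather than user input, but `--path " . escapeshellarg($path)` costs nothing and survives a path with spaces. Finally, `shell_exec` yields `null` when the command fails or prints nothing, which `json_encode` turns into a bare `null` the caller cannot tell apart from a successful run, so consider checking the result and emitting an explicit error payload.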


@@ -26,9 +26,11 @@ class CSRF
public static function verify(): bool
{
$token = $_POST['csrf_token'];
if (!isset($_POST['csrf_token'])) {
return false;
}
return self::instance()->csrfValidateRequest() &&
self::instance()->CSRFValidate($_POST['csrf_token'] ?? '');
self::instance()->CSRFValidate($_POST['csrf_token']);
}
public static function metaTag(): string
@@ -53,13 +55,15 @@ class CSRF
*/
public static function validateRequest(): bool
{
return self::instance()->csrfValidateRequest();
$methods = ['POST', 'PUT', 'DELETE', 'PATCH'];
return in_array($_SERVER['REQUEST_METHOD'], $methods) &&
self::instance()->csrfValidateRequest();
}
}
if (\RaspAP\Tokens\CSRF::validateRequest()) {
if (!\RaspAP\Tokens\CSRF::verify()) {
error_log("CSRF verification failed. Token: " . ($_POST['csrf_token'] ?? 'not provided'));
error_log("CSRF verification failed: Token missing or invalid");
\RaspAP\Tokens\CSRF::handleInvalidToken();
}
}
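Review bot: `validateRequest()` now accepts PUT, DELETE and PATCH, but `verify()` still reads the token only from `$_POST`, which PHP does not populate for those methods, so any such request would be rejected by the hook at the bottom of the file even when it carries a valid token; either narrow the list to POST or have `verify()` also read the token from a request header (`$_SERVER['HTTP_X_CSRF_TOKEN'] ?? null` if the client sends `X-CSRF-Token`). Whether the project issues non-POST state-changing requests is not visible here, and the enclosing `class CSRF` begins before the first hunk. Two smaller points on the same lines: `$_SERVER['REQUEST_METHOD']` is undefined outside a web SAPI, so `in_array($_SERVER['REQUEST_METHOD'] ?? '', $methods, true)` avoids the warning and makes the comparison strict, and the literal list would read better as a class constant, e.g. `private const STATE_CHANGING_METHODS = ['POST', 'PUT', 'DELETE', 'PATCH'];`.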