From de376d04d124b6b9898704a3037140982cfac3ea Mon Sep 17 00:00:00 2001 From: billz Date: Sun, 23 Mar 2025 23:13:29 -0700 Subject: [PATCH 01/24] Initial commit --- src/RaspAP/Tokens/CSRFTokenizer.php | 114 ++++++++++++++++++++++++++++ 1 file changed, 114 insertions(+) create mode 100644 src/RaspAP/Tokens/CSRFTokenizer.php diff --git a/src/RaspAP/Tokens/CSRFTokenizer.php b/src/RaspAP/Tokens/CSRFTokenizer.php new file mode 100644 index 00000000..b86e2f6a --- /dev/null +++ b/src/RaspAP/Tokens/CSRFTokenizer.php @@ -0,0 +1,114 @@ + + * @author Martin Glaß + * @license https://github.com/raspap/raspap-webgui/blob/master/LICENSE + */ + +declare(strict_types=1); + +namespace RaspAP\Tokens; + +class CSRFTokenizer +{ + + // Constructor + public function __construct() + { + $this->ensureSession(); + if ($this->csrfValidateRequest() && !$this->CSRFValidate()) { + $this->handleInvalidCSRFToken(); + } + } + + /** + * Saves a CSRF token in the session + */ + public function ensureCSRFSessionToken(): void + { + if (empty($_SESSION['csrf_token'])) { + $_SESSION['csrf_token'] = bin2hex(random_bytes(32)); + } + } + + /** + * Add CSRF Token to form + */ + public function CSRFTokenFieldTag(): string + { + $token = htmlspecialchars($_SESSION['csrf_token']); + return ''; + } + + /** + * Returns a CSRF meta tag (for use with xhr, for example) + */ + public function CSRFMetaTag(): string + { + $token = htmlspecialchars($_SESSION['csrf_token']); + return ''; + } + + /** + * Validates a CSRF Token + * + * @param string $token + */ + public function CSRFValidate(string $token): bool + { + if(isset($token) { + $header_token = $_SERVER['HTTP_X_CSRF_TOKEN']; + + if (empty($token) && empty($header_token)) { + return false; + } + $request_token = $token; + if (empty($token)) { + $request_token = $header_token; + } + if (hash_equals($_SESSION['csrf_token'], $request_token)) { + return true; + } else { + error_log('CSRF violation'); + return false; + } + } + } + + /** + * Should the request be CSRF-validated? + */ + public function csrfValidateRequest(): string + { + $request_method = strtolower($_SERVER['REQUEST_METHOD']); + return in_array($request_method, [ "post", "put", "patch", "delete" ]); + } + + /** + * Handle invalid CSRF + */ + public function handleInvalidCSRFToken(): string + { + if (function_exists('http_response_code')) { + http_response_code(500); + echo 'Invalid CSRF token'; + } else { + header('HTTP/1.1 500 Internal Server Error'); + header('Content-Type: text/plain'); + echo 'Invalid CSRF token'; + } + exit; + } + + protected function ensureSession() + { + if (session_status() == PHP_SESSION_NONE) { + session_start(); + } + } +} + From c8b0408bd55dbce0681209a6eb1fbf1330ab0661 Mon Sep 17 00:00:00 2001 From: billz Date: Tue, 25 Mar 2025 05:14:29 -0700 Subject: [PATCH 02/24] Refactor + fixup autoloader --- includes/autoload.php | 28 +++++----------------------- 1 file changed, 5 insertions(+), 23 deletions(-) diff --git a/includes/autoload.php b/includes/autoload.php index d39bd0c9..87177471 100755 --- a/includes/autoload.php +++ b/includes/autoload.php @@ -9,31 +9,13 @@ */ spl_autoload_register(function ($class) { - // project-specific namespace prefix - $prefix = ''; + // base directory where all class files are stored + $base_dir = __DIR__ . '/../src/'; - // base directory for the namespace prefix - $base_dir = 'src/'; + // convert the fully qualified class name into a file path + $file = $base_dir . str_replace('\\', '/', $class) . '.php'; - // normalize the base directory with a trailing separator - $base_dir = rtrim($base_dir, DIRECTORY_SEPARATOR) . '/'; - - // does the class use the namespace prefix? - $len = strlen($prefix); - if (strncmp($prefix, $class, $len) !== 0) { - // no, move to the next registered autoloader - return; - } - - // get the relative class name - $relative_class = substr($class, $len); - - // replace the namespace prefix with the base directory, replace namespace - // separators with directory separators in the relative class name, append - // with .php - $file = $base_dir . str_replace('\\', '/', $relative_class) . '.php'; - - // if the file exists, require it + // require the file if it exists if (file_exists($file)) { require $file; } From 2a70f6ee1189be3e22eae594eb185d69d191c50f Mon Sep 17 00:00:00 2001 From: billz Date: Tue, 25 Mar 2025 05:15:34 -0700 Subject: [PATCH 03/24] Replace csrf and explicit HTTPAuth includes with autoload.php --- ajax/adblock/update_blocklist.php | 4 +--- ajax/bandwidth/get_bandwidth.php | 4 +--- ajax/bandwidth/get_bandwidth_hourly.php | 4 +--- ajax/logging/clearlog.php | 4 +--- ajax/networking/do_sys_reset.php | 10 +++++----- ajax/networking/get_all_interfaces.php | 4 +--- ajax/networking/get_channel.php | 4 +--- ajax/networking/get_frequencies.php | 5 +---- ajax/networking/get_ip_summary.php | 4 +--- ajax/networking/get_netcfg.php | 5 ++--- ajax/networking/get_nl80211_band.php | 4 +--- ajax/networking/get_wgcfg.php | 4 +--- ajax/networking/get_wgkey.php | 4 +--- ajax/networking/wifi_stations.php | 4 +--- ajax/openvpn/activate_ovpncfg.php | 4 +--- ajax/openvpn/del_ovpncfg.php | 4 +--- ajax/plugins/do_plugin_install.php | 5 +---- ajax/session/do_check_session.php | 4 +--- 18 files changed, 23 insertions(+), 58 deletions(-) diff --git a/ajax/adblock/update_blocklist.php b/ajax/adblock/update_blocklist.php index 46f7798e..f21cb4aa 100644 --- a/ajax/adblock/update_blocklist.php +++ b/ajax/adblock/update_blocklist.php @@ -1,9 +1,7 @@ csrfValidateRequest() && !$token->CSRFValidate()) { + $token->handleInvalidCSRFToken(); } $return = 0; $path = "../../config"; @@ -33,5 +32,6 @@ if (isset($_POST['csrf_token'])) { echo json_encode($jsonData); } else { - handleInvalidCSRFToken(); + $token->handleInvalidCSRFToken(); } + diff --git a/ajax/networking/get_all_interfaces.php b/ajax/networking/get_all_interfaces.php index b88e987b..2953b734 100644 --- a/ajax/networking/get_all_interfaces.php +++ b/ajax/networking/get_all_interfaces.php @@ -1,9 +1,7 @@ Date: Tue, 25 Mar 2025 05:17:58 -0700 Subject: [PATCH 04/24] Remove CSRF related functions (made obsolete by Token class) --- includes/functions.php | 76 ------------------------------------------ 1 file changed, 76 deletions(-) diff --git a/includes/functions.php b/includes/functions.php index 54b4939c..6ef53ea4 100755 --- a/includes/functions.php +++ b/includes/functions.php @@ -306,82 +306,6 @@ function filter_comments($var) return $var[0] != '#'; } -/** - * Saves a CSRF token in the session - */ -function ensureCSRFSessionToken() -{ - if (empty($_SESSION['csrf_token'])) { - $_SESSION['csrf_token'] = bin2hex(random_bytes(32)); - } -} - -/** - * Add CSRF Token to form - */ -function CSRFTokenFieldTag() -{ - $token = htmlspecialchars($_SESSION['csrf_token']); - return ''; -} - -/** - * Retuns a CSRF meta tag (for use with xhr, for example) - */ -function CSRFMetaTag() -{ - $token = htmlspecialchars($_SESSION['csrf_token']); - return ''; -} - -/** - * Validate CSRF Token - */ -function CSRFValidate() -{ - if (empty($_SESSION['csrf_token']) || !is_string($_SESSION['csrf_token'])) { - error_log('Session expired or CSRF token is missing.'); - header('Location: /login'); - exit; - } - - $post_token = $_POST['csrf_token'] ?? null; - $header_token = $_SERVER['HTTP_X_CSRF_TOKEN'] ?? null; - - if (empty($post_token) && is_null($header_token)) { - error_log('CSRF token missing in the request'); - return false; - } - $request_token = $post_token ?: $header_token; - - if (hash_equals($_SESSION['csrf_token'], $request_token)) { - return true; - } else { - error_log('CSRF token mismatch'); - return false; - } -} - -/** - * Should the request be CSRF-validated? - */ -function csrfValidateRequest() -{ - $request_method = strtolower($_SERVER['REQUEST_METHOD']); - return in_array($request_method, [ "post", "put", "patch", "delete" ]); -} - -/** - * Handle invalid CSRF - */ -function handleInvalidCSRFToken() -{ - header('HTTP/1.1 500 Internal Server Error'); - header('Content-Type: text/plain'); - echo 'Invalid CSRF token'; - exit; -} - /** * Test whether array is associative */ From a5907d8f7f2acac17875794b6d57915748a75794 Mon Sep 17 00:00:00 2001 From: billz Date: Tue, 25 Mar 2025 05:21:35 -0700 Subject: [PATCH 05/24] Class loading handled by autoloader, objects instantiated by index.php --- includes/csrf.php | 7 ------- includes/exceptions.php | 6 ------ 2 files changed, 13 deletions(-) delete mode 100755 includes/csrf.php delete mode 100755 includes/exceptions.php diff --git a/includes/csrf.php b/includes/csrf.php deleted file mode 100755 index 4e098e5b..00000000 --- a/includes/csrf.php +++ /dev/null @@ -1,7 +0,0 @@ - - From b3c61782749559ae710b2bcc608ecf6f000650f5 Mon Sep 17 00:00:00 2001 From: billz Date: Tue, 25 Mar 2025 05:22:29 -0700 Subject: [PATCH 06/24] Accept $token object, pass to renderTemplate() --- includes/about.php | 5 +++-- includes/adblock.php | 6 ++--- includes/admin.php | 5 +++-- includes/configure_client.php | 11 ++++++++-- includes/dashboard.php | 9 ++++---- includes/dhcp.php | 5 +++-- includes/hostapd.php | 5 +++-- includes/login.php | 5 +++-- includes/openvpn.php | 5 +++-- includes/page_actions.php | 41 ++++++++++++++++++----------------- includes/restapi.php | 19 +++++++++------- includes/system.php | 5 +++-- includes/wireguard.php | 5 +++-- 13 files changed, 72 insertions(+), 54 deletions(-) diff --git a/includes/about.php b/includes/about.php index 45008f2d..12bf1897 100755 --- a/includes/about.php +++ b/includes/about.php @@ -5,7 +5,7 @@ require_once "app/lib/Parsedown.php"; /** * Displays info about the RaspAP project */ -function DisplayAbout() +function DisplayAbout($token) { $Parsedown = new Parsedown(); $strContent = file_get_contents($_SERVER['DOCUMENT_ROOT'].'/BACKERS.md'); @@ -17,7 +17,8 @@ function DisplayAbout() echo renderTemplate( "about", compact( 'sponsorsHtml', - 'contributingHtml' + 'contributingHtml', + 'token' ) ); } diff --git a/includes/adblock.php b/includes/adblock.php index ec6fb38d..75a751f0 100755 --- a/includes/adblock.php +++ b/includes/adblock.php @@ -6,7 +6,7 @@ require_once 'config.php'; * Manages ad blocking (dnsmasq) configuration * */ -function DisplayAdBlockConfig() +function DisplayAdBlockConfig($token) { $status = new \RaspAP\Messages\StatusMessage; $enabled = false; @@ -93,7 +93,6 @@ function DisplayAdBlockConfig() $adblock_log = "Unable to open log file"; } $logdata = getLogLimited(RASPI_DHCPCD_LOG, $adblock_log); - echo renderTemplate( "adblock", compact( "status", @@ -102,7 +101,8 @@ function DisplayAdBlockConfig() "enabled", "custom_enabled", "adblock_custom_content", - "logdata" + "logdata", + "token" ) ); } diff --git a/includes/admin.php b/includes/admin.php index 61dd21ed..c169a6f4 100755 --- a/includes/admin.php +++ b/includes/admin.php @@ -1,6 +1,6 @@ getVpnManged($vpn); - } + $vpnManaged = $vpn ? $dashboard->getVpnManaged($vpn) : null; $firewallManaged = $firewallStatus = ""; $firewallInstalled = array_filter($plugins, fn($p) => str_ends_with($p, 'Firewall')) ? true : false; if (!$firewallInstalled) { @@ -122,7 +120,8 @@ function DisplayDashboard(&$extraFooterScripts): void "wirelessActive", "tetheringActive", "cellularActive", - "status" + "status", + "token" ) ); $extraFooterScripts[] = array('src'=>'app/js/dashboardchart.js', 'defer'=>false); diff --git a/includes/dhcp.php b/includes/dhcp.php index fd6a47ac..2986c602 100755 --- a/includes/dhcp.php +++ b/includes/dhcp.php @@ -5,7 +5,7 @@ require_once 'config.php'; /** * Manage DHCP configuration */ -function DisplayDHCPConfig() +function DisplayDHCPConfig($token) { $status = new \RaspAP\Messages\StatusMessage; if (!RASPI_MONITOR_ENABLED) { @@ -74,7 +74,8 @@ function DisplayDHCPConfig() "upstreamServers", "interfaces", "leases", - "logdata" + "logdata", + "token" ) ); } diff --git a/includes/hostapd.php b/includes/hostapd.php index 99b24fe3..6483c425 100755 --- a/includes/hostapd.php +++ b/includes/hostapd.php @@ -9,7 +9,7 @@ getWifiInterface(); * Initialize hostapd values, display interface * */ -function DisplayHostAPDConfig() +function DisplayHostAPDConfig($token) { $status = new \RaspAP\Messages\StatusMessage; $system = new \RaspAP\System\Sysinfo; @@ -165,7 +165,8 @@ function DisplayHostAPDConfig() "operatingSystem", "selectedHwMode", "countryCodes", - "logdata" + "logdata", + "token" ) ); } diff --git a/includes/login.php b/includes/login.php index e3084a27..742ff6c1 100755 --- a/includes/login.php +++ b/includes/login.php @@ -6,7 +6,7 @@ require_once 'includes/functions.php'; /** * Handler for administrative user login */ -function DisplayLogin() +function DisplayLogin($token) { // initialize auth object $auth = new \RaspAP\Auth\HTTPAuth; @@ -33,7 +33,8 @@ function DisplayLogin() echo renderTemplate( "login", compact( "status", - "redirectUrl" + "redirectUrl", + "token" ) ); } diff --git a/includes/openvpn.php b/includes/openvpn.php index 2b59666b..9c2c4418 100755 --- a/includes/openvpn.php +++ b/includes/openvpn.php @@ -8,7 +8,7 @@ getWifiInterface(); /** * Manage OpenVPN configuration */ -function DisplayOpenVPNConfig() +function DisplayOpenVPNConfig($token) { $status = new \RaspAP\Messages\StatusMessage; if (!RASPI_MONITOR_ENABLED) { @@ -79,7 +79,8 @@ function DisplayOpenVPNConfig() "authUser", "authPassword", "clients", - "conf_default" + "conf_default", + "token" ) ); } diff --git a/includes/page_actions.php b/includes/page_actions.php index c9649792..28606e07 100755 --- a/includes/page_actions.php +++ b/includes/page_actions.php @@ -9,7 +9,7 @@ $page = $_SERVER['PATH_INFO']; // Check if any plugin wants to handle the request if (!$pluginManager->handlePageAction($page)) { // If no plugin is available fall back to core page action handlers - handleCorePageAction($page, $extraFooterScripts); + handleCorePageAction($page, $extraFooterScripts, $token); } /** @@ -17,64 +17,65 @@ if (!$pluginManager->handlePageAction($page)) { * * @param string $page * @param array $extraFooterScripts + * @param object $token * @return void */ -function handleCorePageAction(string $page, array &$extraFooterScripts): void +function handleCorePageAction(string $page, array &$extraFooterScripts, object $token): void { switch ($page) { case "/wlan0_info": - DisplayDashboard($extraFooterScripts); + DisplayDashboard($extraFooterScripts, $token); break; case "/dhcpd_conf": - DisplayDHCPConfig(); + DisplayDHCPConfig($token); break; case "/wpa_conf": - DisplayWPAConfig(); + DisplayWPAConfig($token); break; case "/network_conf": - DisplayNetworkingConfig(); + DisplayNetworkingConfig($token); break; case "/hostapd_conf": - DisplayHostAPDConfig(); + DisplayHostAPDConfig($token); break; case "/adblock_conf": - DisplayAdBlockConfig(); + DisplayAdBlockConfig($token); break; case "/openvpn_conf": - DisplayOpenVPNConfig(); + DisplayOpenVPNConfig($token); break; case "/wg_conf": - DisplayWireGuardConfig(); + DisplayWireGuardConfig($token); break; case "/provider_conf": - DisplayProviderConfig(); + DisplayProviderConfig($token); break; case "/torproxy_conf": - DisplayTorProxyConfig(); + DisplayTorProxyConfig($token); break; case "/auth_conf": - DisplayAuthConfig($_SESSION['user_id']); + DisplayAuthConfig($_SESSION['user_id'], $token); break; case "/save_hostapd_conf": - SaveTORAndVPNConfig(); + SaveTORAndVPNConfig($token); break; case "/data_use": - DisplayDataUsage($extraFooterScripts); + DisplayDataUsage($extraFooterScripts, $token); break; case "/system_info": - DisplaySystem($extraFooterScripts); + DisplaySystem($extraFooterScripts, $token); break; case "/restapi_conf": - DisplayRestAPI(); + DisplayRestAPI($token); break; case "/about": - DisplayAbout(); + DisplayAbout($token); break; case "/login": - DisplayLogin(); + DisplayLogin($token); break; default: - DisplayDashboard($extraFooterScripts); + DisplayDashboard($extraFooterScripts, $token); } } diff --git a/includes/restapi.php b/includes/restapi.php index 4c11cfce..621e390f 100755 --- a/includes/restapi.php +++ b/includes/restapi.php @@ -6,7 +6,7 @@ require_once 'config.php'; /** * Handler for RestAPI settings */ -function DisplayRestAPI() +function DisplayRestAPI($token) { // initialize status object $status = new \RaspAP\Messages\StatusMessage; @@ -59,13 +59,16 @@ function DisplayRestAPI() $docMsg = sprintf(_("RestAPI docs are accessible here %s"),$docUrl, $faicon); } - echo renderTemplate("restapi", compact( - "status", - "apiKey", - "serviceStatus", - "serviceLog", - "docMsg" - )); + echo renderTemplate( + "restapi", compact( + "status", + "apiKey", + "serviceStatus", + "serviceLog", + "docMsg", + "token" + ) + ); } /** diff --git a/includes/system.php b/includes/system.php index d37a5450..addaeea2 100755 --- a/includes/system.php +++ b/includes/system.php @@ -6,7 +6,7 @@ require_once 'config.php'; /** * */ -function DisplaySystem(&$extraFooterScripts) +function DisplaySystem(&$extraFooterScripts, $token) { $status = new \RaspAP\Messages\StatusMessage; $dashboard = new \RaspAP\UI\Dashboard; @@ -146,7 +146,8 @@ function DisplaySystem(&$extraFooterScripts) "themes", "selectedTheme", "logLimit", - "pluginsTable" + "pluginsTable", + "token" )); } diff --git a/includes/wireguard.php b/includes/wireguard.php index f6beb3dd..5a04801a 100755 --- a/includes/wireguard.php +++ b/includes/wireguard.php @@ -5,7 +5,7 @@ require_once 'config.php'; /** * Displays wireguard server & peer configuration */ -function DisplayWireGuardConfig() +function DisplayWireGuardConfig($token) { $status = new \RaspAP\Messages\StatusMessage; $parseFlag = true; @@ -98,7 +98,8 @@ function DisplayWireGuardConfig() "wg_pendpoint", "wg_pallowedips", "wg_pkeepalive", - "wg_log" + "wg_log", + "token" ) ); } From bbf1caf77789a1728abcf7e6d065f858985f6e79 Mon Sep 17 00:00:00 2001 From: billz Date: Tue, 25 Mar 2025 05:23:06 -0700 Subject: [PATCH 07/24] Update with $token->CSRFTokenFieldTag() --- templates/adblock.php | 2 +- templates/admin.php | 2 +- templates/configure_client.php | 2 +- templates/dashboard.php | 2 +- templates/dhcp.php | 2 +- templates/hostapd.php | 2 +- templates/login.php | 2 +- templates/openvpn.php | 2 +- templates/restapi.php | 2 +- templates/system.php | 2 +- templates/system/advanced.php | 2 +- templates/system/basic.php | 2 +- templates/system/plugins.php | 2 +- templates/system/theme.php | 2 +- templates/system/tools.php | 2 +- templates/wireguard.php | 2 +- 16 files changed, 16 insertions(+), 16 deletions(-) diff --git a/templates/adblock.php b/templates/adblock.php index b51d6dd8..19f9c544 100755 --- a/templates/adblock.php +++ b/templates/adblock.php @@ -28,7 +28,7 @@
showMessages(); ?>
- + CSRFTokenFieldTag(); ?>
    • diff --git a/templates/admin.php b/templates/admin.php index c528e781..90d98988 100755 --- a/templates/admin.php +++ b/templates/admin.php @@ -19,7 +19,7 @@ showMessages(); ?>

    - + CSRFTokenFieldTag() ?>
    diff --git a/templates/configure_client.php b/templates/configure_client.php index bc1b39f1..d4649918 100755 --- a/templates/configure_client.php +++ b/templates/configure_client.php @@ -27,7 +27,7 @@
    - + CSRFTokenFieldTag() ?> diff --git a/templates/dashboard.php b/templates/dashboard.php index 394dcbf6..2b9a7ed6 100755 --- a/templates/dashboard.php +++ b/templates/dashboard.php @@ -30,7 +30,7 @@
    showMessages(); ?>
    - + CSRFTokenFieldTag() ?>
      diff --git a/templates/dhcp.php b/templates/dhcp.php index 40989763..1ba6d3b9 100755 --- a/templates/dhcp.php +++ b/templates/dhcp.php @@ -30,7 +30,7 @@
      showMessages(); ?> - + CSRFTokenFieldTag() ?>
        diff --git a/templates/hostapd.php b/templates/hostapd.php index e4eaee58..b802b208 100755 --- a/templates/hostapd.php +++ b/templates/hostapd.php @@ -50,7 +50,7 @@
        showMessages(); ?> - + CSRFTokenFieldTag() ?>
          diff --git a/templates/login.php b/templates/login.php index ab8cfbd0..3291364d 100755 --- a/templates/login.php +++ b/templates/login.php @@ -15,7 +15,7 @@
        - + CSRFTokenFieldTag() ?>
        diff --git a/templates/openvpn.php b/templates/openvpn.php index f2b839e8..2d923b54 100755 --- a/templates/openvpn.php +++ b/templates/openvpn.php @@ -29,7 +29,7 @@
        showMessages(); ?> - + CSRFTokenFieldTag() ?>
          • diff --git a/templates/restapi.php b/templates/restapi.php index 48e918d8..3a26ae20 100755 --- a/templates/restapi.php +++ b/templates/restapi.php @@ -28,7 +28,7 @@
          showMessages(); ?> - + CSRFTokenFieldTag() ?>
            • diff --git a/templates/system.php b/templates/system.php index 039614c4..64b25e82 100755 --- a/templates/system.php +++ b/templates/system.php @@ -11,7 +11,7 @@
            showMessages(); ?> - + CSRFTokenFieldTag() ?>
              diff --git a/templates/system/advanced.php b/templates/system/advanced.php index 0f110932..8b48e988 100644 --- a/templates/system/advanced.php +++ b/templates/system/advanced.php @@ -3,7 +3,7 @@

              - + CSRFTokenFieldTag() ?>
              diff --git a/templates/system/basic.php b/templates/system/basic.php index 4474e3d9..353743dd 100644 --- a/templates/system/basic.php +++ b/templates/system/basic.php @@ -56,7 +56,7 @@ include('includes/sysstats.php');
              - + CSRFTokenFieldTag() ?> " /> " /> diff --git a/templates/system/plugins.php b/templates/system/plugins.php index 4d875c49..1365a976 100644 --- a/templates/system/plugins.php +++ b/templates/system/plugins.php @@ -1,7 +1,7 @@

              - + CSRFTokenFieldTag() ?>
              - + CSRFTokenFieldTag() ?>
              diff --git a/templates/system/tools.php b/templates/system/tools.php index 32eb19ca..b38b2ced 100644 --- a/templates/system/tools.php +++ b/templates/system/tools.php @@ -2,7 +2,7 @@

              - + CSRFTokenFieldTag() ?>
              diff --git a/templates/wireguard.php b/templates/wireguard.php index 83669f7d..40bb1970 100755 --- a/templates/wireguard.php +++ b/templates/wireguard.php @@ -28,7 +28,7 @@
              showMessages(); ?>
              - + CSRFTokenFieldTag() ?>
                • From 8ad582b3b2b7f2ef8adbd722668c64d9dc2289d1 Mon Sep 17 00:00:00 2001 From: billz Date: Tue, 25 Mar 2025 05:23:52 -0700 Subject: [PATCH 08/24] Instantiate ExceptionHandler, CSRFTokenizer objects --- index.php | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/index.php b/index.php index 2117e8c4..e078adf6 100755 --- a/index.php +++ b/index.php @@ -23,13 +23,12 @@ * as you leave these references intact in the header comments of your source files. */ -require 'includes/session.php'; -require 'includes/csrf.php'; -ensureCSRFSessionToken(); - -require_once 'includes/exceptions.php'; require_once 'includes/config.php'; require_once 'includes/autoload.php'; +$handler = new RaspAP\Exceptions\ExceptionHandler; +$token = new RaspAP\Tokens\CSRFTokenizer; + +require_once 'includes/session.php'; require_once 'includes/defaults.php'; require_once 'includes/locale.php'; require_once 'includes/functions.php'; @@ -59,7 +58,7 @@ initializeApp(); > - + CSRFMetaTag() ?> From 49cb3911b87bc97bd1562fdc9ba94d8f7e505f9d Mon Sep 17 00:00:00 2001 From: billz Date: Tue, 25 Mar 2025 05:25:11 -0700 Subject: [PATCH 09/24] Fixup misnamed method getVpnManged -> getVpnManaged --- src/RaspAP/UI/Dashboard.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/RaspAP/UI/Dashboard.php b/src/RaspAP/UI/Dashboard.php index aac7212d..9e5bf9d8 100644 --- a/src/RaspAP/UI/Dashboard.php +++ b/src/RaspAP/UI/Dashboard.php @@ -24,7 +24,7 @@ class Dashboard { * @param string $interface * @return string */ - public function getVpnManged(?string $interface = null): ?string + public function getVpnManaged(?string $interface = null): ?string { return match ($interface) { 'wg0' => '/wg_conf', From 821ac9c1f8f4af0c573bdbb8e66ff3919af1466f Mon Sep 17 00:00:00 2001 From: billz Date: Tue, 25 Mar 2025 05:26:53 -0700 Subject: [PATCH 10/24] Numerous fixes to class methods --- src/RaspAP/Tokens/CSRFTokenizer.php | 26 +++++++++++++++++--------- 1 file changed, 17 insertions(+), 9 deletions(-) diff --git a/src/RaspAP/Tokens/CSRFTokenizer.php b/src/RaspAP/Tokens/CSRFTokenizer.php index b86e2f6a..9be05683 100644 --- a/src/RaspAP/Tokens/CSRFTokenizer.php +++ b/src/RaspAP/Tokens/CSRFTokenizer.php @@ -13,14 +13,13 @@ declare(strict_types=1); namespace RaspAP\Tokens; -class CSRFTokenizer -{ +class CSRFTokenizer { // Constructor public function __construct() { $this->ensureSession(); - if ($this->csrfValidateRequest() && !$this->CSRFValidate()) { + if ($this->csrfValidateRequest() && !$this->CSRFValidate($_SESSION['csrf_token'])) { $this->handleInvalidCSRFToken(); } } @@ -36,7 +35,7 @@ class CSRFTokenizer } /** - * Add CSRF Token to form + * Adds a CSRF Token to form */ public function CSRFTokenFieldTag(): string { @@ -49,8 +48,16 @@ class CSRFTokenizer */ public function CSRFMetaTag(): string { - $token = htmlspecialchars($_SESSION['csrf_token']); - return ''; + // if session has expired or user has logged out, + // create a new session and token + if (empty($_SESSION['csrf_token'])) { + $this->ensureSession(); + $this->ensureCSRFSessionToken(); + return $_SESSION['csrf_token']; + } else { + $token = htmlspecialchars($_SESSION['csrf_token']); + return ''; + } } /** @@ -60,8 +67,8 @@ class CSRFTokenizer */ public function CSRFValidate(string $token): bool { - if(isset($token) { - $header_token = $_SERVER['HTTP_X_CSRF_TOKEN']; + if(isset($token)) { + $header_token = $_SERVER['HTTP_X_CSRF_TOKEN'] ?? ''; if (empty($token) && empty($header_token)) { return false; @@ -82,7 +89,7 @@ class CSRFTokenizer /** * Should the request be CSRF-validated? */ - public function csrfValidateRequest(): string + public function csrfValidateRequest(): bool { $request_method = strtolower($_SERVER['REQUEST_METHOD']); return in_array($request_method, [ "post", "put", "patch", "delete" ]); @@ -108,6 +115,7 @@ class CSRFTokenizer { if (session_status() == PHP_SESSION_NONE) { session_start(); + session_regenerate_id(true); } } } From 48e492bf10223d9062544a168735518121494319 Mon Sep 17 00:00:00 2001 From: billz Date: Tue, 25 Mar 2025 06:49:18 -0700 Subject: [PATCH 11/24] Ensure a CSRF token exists in session --- src/RaspAP/Tokens/CSRFTokenizer.php | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/src/RaspAP/Tokens/CSRFTokenizer.php b/src/RaspAP/Tokens/CSRFTokenizer.php index 9be05683..51603867 100644 --- a/src/RaspAP/Tokens/CSRFTokenizer.php +++ b/src/RaspAP/Tokens/CSRFTokenizer.php @@ -19,6 +19,12 @@ class CSRFTokenizer { public function __construct() { $this->ensureSession(); + + // ensure a CSRF token exists in the session + if (empty($_SESSION['csrf_token'])) { + $this->ensureCSRFSessionToken; + } + if ($this->csrfValidateRequest() && !$this->CSRFValidate($_SESSION['csrf_token'])) { $this->handleInvalidCSRFToken(); } From b0ba029c66aef6eda40b719fd9576aa8deaebc4c Mon Sep 17 00:00:00 2001 From: billz Date: Tue, 25 Mar 2025 13:23:58 -0700 Subject: [PATCH 12/24] Revert "Accept $token object, pass to renderTemplate()" This reverts commit b3c61782749559ae710b2bcc608ecf6f000650f5. --- includes/about.php | 5 ++--- includes/adblock.php | 6 ++--- includes/admin.php | 5 ++--- includes/configure_client.php | 11 ++-------- includes/dashboard.php | 9 ++++---- includes/dhcp.php | 5 ++--- includes/hostapd.php | 5 ++--- includes/login.php | 5 ++--- includes/openvpn.php | 5 ++--- includes/page_actions.php | 41 +++++++++++++++++------------------ includes/restapi.php | 19 +++++++--------- includes/system.php | 5 ++--- includes/wireguard.php | 5 ++--- 13 files changed, 54 insertions(+), 72 deletions(-) diff --git a/includes/about.php b/includes/about.php index 12bf1897..45008f2d 100755 --- a/includes/about.php +++ b/includes/about.php @@ -5,7 +5,7 @@ require_once "app/lib/Parsedown.php"; /** * Displays info about the RaspAP project */ -function DisplayAbout($token) +function DisplayAbout() { $Parsedown = new Parsedown(); $strContent = file_get_contents($_SERVER['DOCUMENT_ROOT'].'/BACKERS.md'); @@ -17,8 +17,7 @@ function DisplayAbout($token) echo renderTemplate( "about", compact( 'sponsorsHtml', - 'contributingHtml', - 'token' + 'contributingHtml' ) ); } diff --git a/includes/adblock.php b/includes/adblock.php index 75a751f0..ec6fb38d 100755 --- a/includes/adblock.php +++ b/includes/adblock.php @@ -6,7 +6,7 @@ require_once 'config.php'; * Manages ad blocking (dnsmasq) configuration * */ -function DisplayAdBlockConfig($token) +function DisplayAdBlockConfig() { $status = new \RaspAP\Messages\StatusMessage; $enabled = false; @@ -93,6 +93,7 @@ function DisplayAdBlockConfig($token) $adblock_log = "Unable to open log file"; } $logdata = getLogLimited(RASPI_DHCPCD_LOG, $adblock_log); + echo renderTemplate( "adblock", compact( "status", @@ -101,8 +102,7 @@ function DisplayAdBlockConfig($token) "enabled", "custom_enabled", "adblock_custom_content", - "logdata", - "token" + "logdata" ) ); } diff --git a/includes/admin.php b/includes/admin.php index c169a6f4..61dd21ed 100755 --- a/includes/admin.php +++ b/includes/admin.php @@ -1,6 +1,6 @@ getVpnManaged($vpn) : null; + if ($vpn) { + $vpnManaged = $dashboard->getVpnManged($vpn); + } $firewallManaged = $firewallStatus = ""; $firewallInstalled = array_filter($plugins, fn($p) => str_ends_with($p, 'Firewall')) ? true : false; if (!$firewallInstalled) { @@ -120,8 +122,7 @@ function DisplayDashboard(&$extraFooterScripts, $token): void "wirelessActive", "tetheringActive", "cellularActive", - "status", - "token" + "status" ) ); $extraFooterScripts[] = array('src'=>'app/js/dashboardchart.js', 'defer'=>false); diff --git a/includes/dhcp.php b/includes/dhcp.php index 2986c602..fd6a47ac 100755 --- a/includes/dhcp.php +++ b/includes/dhcp.php @@ -5,7 +5,7 @@ require_once 'config.php'; /** * Manage DHCP configuration */ -function DisplayDHCPConfig($token) +function DisplayDHCPConfig() { $status = new \RaspAP\Messages\StatusMessage; if (!RASPI_MONITOR_ENABLED) { @@ -74,8 +74,7 @@ function DisplayDHCPConfig($token) "upstreamServers", "interfaces", "leases", - "logdata", - "token" + "logdata" ) ); } diff --git a/includes/hostapd.php b/includes/hostapd.php index 6483c425..99b24fe3 100755 --- a/includes/hostapd.php +++ b/includes/hostapd.php @@ -9,7 +9,7 @@ getWifiInterface(); * Initialize hostapd values, display interface * */ -function DisplayHostAPDConfig($token) +function DisplayHostAPDConfig() { $status = new \RaspAP\Messages\StatusMessage; $system = new \RaspAP\System\Sysinfo; @@ -165,8 +165,7 @@ function DisplayHostAPDConfig($token) "operatingSystem", "selectedHwMode", "countryCodes", - "logdata", - "token" + "logdata" ) ); } diff --git a/includes/login.php b/includes/login.php index 742ff6c1..e3084a27 100755 --- a/includes/login.php +++ b/includes/login.php @@ -6,7 +6,7 @@ require_once 'includes/functions.php'; /** * Handler for administrative user login */ -function DisplayLogin($token) +function DisplayLogin() { // initialize auth object $auth = new \RaspAP\Auth\HTTPAuth; @@ -33,8 +33,7 @@ function DisplayLogin($token) echo renderTemplate( "login", compact( "status", - "redirectUrl", - "token" + "redirectUrl" ) ); } diff --git a/includes/openvpn.php b/includes/openvpn.php index 9c2c4418..2b59666b 100755 --- a/includes/openvpn.php +++ b/includes/openvpn.php @@ -8,7 +8,7 @@ getWifiInterface(); /** * Manage OpenVPN configuration */ -function DisplayOpenVPNConfig($token) +function DisplayOpenVPNConfig() { $status = new \RaspAP\Messages\StatusMessage; if (!RASPI_MONITOR_ENABLED) { @@ -79,8 +79,7 @@ function DisplayOpenVPNConfig($token) "authUser", "authPassword", "clients", - "conf_default", - "token" + "conf_default" ) ); } diff --git a/includes/page_actions.php b/includes/page_actions.php index 28606e07..c9649792 100755 --- a/includes/page_actions.php +++ b/includes/page_actions.php @@ -9,7 +9,7 @@ $page = $_SERVER['PATH_INFO']; // Check if any plugin wants to handle the request if (!$pluginManager->handlePageAction($page)) { // If no plugin is available fall back to core page action handlers - handleCorePageAction($page, $extraFooterScripts, $token); + handleCorePageAction($page, $extraFooterScripts); } /** @@ -17,65 +17,64 @@ if (!$pluginManager->handlePageAction($page)) { * * @param string $page * @param array $extraFooterScripts - * @param object $token * @return void */ -function handleCorePageAction(string $page, array &$extraFooterScripts, object $token): void +function handleCorePageAction(string $page, array &$extraFooterScripts): void { switch ($page) { case "/wlan0_info": - DisplayDashboard($extraFooterScripts, $token); + DisplayDashboard($extraFooterScripts); break; case "/dhcpd_conf": - DisplayDHCPConfig($token); + DisplayDHCPConfig(); break; case "/wpa_conf": - DisplayWPAConfig($token); + DisplayWPAConfig(); break; case "/network_conf": - DisplayNetworkingConfig($token); + DisplayNetworkingConfig(); break; case "/hostapd_conf": - DisplayHostAPDConfig($token); + DisplayHostAPDConfig(); break; case "/adblock_conf": - DisplayAdBlockConfig($token); + DisplayAdBlockConfig(); break; case "/openvpn_conf": - DisplayOpenVPNConfig($token); + DisplayOpenVPNConfig(); break; case "/wg_conf": - DisplayWireGuardConfig($token); + DisplayWireGuardConfig(); break; case "/provider_conf": - DisplayProviderConfig($token); + DisplayProviderConfig(); break; case "/torproxy_conf": - DisplayTorProxyConfig($token); + DisplayTorProxyConfig(); break; case "/auth_conf": - DisplayAuthConfig($_SESSION['user_id'], $token); + DisplayAuthConfig($_SESSION['user_id']); break; case "/save_hostapd_conf": - SaveTORAndVPNConfig($token); + SaveTORAndVPNConfig(); break; case "/data_use": - DisplayDataUsage($extraFooterScripts, $token); + DisplayDataUsage($extraFooterScripts); break; case "/system_info": - DisplaySystem($extraFooterScripts, $token); + DisplaySystem($extraFooterScripts); break; case "/restapi_conf": - DisplayRestAPI($token); + DisplayRestAPI(); break; case "/about": - DisplayAbout($token); + DisplayAbout(); break; case "/login": - DisplayLogin($token); + DisplayLogin(); break; default: - DisplayDashboard($extraFooterScripts, $token); + DisplayDashboard($extraFooterScripts); } } diff --git a/includes/restapi.php b/includes/restapi.php index 621e390f..4c11cfce 100755 --- a/includes/restapi.php +++ b/includes/restapi.php @@ -6,7 +6,7 @@ require_once 'config.php'; /** * Handler for RestAPI settings */ -function DisplayRestAPI($token) +function DisplayRestAPI() { // initialize status object $status = new \RaspAP\Messages\StatusMessage; @@ -59,16 +59,13 @@ function DisplayRestAPI($token) $docMsg = sprintf(_("RestAPI docs are accessible here %s"),$docUrl, $faicon); } - echo renderTemplate( - "restapi", compact( - "status", - "apiKey", - "serviceStatus", - "serviceLog", - "docMsg", - "token" - ) - ); + echo renderTemplate("restapi", compact( + "status", + "apiKey", + "serviceStatus", + "serviceLog", + "docMsg" + )); } /** diff --git a/includes/system.php b/includes/system.php index addaeea2..d37a5450 100755 --- a/includes/system.php +++ b/includes/system.php @@ -6,7 +6,7 @@ require_once 'config.php'; /** * */ -function DisplaySystem(&$extraFooterScripts, $token) +function DisplaySystem(&$extraFooterScripts) { $status = new \RaspAP\Messages\StatusMessage; $dashboard = new \RaspAP\UI\Dashboard; @@ -146,8 +146,7 @@ function DisplaySystem(&$extraFooterScripts, $token) "themes", "selectedTheme", "logLimit", - "pluginsTable", - "token" + "pluginsTable" )); } diff --git a/includes/wireguard.php b/includes/wireguard.php index 5a04801a..f6beb3dd 100755 --- a/includes/wireguard.php +++ b/includes/wireguard.php @@ -5,7 +5,7 @@ require_once 'config.php'; /** * Displays wireguard server & peer configuration */ -function DisplayWireGuardConfig($token) +function DisplayWireGuardConfig() { $status = new \RaspAP\Messages\StatusMessage; $parseFlag = true; @@ -98,8 +98,7 @@ function DisplayWireGuardConfig($token) "wg_pendpoint", "wg_pallowedips", "wg_pkeepalive", - "wg_log", - "token" + "wg_log" ) ); } From 5584e3b72c5a06bab66d7995a013e2ddf2ff1b1b Mon Sep 17 00:00:00 2001 From: billz Date: Tue, 25 Mar 2025 13:58:52 -0700 Subject: [PATCH 13/24] Initial commit --- includes/CSRF.php | 42 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 42 insertions(+) create mode 100644 includes/CSRF.php diff --git a/includes/CSRF.php b/includes/CSRF.php new file mode 100644 index 00000000..361c8fbb --- /dev/null +++ b/includes/CSRF.php @@ -0,0 +1,42 @@ +getToken(); + } + + public static function verify(): bool + { + return self::instance()->csrfValidateRequest() && self::instance()->CSRFValidate($_POST['csrf_token'] ?? ''); + } + + public static function metaTag(): string + { + return self::getInstance()->CSRFMetaTag(); + } + + public static function hiddenField(): string + { + return self::getInstance()->CSRFTokenFieldTag(); + } + + public static function handleInvalidToken(): void + { + self::instance()->handleInvalidCSRFToken(); + } +} + From a1550d80496bbf6c792643d4a95f7048ced069a6 Mon Sep 17 00:00:00 2001 From: billz Date: Tue, 25 Mar 2025 14:00:24 -0700 Subject: [PATCH 14/24] Refactor templates to use CSRF facade --- templates/adblock.php | 2 +- templates/admin.php | 2 +- templates/configure_client.php | 2 +- templates/dashboard.php | 2 +- templates/dhcp.php | 2 +- templates/hostapd.php | 2 +- templates/login.php | 2 +- templates/openvpn.php | 2 +- templates/restapi.php | 2 +- templates/system.php | 2 +- templates/system/advanced.php | 2 +- templates/system/basic.php | 2 +- templates/system/plugins.php | 2 +- templates/system/theme.php | 2 +- templates/system/tools.php | 2 +- templates/wireguard.php | 2 +- 16 files changed, 16 insertions(+), 16 deletions(-) diff --git a/templates/adblock.php b/templates/adblock.php index 19f9c544..d28f4dc3 100755 --- a/templates/adblock.php +++ b/templates/adblock.php @@ -28,7 +28,7 @@
                showMessages(); ?> - CSRFTokenFieldTag(); ?> +
                  • diff --git a/templates/admin.php b/templates/admin.php index 90d98988..ac487ea1 100755 --- a/templates/admin.php +++ b/templates/admin.php @@ -19,7 +19,7 @@ showMessages(); ?>

                  - CSRFTokenFieldTag() ?> +
                  diff --git a/templates/configure_client.php b/templates/configure_client.php index d4649918..60008524 100755 --- a/templates/configure_client.php +++ b/templates/configure_client.php @@ -27,7 +27,7 @@
                  - CSRFTokenFieldTag() ?> + diff --git a/templates/dashboard.php b/templates/dashboard.php index 2b9a7ed6..c7db88f0 100755 --- a/templates/dashboard.php +++ b/templates/dashboard.php @@ -30,7 +30,7 @@
                  showMessages(); ?>
                  - CSRFTokenFieldTag() ?> +
                    diff --git a/templates/dhcp.php b/templates/dhcp.php index 1ba6d3b9..b83a6444 100755 --- a/templates/dhcp.php +++ b/templates/dhcp.php @@ -30,7 +30,7 @@
                    showMessages(); ?> - CSRFTokenFieldTag() ?> +
                      diff --git a/templates/hostapd.php b/templates/hostapd.php index b802b208..ccdc1a62 100755 --- a/templates/hostapd.php +++ b/templates/hostapd.php @@ -50,7 +50,7 @@
                      showMessages(); ?> - CSRFTokenFieldTag() ?> +
                        diff --git a/templates/login.php b/templates/login.php index 3291364d..071876c7 100755 --- a/templates/login.php +++ b/templates/login.php @@ -15,7 +15,7 @@
                      - CSRFTokenFieldTag() ?> +
                      diff --git a/templates/openvpn.php b/templates/openvpn.php index 2d923b54..4b583204 100755 --- a/templates/openvpn.php +++ b/templates/openvpn.php @@ -29,7 +29,7 @@
                      showMessages(); ?> - CSRFTokenFieldTag() ?> +
                        • diff --git a/templates/restapi.php b/templates/restapi.php index 3a26ae20..63494a21 100755 --- a/templates/restapi.php +++ b/templates/restapi.php @@ -28,7 +28,7 @@
                        showMessages(); ?> - CSRFTokenFieldTag() ?> +
                          • diff --git a/templates/system.php b/templates/system.php index 64b25e82..fd4485f5 100755 --- a/templates/system.php +++ b/templates/system.php @@ -11,7 +11,7 @@
                          showMessages(); ?> - CSRFTokenFieldTag() ?> +
                            diff --git a/templates/system/advanced.php b/templates/system/advanced.php index 8b48e988..66612f16 100644 --- a/templates/system/advanced.php +++ b/templates/system/advanced.php @@ -3,7 +3,7 @@

                            - CSRFTokenFieldTag() ?> +
                            diff --git a/templates/system/basic.php b/templates/system/basic.php index 353743dd..c3d4cba0 100644 --- a/templates/system/basic.php +++ b/templates/system/basic.php @@ -56,7 +56,7 @@ include('includes/sysstats.php');
                            - CSRFTokenFieldTag() ?> + " /> " /> diff --git a/templates/system/plugins.php b/templates/system/plugins.php index 1365a976..481d222b 100644 --- a/templates/system/plugins.php +++ b/templates/system/plugins.php @@ -1,7 +1,7 @@

                            - CSRFTokenFieldTag() ?> +
                            - CSRFTokenFieldTag() ?> +
                            diff --git a/templates/system/tools.php b/templates/system/tools.php index b38b2ced..cfa92fd2 100644 --- a/templates/system/tools.php +++ b/templates/system/tools.php @@ -2,7 +2,7 @@

                            - CSRFTokenFieldTag() ?> +
                            diff --git a/templates/wireguard.php b/templates/wireguard.php index 40bb1970..ffcfb6d1 100755 --- a/templates/wireguard.php +++ b/templates/wireguard.php @@ -28,7 +28,7 @@
                            showMessages(); ?>
                            - CSRFTokenFieldTag() ?> +
                              • From 8d482845b0a1a46d91e7777167028eda4d503eca Mon Sep 17 00:00:00 2001 From: billz Date: Tue, 25 Mar 2025 14:02:51 -0700 Subject: [PATCH 15/24] Replace explicit token instantiation w/ includes/CSRF.php --- index.php | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/index.php b/index.php index e078adf6..bb769ba7 100755 --- a/index.php +++ b/index.php @@ -25,6 +25,7 @@ require_once 'includes/config.php'; require_once 'includes/autoload.php'; +require_once 'includes/CSRF.php'; $handler = new RaspAP\Exceptions\ExceptionHandler; $token = new RaspAP\Tokens\CSRFTokenizer; @@ -58,7 +59,7 @@ initializeApp(); > - CSRFMetaTag() ?> + From 3d6b4e1f1579bd555660e527c0068d5a1a8443b4 Mon Sep 17 00:00:00 2001 From: billz Date: Tue, 25 Mar 2025 14:04:29 -0700 Subject: [PATCH 16/24] Simplify getVpnManaged check with ternary operator --- includes/dashboard.php | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/includes/dashboard.php b/includes/dashboard.php index 099fbb2a..bf2b9c18 100755 --- a/includes/dashboard.php +++ b/includes/dashboard.php @@ -74,9 +74,7 @@ function DisplayDashboard(&$extraFooterScripts): void $varName = "freq" . str_replace('.', '', $frequency) . "active"; $$varName = "active"; $vpnStatus = $vpn ? "active" : "inactive"; - if ($vpn) { - $vpnManaged = $dashboard->getVpnManged($vpn); - } + $vpnManaged = $vpn ? $dashboard->getVpnManaged($vpn) : null; $firewallManaged = $firewallStatus = ""; $firewallInstalled = array_filter($plugins, fn($p) => str_ends_with($p, 'Firewall')) ? true : false; if (!$firewallInstalled) { From d6c8ac32a75903a6833d671fc3e224d013449aee Mon Sep 17 00:00:00 2001 From: billz Date: Tue, 25 Mar 2025 14:05:34 -0700 Subject: [PATCH 17/24] Fix call to class method --- src/RaspAP/Tokens/CSRFTokenizer.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/RaspAP/Tokens/CSRFTokenizer.php b/src/RaspAP/Tokens/CSRFTokenizer.php index 51603867..8fa68c91 100644 --- a/src/RaspAP/Tokens/CSRFTokenizer.php +++ b/src/RaspAP/Tokens/CSRFTokenizer.php @@ -22,7 +22,7 @@ class CSRFTokenizer { // ensure a CSRF token exists in the session if (empty($_SESSION['csrf_token'])) { - $this->ensureCSRFSessionToken; + $this->ensureCSRFSessionToken(); } if ($this->csrfValidateRequest() && !$this->CSRFValidate($_SESSION['csrf_token'])) { From 484b89718a405e6395a19af7605d2e7b19144b78 Mon Sep 17 00:00:00 2001 From: billz Date: Wed, 26 Mar 2025 04:00:34 -0700 Subject: [PATCH 18/24] Add validateRequest(), token check outside class --- includes/CSRF.php | 32 ++++++++++++++++++++++++++++---- 1 file changed, 28 insertions(+), 4 deletions(-) diff --git a/includes/CSRF.php b/includes/CSRF.php index 361c8fbb..6329dfee 100644 --- a/includes/CSRF.php +++ b/includes/CSRF.php @@ -6,7 +6,12 @@ class CSRF { protected static ?CSRFTokenizer $instance = null; - protected static function getInstance(): CSRFTokenizer + /* + * Get the CSRFTokenizer instance (singleton) + * + * @return CSRFTokenizer + */ + public static function instance(): CSRFTokenizer { if (self::$instance === null) { self::$instance = new CSRFTokenizer(); @@ -21,22 +26,41 @@ class CSRF public static function verify(): bool { - return self::instance()->csrfValidateRequest() && self::instance()->CSRFValidate($_POST['csrf_token'] ?? ''); + $token = $_POST['csrf_token']; + return self::instance()->csrfValidateRequest() && + self::instance()->CSRFValidate($_POST['csrf_token'] ?? ''); } public static function metaTag(): string { - return self::getInstance()->CSRFMetaTag(); + return self::instance()->CSRFMetaTag(); } public static function hiddenField(): string { - return self::getInstance()->CSRFTokenFieldTag(); + return self::instance()->CSRFTokenFieldTag(); } public static function handleInvalidToken(): void { self::instance()->handleInvalidCSRFToken(); } + + /** + * Validates a CSRF Request + * + * @return bool + */ + public static function validateRequest(): bool + { + return self::instance()->csrfValidateRequest(); + } +} + +if (\RaspAP\Tokens\CSRF::validateRequest()) { + if (!\RaspAP\Tokens\CSRF::verify()) { + error_log("CSRF verification failed. Token: " . ($_POST['csrf_token'] ?? 'not provided')); + \RaspAP\Tokens\CSRF::handleInvalidToken(); + } } From 47d7c121de1cd085fab1b1348e7cf5efb28e7fce Mon Sep 17 00:00:00 2001 From: billz Date: Wed, 26 Mar 2025 04:01:09 -0700 Subject: [PATCH 19/24] Generate new session id on logout() --- src/RaspAP/Auth/HTTPAuth.php | 1 + 1 file changed, 1 insertion(+) diff --git a/src/RaspAP/Auth/HTTPAuth.php b/src/RaspAP/Auth/HTTPAuth.php index a28f9212..d5fcf215 100755 --- a/src/RaspAP/Auth/HTTPAuth.php +++ b/src/RaspAP/Auth/HTTPAuth.php @@ -79,6 +79,7 @@ class HTTPAuth */ public function logout(): void { + session_regenerate_id(true); // generate a new session id session_unset(); // unset all session variables session_destroy(); // destroy the session $redirectUrl = $_SERVER['REQUEST_URI']; From bfab3d7441ab297cff2d09f1f0a1aaa12a61f0bf Mon Sep 17 00:00:00 2001 From: billz Date: Wed, 26 Mar 2025 04:02:48 -0700 Subject: [PATCH 20/24] Revise CSRFValidate() --- src/RaspAP/Tokens/CSRFTokenizer.php | 43 +++++++++++++++++------------ 1 file changed, 25 insertions(+), 18 deletions(-) diff --git a/src/RaspAP/Tokens/CSRFTokenizer.php b/src/RaspAP/Tokens/CSRFTokenizer.php index 8fa68c91..be13fdab 100644 --- a/src/RaspAP/Tokens/CSRFTokenizer.php +++ b/src/RaspAP/Tokens/CSRFTokenizer.php @@ -25,8 +25,11 @@ class CSRFTokenizer { $this->ensureCSRFSessionToken(); } - if ($this->csrfValidateRequest() && !$this->CSRFValidate($_SESSION['csrf_token'])) { - $this->handleInvalidCSRFToken(); + if ($this->csrfValidateRequest()) { + $token = $_POST['csrf_token'] ?? $_SERVER['HTTP_X_CSRF_TOKEN'] ?? ''; + if (!$this->CSRFValidate($token)) { + $this->handleInvalidCSRFToken(); + } } } @@ -37,6 +40,7 @@ class CSRFTokenizer { { if (empty($_SESSION['csrf_token'])) { $_SESSION['csrf_token'] = bin2hex(random_bytes(32)); + $token = $_SESSION['csrf_token']; } } @@ -73,22 +77,26 @@ class CSRFTokenizer { */ public function CSRFValidate(string $token): bool { - if(isset($token)) { - $header_token = $_SERVER['HTTP_X_CSRF_TOKEN'] ?? ''; + if (empty($_SESSION['csrf_token']) || !is_string($_SESSION['csrf_token'])) { + error_log('Session expired or CSRF token is missing.'); + header('Location: /login'); + exit; + } - if (empty($token) && empty($header_token)) { - return false; - } - $request_token = $token; - if (empty($token)) { - $request_token = $header_token; - } - if (hash_equals($_SESSION['csrf_token'], $request_token)) { - return true; - } else { - error_log('CSRF violation'); - return false; - } + $post_token = $token ?? null; + $header_token = $_SERVER['HTTP_X_CSRF_TOKEN'] ?? null; + + if (empty($post_token) && is_null($header_token)) { + error_log('CSRF token missing in the request'); + return false; + } + $request_token = $post_token ?: $header_token; + + if (hash_equals($_SESSION['csrf_token'], $request_token)) { + return true; + } else { + error_log('CSRF token mismatch'); + return false; } } @@ -121,7 +129,6 @@ class CSRFTokenizer { { if (session_status() == PHP_SESSION_NONE) { session_start(); - session_regenerate_id(true); } } } From 4a4506a913e047e040905f57e9dd8937aaef4930 Mon Sep 17 00:00:00 2001 From: billz Date: Wed, 26 Mar 2025 04:03:37 -0700 Subject: [PATCH 21/24] Update with CSRF::hiddenField() --- templates/provider.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/provider.php b/templates/provider.php index 9f969fa7..3e1976f6 100755 --- a/templates/provider.php +++ b/templates/provider.php @@ -28,7 +28,7 @@
                              showMessages(); ?> - +
                                • From 0960e8bac9e20619e8a0f92c88b61a116009bd35 Mon Sep 17 00:00:00 2001 From: billz Date: Wed, 26 Mar 2025 04:05:39 -0700 Subject: [PATCH 22/24] Add CSRF protection include --- ajax/adblock/update_blocklist.php | 1 + ajax/bandwidth/get_bandwidth.php | 1 + ajax/bandwidth/get_bandwidth_hourly.php | 1 + ajax/logging/clearlog.php | 1 + ajax/networking/do_sys_reset.php | 44 ++++++++++--------------- ajax/networking/get_all_interfaces.php | 1 + ajax/networking/get_channel.php | 2 ++ ajax/networking/get_frequencies.php | 1 + ajax/networking/get_ip_summary.php | 1 + ajax/networking/get_netcfg.php | 1 + ajax/networking/get_nl80211_band.php | 1 + ajax/networking/get_wgcfg.php | 1 + ajax/networking/get_wgkey.php | 1 + ajax/networking/wifi_stations.php | 1 + ajax/openvpn/activate_ovpncfg.php | 1 + ajax/openvpn/del_ovpncfg.php | 1 + ajax/plugins/do_plugin_install.php | 1 + ajax/session/do_check_session.php | 1 + ajax/system/sys_actions.php | 5 ++- ajax/system/sys_chk_update.php | 33 ++++++++----------- ajax/system/sys_debug.php | 31 +++++++---------- ajax/system/sys_get_logfile.php | 5 ++- ajax/system/sys_perform_update.php | 5 ++- ajax/system/sys_read_logfile.php | 4 +-- 24 files changed, 70 insertions(+), 75 deletions(-) diff --git a/ajax/adblock/update_blocklist.php b/ajax/adblock/update_blocklist.php index f21cb4aa..f21ed4cd 100644 --- a/ajax/adblock/update_blocklist.php +++ b/ajax/adblock/update_blocklist.php @@ -1,5 +1,6 @@ csrfValidateRequest() && !$token->CSRFValidate()) { - $token->handleInvalidCSRFToken(); - } - $return = 0; - $path = "../../config"; - $configs = array( - array("src" => $path .'/hostapd.conf', "tmp" => "/tmp/hostapddata", "dest" => RASPI_HOSTAPD_CONFIG), - array("src" => $path .'/dhcpcd.conf', "tmp" => "/tmp/dhcpddata", "dest" => RASPI_DHCPCD_CONFIG), - array("src" => $path .'/090_wlan0.conf', "tmp" => "/tmp/dnsmasqdata", "dest" => RASPI_DNSMASQ_PREFIX.'wlan0.conf'), - array("src" => $path .'/090_raspap.conf', "tmp" => "/tmp/dnsmasqdata", "dest" => RASPI_DNSMASQ_PREFIX.'raspap.conf'), - ); +$return = 0; +$path = "../../config"; +$configs = array( + array("src" => $path .'/hostapd.conf', "tmp" => "/tmp/hostapddata", "dest" => RASPI_HOSTAPD_CONFIG), + array("src" => $path .'/dhcpcd.conf', "tmp" => "/tmp/dhcpddata", "dest" => RASPI_DHCPCD_CONFIG), + array("src" => $path .'/090_wlan0.conf', "tmp" => "/tmp/dnsmasqdata", "dest" => RASPI_DNSMASQ_PREFIX.'wlan0.conf'), + array("src" => $path .'/090_raspap.conf', "tmp" => "/tmp/dnsmasqdata", "dest" => RASPI_DNSMASQ_PREFIX.'raspap.conf'), +); - foreach ($configs as $config) { - try { - $tmp = file_get_contents($config["src"]); - file_put_contents($config["tmp"], $tmp); - system("sudo cp ".$config["tmp"]. " ".$config["dest"]); - } catch (Exception $e) { - $return = $e->getCode(); - } +foreach ($configs as $config) { + try { + $tmp = file_get_contents($config["src"]); + file_put_contents($config["tmp"], $tmp); + system("sudo cp ".$config["tmp"]. " ".$config["dest"]); + } catch (Exception $e) { + $return = $e->getCode(); } - $jsonData = ['return'=>$return]; - echo json_encode($jsonData); - -} else { - $token->handleInvalidCSRFToken(); } +$jsonData = ['return'=>$return]; +echo json_encode($jsonData); diff --git a/ajax/networking/get_all_interfaces.php b/ajax/networking/get_all_interfaces.php index 2953b734..0fb33fe1 100644 --- a/ajax/networking/get_all_interfaces.php +++ b/ajax/networking/get_all_interfaces.php @@ -1,5 +1,6 @@ Date: Wed, 26 Mar 2025 09:51:39 -0700 Subject: [PATCH 23/24] When session token expires, redirect instead of returning a 500 error --- src/RaspAP/Tokens/CSRFTokenizer.php | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/RaspAP/Tokens/CSRFTokenizer.php b/src/RaspAP/Tokens/CSRFTokenizer.php index be13fdab..d3925f45 100644 --- a/src/RaspAP/Tokens/CSRFTokenizer.php +++ b/src/RaspAP/Tokens/CSRFTokenizer.php @@ -23,6 +23,8 @@ class CSRFTokenizer { // ensure a CSRF token exists in the session if (empty($_SESSION['csrf_token'])) { $this->ensureCSRFSessionToken(); + header("Location: " .$_SERVER['REQUEST_URI']); + exit; } if ($this->csrfValidateRequest()) { @@ -40,7 +42,6 @@ class CSRFTokenizer { { if (empty($_SESSION['csrf_token'])) { $_SESSION['csrf_token'] = bin2hex(random_bytes(32)); - $token = $_SESSION['csrf_token']; } } From 5f1b16bc74d6e77c2a5300520b1d8cf09e1c396d Mon Sep 17 00:00:00 2001 From: billz Date: Wed, 26 Mar 2025 11:19:00 -0700 Subject: [PATCH 24/24] Remove instantiation of $token --- index.php | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/index.php b/index.php index bb769ba7..1f2dc254 100755 --- a/index.php +++ b/index.php @@ -25,10 +25,9 @@ require_once 'includes/config.php'; require_once 'includes/autoload.php'; -require_once 'includes/CSRF.php'; $handler = new RaspAP\Exceptions\ExceptionHandler; -$token = new RaspAP\Tokens\CSRFTokenizer; +require_once 'includes/CSRF.php'; require_once 'includes/session.php'; require_once 'includes/defaults.php'; require_once 'includes/locale.php';