frodovdr/raspap-webgui
1
0
Fork 0
mirror of https://github.com/billz/raspap-webgui.git synced 2023-10-10 13:37:24 +02:00
Code Issues Releases Wiki Activity

Add CSRF token to password change page

Browse Source
This commit is contained in:
Joe Haig 2016-06-24 22:39:39 +01:00
parent f98af5c60b
commit 5c2492e785
3 changed files with 52 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

39
includes/admin.php
View File

@ -13,26 +13,30 @@ function Status($message, $level='success', $dismissable=true) {
function DisplayAuthConfig($username, $password){ function DisplayAuthConfig($username, $password){
$status = ''; $status = '';
if (isset($_POST['UpdateAdminPassword'])) { if (isset($_POST['UpdateAdminPassword'])) {
if (password_verify($_POST['oldpass'], $password)) { if (CSRFValidate()) {
$new_username=trim($_POST['username']); if (password_verify($_POST['oldpass'], $password)) {
if ($_POST['newpass'] != $_POST['newpassagain']) { $new_username=trim($_POST['username']);
$status = Status('New passwords do not match', 'danger'); if ($_POST['newpass'] != $_POST['newpassagain']) {
} else if ($new_username == '') { $status = Status('New passwords do not match', 'danger');
$status = Status('Username must not be empty', 'danger'); } else if ($new_username == '') {
} else { $status = Status('Username must not be empty', 'danger');
if ($auth_file = fopen(RASPI_ADMIN_DETAILS, 'w')) {
fwrite($auth_file, $new_username.PHP_EOL);
fwrite($auth_file, password_hash($_POST['newpass'], PASSWORD_BCRYPT).PHP_EOL);
fclose($auth_file);
$username = $new_username;
$status = Status('Admin password updated');
} else { } else {
$status = Status('Failed to update admin password', 'danger'); if ($auth_file = fopen(RASPI_ADMIN_DETAILS, 'w')) {
fwrite($auth_file, $new_username.PHP_EOL);
fwrite($auth_file, password_hash($_POST['newpass'], PASSWORD_BCRYPT).PHP_EOL);
fclose($auth_file);
$username = $new_username;
$status = Status('Admin password updated');
} else {
$status = Status('Failed to update admin password', 'danger');
}
} }
} else {
$status = Status('Old password does not match', 'danger');
} }
} else { } else {
$status = Status('Old password does not match', 'danger'); // Log something
} }
} }
?> ?>
<div class="row"> <div class="row">
@ -42,6 +46,7 @@ function DisplayAuthConfig($username, $password){
<div class="panel-body"> <div class="panel-body">
<p><?php echo $status; ?></p> <p><?php echo $status; ?></p>
<form role="form" action="/?page=admin_conf" method="POST"> <form role="form" action="/?page=admin_conf" method="POST">
<?php CSRFToken() ?>
<div class="row"> <div class="row">
<div class="form-group col-md-4"> <div class="form-group col-md-4">
<label for="username">Username</label> <label for="username">Username</label>

20
includes/functions.php
View File

@ -1,5 +1,25 @@
<?php <?php
/**
*
* Add CSRF Token to form
*
*/
function CSRFToken() {
?>
<input type="hidden" name="csrf_token" value="<?php echo $csrf_token; ?>" />
<?php
}
/**
*
* Validate CSRF Token
*
*/
function CSRFValidate() {
return hash_equals($_POST['csrf_token'], $_SESSION['csrf_token']);
}
/** /**
* *
* @param string $input * @param string $input

10
index.php
View File

@ -44,6 +44,16 @@ include_once( 'includes/functions.php' );
$output = $return = 0; $output = $return = 0;
$page = $_GET['page']; $page = $_GET['page'];
session_start();
if (empty($_SESSION['csrf_token'])) {
if (function_exists('mcrypt_create_iv')) {
$_SESSION['csrf_token'] = bin2hex(mcrypt_create_iv(32, MCRYPT_DEV_URANDOM));
} else {
$_SESSION['csrf_token'] = bin2hex(openssl_random_pseudo_bytes(32));
}
}
$csrf_token = $_SESSION['csrf_token'];
?> ?>
<!DOCTYPE html> <!DOCTYPE html>